为具有特定请求标头的请求切换 Spring Security
我正在尝试为所有具有特定 Request Header的请求切换/绕过/禁用 Spring Security(身份验证和授权)。
例如,如果请求 url 被该请求头命中,则应绕过 Spring Security,否则不应绕过。
为此,我使用以下requestMatchers Spring Security 配置:
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers(HttpMethod.GET)
.antMatchers(HttpMethod.OPTIONS)
.requestMatchers(new RequestHeaderRequestMatcher("TEST-HEADER","TEST-VALUE"));
}
我剩下的安全配置是:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity (prePostEnabled = true)
@ConditionalOnProperty (name = "security.enabled", havingValue = "true", matchIfMissing = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private SecurityProps securityProps;
@Autowired
private MyUserDetailsService myUserDetailsService;
@Autowired
private MyAuthenticationEntryPoint myAuthenticationEntryPoint;
@Autowired
private MyCORSFilter myCORSFilter;
public SecurityConfig() {
SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.csrf().disable()
.addFilterBefore(myCORSFilter, SessionManagementFilter.class)
.addFilterBefore(requestHeaderFilter(), RequestHeaderAuthenticationFilter.class)
.authenticationProvider(preauthAuthProvider())
.authorizeRequests()
.antMatchers(HttpMethod.GET, securityProps.getNoAuthGetPattern()).permitAll()
.antMatchers(HttpMethod.OPTIONS, securityProps.getNoAuthOptionsPattern()).permitAll()
.requestMatchers(new RequestHeaderRequestMatcher("TEST-HEADER","TEST-VALUE")).permitAll()
.anyRequest().authenticated()
.and()
.exceptionHandling()
.authenticationEntryPoint(myAuthenticationEntryPoint);
}
白板的微信1回答
-
弑天下
我认为你的旁路工作正常。它跳过检查。安全的授权检查部分从 SecurityContext 中获取经过身份验证的对象,当请求通过 spring 安全过滤器时将设置该对象。因此,当您跳过安全过滤器 SecurityContext 尚未设置因此错误你可以做这样的事情来为你的自定义标题案例手动设置try { SecurityContext ctx = SecurityContextHolder.createEmptyContext(); SecurityContextHolder.setContext(ctx); ctx.setAuthentication(event.getAuthentication());} finally { SecurityContextHolder.clearContext();}编辑1:解答所有疑问。但如果是这样,那么我猜所有 GET 调用也应该失败,但我的 GET 调用工作正常。由于您添加了这一行,因此安全检查会跳过所有 GET 调用。.antMatchers(HttpMethod.GET, securityProps.getNoAuthGetPattern()).permitAll()我在哪里可以添加你提到的代码?任何特定的过滤器或其他地方?我在过滤器中做过类似的事情。参考这里看TokenAuthenticationFilterClass in Answer。在哪里手动设置。注意:它的 JWT 实现但很好参考UserDetails userDetails = userDetailsService.loadUserByUsername(username);if (tokenHelper.validateToken(authToken, userDetails)) { // create authentication TokenBasedAuthentication authentication = new TokenBasedAuthentication(userDetails); authentication.setToken(authToken); SecurityContextHolder.getContext().setAuthentication(authentication);}您的答案中的事件是什么?我刚刚从 Some Answer 那里得到了那个案例,现在找不到它的链接。但你可以setAuthentication喜欢这个或喜欢上面Authentication authentication = new PreAuthenticatedAuthenticationToken("system", null);authentication.setAuthenticated(true);context.setAuthentication(authentication);
随时随地看视频慕课网APP
相关分类
Java