Spring Security allows unauthorized users to access restricted URLs via a forward

Spring Security 3.2.0.RC2

Given:

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .authorizeRequests()
                .antMatchers("/restricted/**").hasRole("admin")
                .anyRequest().authenticated()
            // etc
            ;
    }

A user without the admin role who tries to access /myapp/restricted/foo.request directly correctly receives an HTTP 403.

However, given:

    @Controller
    public class FooController {

        @RequestMapping("/bar.request")
        public String bar() {
            return "forward:/restricted/foo.request";
        }
    }

If the user accesses /myapp/bar.request, they are forwarded to the restricted /myapp/restricted/foo.request. How can this be prevented without explicitly blocking "/bar.request"?

Answer:

@kungfuters is correct: the first step is to make sure the filter is intercepting the request in the first place. To do this, use the following web.xml:

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher> <!-- Include FORWARD here -->
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

To do this with Java configuration, use the following:

    import java.util.EnumSet;
    import javax.servlet.DispatcherType;
    import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

    public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

        // The default set is REQUEST, ERROR and ASYNC; FORWARD is added so that
        // springSecurityFilterChain is also mapped to forward dispatches.
        @Override
        protected EnumSet<DispatcherType> getSecurityDispatcherTypes() {
            return EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC, DispatcherType.FORWARD);
        }
    }

The last piece is that, by default, the FilterSecurityInterceptor (the part that ensures URLs are protected) will only intercept the REQUEST dispatch and not other dispatches (i.e. forwards). This is done because it is rare to protect the URL being forwarded to (typically you protect the URL doing the forward). To make this work in XML configuration you need to set http@once-per-request:

    <!-- once-per-request="true" (the default) skips the security check on a
         forward of an already-checked request; "false" re-applies it on every dispatch -->
    <http once-per-request="false">
        <!-- ... -->
    </http>

Similarly, in Java configuration there is a filterSecurityInterceptorOncePerRequest setting that can be used. For example:

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .authorizeRequests()
                // re-run the FilterSecurityInterceptor on FORWARD dispatches too
                .filterSecurityInterceptorOncePerRequest(false)
                // make sure to grant access to any login page you are forwarding to;
                // matchers are evaluated in order, so this must precede /restricted/**
                .antMatchers("/restricted/login").permitAll()
                .antMatchers("/restricted/**").hasRole("admin")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .permitAll()
            // etc
            ;
    }
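To see why the once-per-request setting decides whether the forward is protected, the following is an added example (not part of the question or the answer above) that drives a FilterSecurityInterceptor directly, without a servlet container. It assumes Java 8 with spring-security-web 3.2.x and spring-test on the classpath, and it simulates the forward by reusing the same MockHttpServletRequest with the servlet path changed; a real container wraps the request on forward but shares the same attribute map, which is what the interceptor's "already applied" marker relies on. The user, roles and URLs are taken from the question; the class and method names are this example's own.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedHashMap;

import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/** Added example: shows the forward bypass with once-per-request=true and the fix with false. */
public class ForwardBypassDemo {

    /** Interceptor protecting /restricted/** with ROLE_admin, the equivalent of hasRole("admin"). */
    static FilterSecurityInterceptor interceptor(boolean oncePerRequest) {
        LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> rules = new LinkedHashMap<>();
        rules.put(new AntPathRequestMatcher("/restricted/**"), SecurityConfig.createList("ROLE_admin"));

        FilterSecurityInterceptor fsi = new FilterSecurityInterceptor();
        fsi.setSecurityMetadataSource(new DefaultFilterInvocationSecurityMetadataSource(rules));
        fsi.setAccessDecisionManager(
                new AffirmativeBased(Arrays.<AccessDecisionVoter<? extends Object>>asList(new RoleVoter())));
        fsi.setAuthenticationManager(authentication -> authentication); // caller is already authenticated
        fsi.setObserveOncePerRequest(oncePerRequest); // the setting under discussion
        return fsi;
    }

    /**
     * Runs the interceptor for the original /bar.request dispatch, then again for the
     * forward to /restricted/foo.request on the SAME request object (simulated forward).
     * Returns true if the forwarded dispatch was denied for a user who only has ROLE_user.
     */
    static boolean forwardIsDenied(boolean oncePerRequest) throws Exception {
        SecurityContextHolder.getContext()
                .setAuthentication(new TestingAuthenticationToken("alice", "pw", "ROLE_user"));
        try {
            FilterSecurityInterceptor fsi = interceptor(oncePerRequest);

            // Dispatch 1: /bar.request is not restricted, so it passes. The interceptor still
            // marks the request with its "filter applied" attribute.
            MockHttpServletRequest request = new MockHttpServletRequest("GET", "/myapp/bar.request");
            request.setContextPath("/myapp");
            request.setServletPath("/bar.request");
            fsi.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());

            // Dispatch 2: the controller forwards to the restricted URL. Same request object,
            // new path (assumption: this stands in for the container's forward wrapper).
            request.setRequestURI("/myapp/restricted/foo.request");
            request.setServletPath("/restricted/foo.request");
            try {
                fsi.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
                return false; // security check was skipped: the bypass from the question
            } catch (AccessDeniedException denied) {
                return true;  // security check re-applied on the forward
            }
        } finally {
            SecurityContextHolder.clearContext();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("once-per-request=true  (default) -> forward denied? " + forwardIsDenied(true));
        System.out.println("once-per-request=false           -> forward denied? " + forwardIsDenied(false));
    }
}
```

With the default (true) the second call prints false: the interceptor sees the marker it set during the first dispatch and lets the forwarded request through unchecked. With false it prints true, because the restricted path is evaluated again and ROLE_user is refused. In a deployed application both pieces of the answer are needed: this setting only matters once springSecurityFilterChain is actually mapped to the FORWARD dispatcher, otherwise the interceptor never sees the forward at all.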

The above is the full content of "Spring Security allows unauthorized users to access restricted URLs via a forward". Source: utcz.com/qa/397848.html
