Spring(引导)安全性预认证,允许的资源仍通过认证

  • Z时代
  • 2024-01-10
  • 分类:问答

我正在使用Spring Boot 1.5.6(也已经尝试过1.5.4)。我正在使用

RequestHeaderAuthenticationFilter

和一个

PreAuthenticatedAuthenticationProvider

以保护我的spring mvc Web应用程序,并允许访问控制器路径和静态资源。

在我的

RequestHeaderAuthenticationFilter

设置我想要的

setExceptionIfHeaderMissing(true);

这样我就知道是否已在请求中发送了标头变量。

当我尝试访问任何允许的资源时,Spring Security总是在请求中查找标头变量并抛出一个

PreAuthenticatedCredentialsNotFoundException

为什么即使我尝试访问允许的(不受保护的)资源,Spring Security仍然尝试查找经过预身份验证的主体?我该如何规避这种行为?

我的WebSecurityConfigurerAdapter的Java配置如下

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter{
private static final Logger log = LoggerFactory.getLogger(SecurityConfig.class);
@Autowired
protected UserDetailsService userDetailsService;
@Bean
public PreAuthenticatedAuthenticationProvider preAuthenticatedAuthenticationProvider(){
    log.info("Configuring pre authentication provider");
    UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = 
            new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(
                    userDetailsService);
    PreAuthenticatedAuthenticationProvider it = new PreAuthenticatedAuthenticationProvider();
    it.setPreAuthenticatedUserDetailsService(wrapper);
    return it;      
}
@Bean
public RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter() throws Exception{
    RequestHeaderAuthenticationFilter it = new RequestHeaderAuthenticationFilter();
    it.setAuthenticationManager(authenticationManager());
    it.setExceptionIfHeaderMissing(true);
    return it;
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
    log.info("configure authentication provider");
    auth.authenticationProvider(preAuthenticatedAuthenticationProvider());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
    log.info("Configure HttpSecurity");
    http
        .authorizeRequests()
            .antMatchers("/permitted/**", "/css/**", "/js/**", "/images/**", "/webjars/**")
                .permitAll()
            .anyRequest()
                    .authenticated()
            .and().addFilter(requestHeaderAuthenticationFilter())
    ;
}
 @Override
 public void configure(WebSecurity web) throws Exception {
     web
        .ignoring()
            .antMatchers("/permitted/**", "/css/**", "/js/**", "/images/**", "/webjars/**"); 
}   
}

回答:

我遇到了同样的问题,事实证明,这与以下事实有关:除了在SecurityFilterChain中注册之外,Spring

Boot还在Servlet上下文中注册了RequestHeaderAuthenticationFilter。解决方案是使用FilterRegistrationBean来防止Boot向Servlet上下文自动注册过滤器。

以上是 Spring(引导)安全性预认证,允许的资源仍通过认证 的全部内容, 来源链接: utcz.com/qa/409166.html

回到顶部