java – Access denied exception when trying to access the login page in Spring Security...

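I am using Java-based Spring Security. I created a custom AccessDecisionVoter impl.

But when I run the application, I cannot open the login page, because it says access is denied.

This happened after I added the custom AccessDecisionVoter impl. I guess the problem is due to the following code in the custom AccessDecisionVoter.

    if (authentication instanceof AnonymousAuthenticationToken)
        return ACCESS_DENIED;

But I need this so that permissions are not checked for users who are not logged in.

It goes into an infinite loop: login page, access decision voter, access denied, login page, and so on.

Below is the Spring Security configuration code.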

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private UserDetailsService userDetailsService;

        @Autowired
        private AffirmativeBased accessDecisionManager;

        // AffirmativeBased with the custom voter as its only voter
        @Bean
        @Autowired
        public AffirmativeBased accessDecisionManager(AccessDecisionVoterImpl accessDecisionVoter) {
            List<AccessDecisionVoter<?>> accessDecisionVoters = new ArrayList<>();
            accessDecisionVoters.add(accessDecisionVoter);
            AffirmativeBased accessDecisionManager = new AffirmativeBased(accessDecisionVoters);
            return accessDecisionManager;
        }

        @Override
        @Autowired
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
        }

        @Bean
        public PasswordEncoder passwordEncoder() {
            PasswordEncoder passwordEncoder = new PasswordEncoder();
            passwordEncoder.setStringDigester(stringDigester());
            return passwordEncoder;
        }

        @Bean
        public PooledStringDigester stringDigester() {
            PooledStringDigester psd = new PooledStringDigester();
            psd.setPoolSize(2);
            psd.setAlgorithm("SHA-256");
            psd.setIterations(1000);
            psd.setSaltSizeBytes(16);
            psd.setSaltGenerator(randomSaltGenerator());
            return psd;
        }

        @Bean
        public RandomSaltGenerator randomSaltGenerator() {
            RandomSaltGenerator randomSaltGenerator = new RandomSaltGenerator();
            return randomSaltGenerator;
        }

        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring()
                .antMatchers("/static/**")
                .antMatchers("/i18n/**");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .loginProcessingUrl("/checkLogin")
                    .defaultSuccessUrl("/home")
                    .failureUrl("/login?login_error=1")
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .permitAll()
                    .and()
                .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/login?isLoggedOut=1")
                    .deleteCookies("JSESSIONID")
                    .invalidateHttpSession(true)
                    .permitAll()
                    .and()
                .authorizeRequests()
                    .antMatchers("/login**").permitAll()
                    .antMatchers("/error**").permitAll()
                    .antMatchers("/checkLogin**").permitAll()
                    .anyRequest()
                    .authenticated()
                    .accessDecisionManager(accessDecisionManager)
                    .and()
                .exceptionHandling()
                    .accessDeniedPage("/accessDenied")
                    .and()
                .headers()
                    .frameOptions()
                    .disable()
                    .and()
                .sessionManagement()
                    .invalidSessionUrl("/login")
                    .maximumSessions(1);
        }
    }

And my custom voter impl:

    @Component
    public class AccessDecisionVoterImpl implements AccessDecisionVoter<Object> {

        @Autowired
        private ModuleService moduleService;

        @Override
        public boolean supports(ConfigAttribute attribute) {
            return true;
        }

        @Override
        public boolean supports(Class<?> clazz) {
            return true;
        }

        @Override
        public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> collection) {
            // I have given this so that if user is not logged in then should not check permission at all
            if (authentication instanceof AnonymousAuthenticationToken)
                return ACCESS_DENIED;

            HttpServletRequest request = ((FilterInvocation) object).getHttpRequest();
            String requestedOperation = request.getParameter("operation");

            if (requestedOperation != null && !requestedOperation.isEmpty()) {
                // the module name is the third element of the URI split on "/"
                String[] requestURISplit = request.getRequestURI().split("/");
                String requestedModuleName = requestURISplit[2];
                if (SecurityUtils.hasPermission(requestedModuleName, requestedOperation)) {
                    return ACCESS_GRANTED;
                }
            } else {
                return ACCESS_GRANTED;
            }
            return ACCESS_DENIED;
        }
    }

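Also, when I remove the following lines from the voter, if the user is not logged in and tries to access a protected page, it goes ahead. It should have redirected to the login page.

    if (authentication instanceof AnonymousAuthenticationToken)
        return ACCESS_DENIED;

This is the first time I am trying to use Spring Boot, so I am not sure about all the configuration issues.

Is there anything wrong with the order of the antMatchers?

Please help.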

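Solution:

- abstain from voting (AccessDecisionVoter.ACCESS_ABSTAIN): if the voter is unable to make a decision (e.g. user unauthorized, unable to obtain module from request context, etc.)
- grant access (AccessDecisionVoter.ACCESS_GRANTED): if the module can be identified and the user is authorized
- deny access (AccessDecisionVoter.ACCESS_DENIED): if the module can be identified and the user is not authorized

With your AccessDecisionManager configuration, you basically cancel out the URL-based access restrictions, such as:

    http.authorizeRequests()
        .antMatchers("/css/**", "/img/**", "/js/**", "/font/**").permitAll()
        .antMatchers("/login**").permitAll()
        .antMatchers("/error**").permitAll()
        .antMatchers("/checkLogin**").permitAll()
        .anyRequest()
        .authenticated();

By default, Spring uses the WebExpressionVoter for this purpose.

However, the AffirmativeBased AccessDecisionManager grants access if at least one AccessDecisionVoter grants access to a resource (this is probably not what you want).

For your requirements, a ConsensusBased AccessDecisionManager that includes the WebExpressionVoter would be the best match.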

    @Bean
    public AccessDecisionManager accessDecisionManager() {
        List<AccessDecisionVoter<?>> decisionVoters = new ArrayList<>();
        decisionVoters.add(new WebExpressionVoter());
        decisionVoters.add(new ModuleAccessDecisionVoter());
        ConsensusBased consensusBased = new ConsensusBased(decisionVoters);
        // deny access if voters equally voted to allow and deny access
        consensusBased.setAllowIfEqualGrantedDeniedDecisions(false);
        return consensusBased;
    }

Your AccessDecisionVoter implementation:

    static class ModuleAccessDecisionVoter implements AccessDecisionVoter<FilterInvocation> {

        @Override
        public boolean supports(ConfigAttribute attribute) {
            return true;
        }

        @Override
        public boolean supports(Class<?> clazz) {
            return FilterInvocation.class.isAssignableFrom(clazz);
        }

        @Override
        public int vote(Authentication authentication, FilterInvocation object, Collection<ConfigAttribute> attributes) {
            if (authentication == null || authentication instanceof AnonymousAuthenticationToken) {
                return ACCESS_ABSTAIN;
            }
            // determine module and grant or deny access
            // if module cannot be determined abstain from voting
            // (determineModule and isAccessGranted are application-specific helpers, not shown)
            String module = determineModule(object);
            if (module != null) {
                return isAccessGranted(module, authentication) ? ACCESS_GRANTED : ACCESS_DENIED;
            }
            return ACCESS_ABSTAIN;
        }
    }

Anonymous access should lead to the following results:

- /login: WebExpressionVoter: 1, ModuleVoter: 0 -> 1 = ACCESS_GRANTED
- /foo-module: WebExpressionVoter: -1, ModuleVoter: -1 -> -2 = ACCESS_DENIED

Given a user who is allowed to view the Foo module, the results should be:

- /foo-module: WebExpressionVoter: 1, ModuleVoter: 1 -> 2 = ACCESS_GRANTED
- /bar-module: WebExpressionVoter: 1 (because the user is authenticated), ModuleVoter: -1 -> 0 = ACCESS_DENIED (because of ConsensusBased.setAllowIfEqualGrantedDeniedDecisions(false))
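
The following is an added example, not part of the original question or answer. It runs the real `AffirmativeBased` and `ConsensusBased` managers over stub voters to print the decision for the question's original setup on `/login` and for the four requests tallied above. It assumes Java 9+ and spring-security-core 5.x on the classpath; plain path strings stand in for `FilterInvocation`, `urlRules` is a hypothetical stand-in for `WebExpressionVoter`, and the user `alice` and the `/foo-module` rule are constructed.

```java
import java.util.Collection;
import java.util.List;
import java.util.function.BiFunction;
import org.springframework.security.access.*;
import org.springframework.security.access.vote.*;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class VoterTallyDemo {
    static final int GRANT = AccessDecisionVoter.ACCESS_GRANTED,
            ABSTAIN = AccessDecisionVoter.ACCESS_ABSTAIN, DENY = AccessDecisionVoter.ACCESS_DENIED;
    // Wraps an (authentication, path) -> vote rule; a path string stands in for FilterInvocation.
    static AccessDecisionVoter<String> voter(BiFunction<Authentication, String, Integer> rule) {
        return new AccessDecisionVoter<String>() {
            public boolean supports(ConfigAttribute attribute) { return true; }
            public boolean supports(Class<?> clazz) { return true; }
            public int vote(Authentication auth, String path, Collection<ConfigAttribute> attrs) {
                return rule.apply(auth, path);
            }
        };
    }

    static boolean anon(Authentication a) { return a instanceof AnonymousAuthenticationToken; }
    static String decide(AccessDecisionManager manager, Authentication auth, String path) {
        try { manager.decide(auth, path, List.of()); return "GRANTED"; }
        catch (AccessDeniedException e) { return "DENIED"; }
    }

    public static void main(String[] args) {
        // Hypothetical stand-in for the URL rules: permitAll() on /login, authenticated() elsewhere.
        AccessDecisionVoter<String> urlRules = voter((a, p) -> p.startsWith("/login") || !anon(a) ? GRANT : DENY);
        // The question's voter: denies every anonymous request, /login included.
        AccessDecisionVoter<String> denyAnon = voter((a, p) -> anon(a) ? DENY : GRANT);
        // The answer's voter: abstains for anonymous; constructed rule: the user may see /foo-module only.
        AccessDecisionVoter<String> module = voter((a, p) -> anon(a) ? ABSTAIN : p.startsWith("/foo-module") ? GRANT : DENY);
        AccessDecisionManager original = new AffirmativeBased(List.of(denyAnon));
        ConsensusBased fixed = new ConsensusBased(List.of(urlRules, module));
        fixed.setAllowIfEqualGrantedDeniedDecisions(false);
        Authentication guest = new AnonymousAuthenticationToken("key", "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        Authentication user = new TestingAuthenticationToken("alice", "n/a", "ROLE_USER");
        System.out.println("AffirmativeBased, guest /login: " + decide(original, guest, "/login"));
        for (String path : List.of("/login", "/foo-module"))
            System.out.println("ConsensusBased, guest " + path + ": " + decide(fixed, guest, path));
        for (String path : List.of("/foo-module", "/bar-module"))
            System.out.println("ConsensusBased, user " + path + ": " + decide(fixed, user, path));
    }
}
```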
