applicare la protezione=none per la radice del contesto e risorse statiche : spring security versione 3.1

mia domanda compilato in RADICE.guerra che fondamentalmente significa che non hanno un contesto root /. Ci sono pagine che devono essere assicurati; tuttavia, ci sono gli Url che non ne ha bisogno; per esempio il mio http://localhost:8080/ dà la home page dell’applicazione; e ci sono pagine simili come su di noi, contattaci, ecc dove la sicurezza non è necessario. Così lo aggiungo alla configurazione

  <security:intercept-url pattern="/" access="permitAll" />
  <security:intercept-url pattern="/resources/**" access="permitAll" />
  <security:intercept-url pattern="/register/confirm" access="isAuthenticated()" />
  <security:intercept-url pattern="/register/accept" access="isAuthenticated()" />
  <security:intercept-url pattern="/shopper/**" access="isAuthenticated()" />

ma questo dice solo che gli utenti sono autorizzati ad accedere a questi URL “senza autenticazione”se si accede a questi Url protezione filtri vengono applicati, come si vede qui di seguito il log di debug

DEBUG: org.springframework.security.web.FilterChainProxy - /at position 1 of 12 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG: org.springframework.security.web.FilterChainProxy - /at position 3 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /at position 4 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /at position 5 of 12 in additional filter chain; firing Filter: 'OpenIDAuthenticationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /at position 6 of 12 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG: org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.sprin[email protected]9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
DEBUG: org.springframework.security.web.FilterChainProxy - /at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/'; against '/'
DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /; Attributes: [permitAll]
DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAu[email protected]: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
DEBUG: org.springframework.security.access.vote.AffirmativeBased - Voter: org.sp[email protected]2b06c17b, returned: 1
DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Authorization successful
DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - RunAsManager did not change Authentication object
DEBUG: org.springframework.security.web.FilterChainProxy - /reached end of additional filter chain; proceeding with original chain
DEBUG: org.springframework.web.servlet.DispatcherServlet - DispatcherServlet with name 'appServlet' processing GET request for [/

]

Quando provo a usare questa configurazione (sequenza di cui sotto):

 <!-- No Security required for the ROOT Context -->
  <security:http pattern="/**" security="none" />

 <!-- Apply secyrity for shopper URLs -->
 <security:http auto-config="true" use-expressions="true" access-denied-page="/denied">
  <security:intercept-url pattern="/" access="permitAll" />
  <security:intercept-url pattern="/resources/**" access="permitAll" />
  <security:intercept-url pattern="/register/confirm" access="isAuthenticated()" />
  <security:intercept-url pattern="/register/accept" access="isAuthenticated()" />
  <security:intercept-url pattern="/shopper/**" access="isAuthenticated()" /
 ....
  </security:http>

<security:http pattern="/resources/**" security="none" />

Si rompe dando l’errore

DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/auth/login'; against '/'
DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/auth/login'; against '/resources/**'
DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/auth/login'; against '/register/confirm'
DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/auth/login'; against '/register/accept'
DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/auth/login'; against '/shopper/**'
DEBUG: org.springframework.security.config.http.DefaultFilterChainValidator - No access attributes defined for login page URL
INFO : org.springframework.beans.factory.support.DefaultListableBeanFactory - Destroying singletons in org.s[email protected]5bebacc8: defining beans [placeholderConfig,dataSource,entityManagerFactory,org.springframework.aop.config.internalAutoProxyCreator,org.springframework.transaction.annotation.AnnotationTransactionAttributeSource#0,org.springframework.transaction.interceptor.TransactionInterceptor#0,org.springframework.transaction.config.internalTransactionAdvisor,transactionManager,org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor#0,registrationService,shopperService,org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.context.annotation.internalRequiredAnnotationProcessor,org.springframework.context.annotation.internalCommonAnnotationProcessor,org.springframework.context.annotation.internalPersistenceAnnotationProcessor,org.springframework.security.filterChains,org.springframework.security.filterChainProxy,org.springframework.security.web.PortMapperImpl#0,org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0,org.springframework.security.authentication.ProviderManager#0,org.springframework.security.web.context.HttpSessionSecurityContextRepository#0,org.springframework.security.core.session.SessionRegistryImpl#0,org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy#0,org.springframework.security.web.savedrequest.HttpSessionRequestCache#0,org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler#0,org.springframework.security.access.vote.AffirmativeBased#0,org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0,org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator#0,org.springframework.security.authentication.AnonymousAuthenticationProvider#0,org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint#0,org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0,org.springframework.security.openid.OpenIDAuthenticationFilter#0,org.springframework.security.openid.OpenIDAuthenticationProvider#0,org.springframework.security.userDetailsServiceFactory,org.springframework.security.web.DefaultSecurityFilterChain#0,org.springframework.security.web.DefaultSecurityFilterChain#1,org.springframework.security.authentication.dao.DaoAuthenticationProvider#0,org.springframework.security.authentication.DefaultAuthenticationEventPublisher#0,org.springframework.security.authenticationManager,passwordEncoder,registrationAwareUserDetailsService,registrationAwareAuthSuccessHandler,org.springframework.context.annotation.ConfigurationClassPostProcessor$ImportAwareBeanPostProcessor#0]; root of factory hierarchy
INFO : org.hibernate.impl.SessionFactoryImpl - closing
ERROR: org.springframework.web.context.ContextLoader - Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChainProxy': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined  before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration

Non riesco a capire il motivo dietro a tutto questo. Devo implementare il proprio modello di richiesta matcher?

Soluzione

 <beans:bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy" >
 <beans:constructor-arg>
  <beans:list>
   <security:filter-chain pattern="/resources/**"
    filters="none" />
   <security:filter-chain pattern="/aboutus"
    filters="none" />   
   <security:filter-chain pattern="/contactus"
    filters="none" />
   <security:filter-chain pattern="/news"
    filters="none" />    
  </beans:list>
 </beans:constructor-arg>
</beans:bean>

OriginaleL’autore Anadi Misra | 2012-05-09

2 risposte

  1. 4

    security="none" con il modello /** cattura tutti gli Url, in modo che nessun altra regola può essere applicata. Qual è il motivo di errore viene visualizzato nel secondo esempio.

    Ma è possibile definire diversi filter-chains per diversi URL-pattern. Non ho un esempio di questo con la nuova sintassi, ma qui è un esempio con la vecchia sintassi (ordine di filter-chains è importante):

    <bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
        <sec:filter-chain-map path-type="ant">
            <sec:filter-chain pattern="/dwr/**" filters="securityContextPersistenceFilter,securityContextHolderAwareRequestFilter,rememberMeAuthenticationFilter,anonymousAuthenticationFilter" />
            <sec:filter-chain pattern="/**" filters="channelProcessingFilter,securityContextPersistenceFilter,logoutFilter,authenticationFilter,securityContextHolderAwareRequestFilter,rememberMeAuthenticationFilter,anonymousAuthenticationFilter,sessionManagementFilter,exceptionTranslationFilter,filterSecurityInterceptor,switchUserProcessingFilter" />
        </sec:filter-chain-map>
    </bean>
    
    Aggiornamento: che va da la risposta che ho rimosso il primo tag, cioè <!– Nessun grado di Sicurezza necessario per il ROOT Contesto –> <sicurezza:http pattern=”/**” sicurezza=”none” /> il secondo rimane .io.e. la configurazione per le risorse; ma ho ancora lo stesso errore.
    Lei ha detto che si ricevono lo stesso messaggio contenente la frase A universal match pattern ('/**') is defined before other patterns? Forse si è dimenticato di ridistribuire?
    PER essere precisi, ci sono gli Url dove non voglio alcun tipo di filtri da applicare; io la vedo come inutili passaggi di elaborazione della richiesta e si vuole fare con esso.
    Io sono in esecuzione da Eclipse così ho pulito e ripubblicato prima di avviare il server tomcat.
    Risolto: aggiunta di filtri=nessuno nella configurazione del filtro catena di proxy per l’URL zampetta ho voluto escludere. Simile l’approccio hai detto, ma 3.1.0 è un argomento del costruttore di iniezione a base di sintassi

    OriginaleL’autore Vadim Ponomarev

  2. 3

    Un aggiornamento:

    Ecco la sintassi ho finalmente scelto di aderire; si rende XML molto più facile da leggere e comprendere

     <!-- Non secure URLs -->
     <security:http pattern="/" security='none' /> 
     <security:http pattern="/home" security='none' />
     <security:http pattern="/aboutus" security='none' />
     ...
     ...
     <security:http pattern="/resources/**" security='none' />
     <security:http pattern="/favicon.ico" security='none' />
    
     <!-- URLs under security config -->
      <security:http auto-config="true" use-expressions="true" pattern="/admin/**" access-denied-page="/denied">
             <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" requires-channel="https" />
      </security:http>
    

    Spero che questo aiuta.

    OriginaleL’autore Anadi Misra

Lascia un commento

Il tuo indirizzo email non sarà pubblicato. I campi obbligatori sono contrassegnati *