gpt4 book ai didi

java - Spring Security 忽略失败的身份验证

转载 作者:行者123 更新时间:2023-12-02 05:37:54 25 4
gpt4 key购买 nike

我正在设置 Spring Security。我的 CookieAuthenticationFilter 应该确保将用户拒之门外,除非他们拥有带有我们接受的 UUID 的 cookie。尽管如果 UUID 不被接受,CookieAuthenticationFilter 将设置一个空上下文,但我仍然可以访问所有 URL。

知道缺少什么吗?

这是我的安全配置:

@Configuration
@EnableWebMvcSecurity
public class LIRSecurityConfig extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilter(cookieAuthenticationFilter())
.authorizeRequests()
.antMatchers("/**").hasAnyAuthority("ALL");
}

@Bean
public CookieAuthenticationFilter cookieAuthenticationFilter() {
return new CookieAuthenticationFilter(cookieService());
}

private CookieService cookieService() {
return new CookieService.Impl();
}

@Bean(name = "springSecurityFilterChain")
public FilterChainProxy getFilterChainProxy() {
SecurityFilterChain chain = new SecurityFilterChain() {

@Override
public boolean matches(HttpServletRequest request) {
// All goes through here
return true;
}

@Override
public List<Filter> getFilters() {
List<Filter> filters = new ArrayList<Filter>();
filters.add(cookieAuthenticationFilter());
return filters;
}
};
return new FilterChainProxy(chain);
}

}

这是 CookieAuthenticationFilter 实现:

public class CookieAuthenticationFilter extends GenericFilterBean {

@Resource
protected AuthenticationService authenticationService;

private CookieService cookieService;

public CookieAuthenticationFilter(CookieService cookieService) {
super();
this.cookieService = cookieService;
}

@Override
public void doFilter(ServletRequest req, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
UUID uuid = cookieService.extractUUID(request.getCookies());

UserInfo userInfo = authenticationService.findBySessionKey(uuid);
SecurityContext securityContext = null;
if (userInfo != null) {
securityContext = new CookieSecurityContext(userInfo);
SecurityContextHolder.setContext(securityContext);
} else {
securityContext = SecurityContextHolder.createEmptyContext();
}

try {
SecurityContextHolder.setContext(securityContext);
chain.doFilter(request, response);
}
finally {
// Free the thread of the context
SecurityContextHolder.clearContext();
}
}

}

最佳答案

这里的问题是你不想使用GenericFilterBean,因为它实际上不是 Spring Security 框架的一部分,只是常规 Spring,所以它不知道如何发送回安全相关的消息到浏览器或拒绝访问等。如果您确实想使用 GenericFilterBean,您需要自己处理重定向或 401 响应。或者,查看作为 Spring Security 框架一部分的 AbstractPreAuthenticatedProcessingFilter。这里有一些文档:http://docs.spring.io/spring-security/site/docs/3.0.x/reference/preauth.html

关于java - Spring Security 忽略失败的身份验证,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/24807311/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com