首页 文章

Spring Security改变了请求URI

提问于
浏览
7

我将Spring Security集成到现有的Spring Boot项目中(版本:1.5.3.RELEASE) .

在集成之前,我们通过扩展HandlerInterceptorAdapater的preHandle方法通过getRequestURI从请求中获取重定向信息 .

请求URI正确指向其路径(例如:/ admin / login) .

集成后,请求URI指向jsp的完整路径 .

此外,我们已经向ConfigurableApplicationContext注册了一个ContextUtil类,以进行进一步的URI检查 . 在这个类中,我们获取这样的请求:

public HttpServletRequest getCurrentRequest()
{
    final ServletRequestAttributes servletRequestAttributes = 
    (ServletRequestAttributes) 
    RequestContextHolder.currentRequestAttributes();
    return servletRequestAttributes.getRequest();
}

但是URI也是"physical path"下的 /WEB-INF/

例如:GET请求指向 /WEB-INF/pages/admin/admin_login.jsp

我的 WebSecurityConfig class 是:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        //jeden Aufruf akzeptieren. Authorisierung und 
    Authentifizierung von Spring Security wird nicht genutzt
    http.authorizeRequests().antMatchers("/").permitAll();
}

    @Override
    public void configure(WebSecurity web) throws Exception
    {
    web.ignoring().antMatchers("/resources/**", "/css/**", "/js/**", 
    "/img/**", "resources/*", "/WEB-INF/**").and().debug(true);
    }
}

相关 applicationContext.xml 部分:

<mvc:default-servlet-handler/>
<mvc:annotation-driven/>
<mvc:resources mapping="/resources/**" location="classpath:/WEB-INF/resources/" />

<mvc:interceptors>
    <bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
        <property name="paramName" value="lang" />
    </bean>
    <bean class="de.abc.xyu.zzz.interceptor.RedirectInterceptor" />
</mvc:interceptors>

<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
    <property name="prefix" value="/WEB-INF/pages/" />
    <property name="suffix" value=".jsp" />
    <property name="redirectHttp10Compatible" value="false" />
</bean>

Spring Security的调试日志:

收到GET'/ admin / login'的请求:

org.apache.catalina.connector.RequestFacade@70ad489 servletPath:/ admin / login pathInfo:null headers:host:localhost:8081 connection:keep-alive cache-control:max-age = 0 user-agent:Mozilla / 5.0( X11; Linux x86_64)AppleWebKit / 537.36(KHTML,与Gecko一样)Chrome / 62.0.3202.94 Safari / 537.36升级 - 不安全请求:1接受:text / html,application / xhtml xml,application / xml; q = 0.9,image / webp,image / apng,/; q = 0.8 referer:http:// localhost:8081 / admin / login accept-encoding:gzip,deflate,br accept-language:de-DE,de; q = 0.9,en-US ; q = 0.8,en; q = 0.7 cookie:JSESSIONID = AE07684D485DA698F1AA4DFE056D5B3A; JSESSIONID = 0819B947A685FE3362F23E39CE999D3B安全过滤器链:[WebAsyncManagerIntegrationFilter SecurityContextPersistenceFilter HeaderWriterFilter CsrfFilter LogoutFilter RequestCacheAwareFilter SecurityContextHolderAwareRequestFilter AnonymousAuthenticationFilter SessionManagementFilter ExceptionTranslationFilter FilterSecurityInterceptor] [http-nio-8081-exec-1] INFO Spring Security Debugger -

收到GET'/WEB-INF/pages/admin/admin_login.jsp'的请求:

SecurityContextHolderAwareRequestWrapper [org.springframework.security.web.context.HttpSessionSecurityContextRepository$Servlet3SaveToSessionRequestWrapper@2eac9514] servletPath:/WEB-INF/pages/admin/admin_login.jsp pathInfo:null headers:host:localhost:8081 connection:keep-alive cache- control:max-age = 0 user-agent:Mozilla / 5.0(X11; Linux x86_64)AppleWebKit / 537.36(KHTML,与Gecko一样)Chrome / 62.0.3202.94 Safari / 537.36 upgrade-insecure-requests:1 accept:text / html, application / xhtml xml,application / xml; q = 0.9,image / webp,image / apng,/; q = 0.8 referer:http:// localhost:8081 / admin / login accept-encoding:gzip,deflate,br accept-语言:de-DE,de; q = 0.9,en-US; q = 0.8,en; q = 0.7 cookie:JSESSIONID = AE07684D485DA698F1AA4DFE056D5B3A; JSESSIONID = 0819B947A685FE3362F23E39CE999D3B安全过滤器链:[]为空(被security ='none'绕过)

为什么请求指向/WEB-INF/pages/login.jsp下的物理路径而不是其解析路径,我们如何实现它,我们得到“正确”的URI?

1 回答

  • 1

    最终这对我有用:

    final ServletRequestAttributes servletRequestAttributes = 
        (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
    
    System.out.println("REQUEST URI: " +
         servletRequestAttributes.getRequest()
             .getAttribute("javax.servlet.forward.request_uri"));
    

    这给出了真正的请求URI,而不是/ WEB-INF /下的“物理路径” .

相关问题