Question
I'm using Spring Security via Spring Boot 1.59 and am having an issue securing URLs dynamically.
Below is my configure method:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            //.antMatchers("/home").access("hasAnyRole('ROLE_USER','ROLE_ADMIN')")
            //.antMatchers("/home3").access("hasRole('ROLE_ADMIN')")
            .and()
        .formLogin().loginPage("/login").permitAll()
            .loginProcessingUrl("/myLogin")
            .usernameParameter("my_username").passwordParameter("my_password")
            .defaultSuccessUrl("/home")
            .and()
        .logout()
            .logoutUrl("/myLogout")
            .logoutSuccessUrl("/login?logout")
            .and()
        .exceptionHandling().accessDeniedPage("/403")
            .and()
        .csrf().disable();
}
I have a custom FilterInvocationSecurityMetadataSource as below:
import java.util.Collection;
import java.util.List;
import java.util.logging.Logger; // java.util.logging assumed; the original does not show the import

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.stereotype.Component;

@Component
public class CustomFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource
{
    protected Logger log = Logger.getLogger(CustomFilterInvocationSecurityMetadataSource.class.getName());

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object)
    {
        FilterInvocation fi = (FilterInvocation) object;
        String url = fi.getRequestUrl();
        log.info("URL:" + url);
        // Will eventually come from database
        //List<ConfigAttribute> attributes = SecurityConfig.createList("permitAll");
        //List<ConfigAttribute> attributes = SecurityConfig.createList("hasRole('ROLE_ADMIN')");
        //List<ConfigAttribute> attributes = SecurityConfig.createList("ROLE_ADMIN");
        List<ConfigAttribute> attributes = SecurityConfig.createList("permitAll");
        // Login page and static resources get no attributes (null); every other URL gets the list above
        if (!url.equalsIgnoreCase("/login") && !url.contains("/javax.faces.resource/") && !url.contains("/resources/images/"))
            return attributes;
        else
            return null;
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}
and I have a BeanPostProcessor to update the namespace FilterSecurityInterceptor with my custom FilterInvocationSecurityMetadataSource:
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.stereotype.Component;

@Component
public class MyFilterSecurityInterceptorBeanPostProcessor implements BeanPostProcessor {

    @Autowired
    CustomFilterInvocationSecurityMetadataSource customFilterInvocationSecurityMetadataSource;

    @Override
    public Object postProcessBeforeInitialization(Object bean, String name) throws BeansException {
        return bean;
    }

    @Override
    public Object postProcessAfterInitialization(Object bean, String name) throws BeansException {
        // Replace the metadata source on the FilterSecurityInterceptor that the Spring Security config created
        if (bean instanceof FilterSecurityInterceptor) {
            ((FilterSecurityInterceptor) bean).setSecurityMetadataSource(customFilterInvocationSecurityMetadataSource);
        }
        return bean;
    }
}
When I un-comment the antMatchers for /home and /home3 in the configure method and do not use the custom FilterInvocationSecurityMetadataSource and BeanPostProcessor, I can reach /home and /home3 without issue.
The problem I'm having however is that whenever I comment out the antMatchers and attempt to use the custom FilterInvocationSecurityMetadataSource and BeanPostProcessor to provide the access roles, I receive a 403 Forbidden when attempting to reach /home and /home3.
If I return a null from CustomFilterInvocationSecurityMetadataSource, it will allow the request to go through successfully; however, any request which returns any access role, including 'permitAll', returns the 403. Does anyone have any idea why this is happening? Am I missing something? Any help is greatly appreciated!
Thank you!
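Editor's added example, not the asker's code: `authorizeRequests()` installs an `AffirmativeBased` decision manager whose only voter is `WebExpressionVoter`, which votes only on `WebExpressionConfigAttribute` instances and abstains on plain `SecurityConfig` attributes such as `permitAll` or `ROLE_ADMIN`, and `AffirmativeBased` denies when every voter abstains, which is the 403 described above (a null attribute list skips the decision entirely, which is why that case passes). The metadata source below keeps the same interface and the same `BeanPostProcessor` wiring (autowire it as `FilterInvocationSecurityMetadataSource`) but builds its attributes through `ExpressionBasedFilterInvocationSecurityMetadataSource`, so each expression string is compiled into a form the voter evaluates; the class name `ExpressionMetadataSource` is hypothetical and the pattern-to-expression map is constructed inline as a stand-in for the database lookup mentioned in the question.

```java
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Component;
// Hypothetical class name; a drop-in replacement for the question's metadata source.
@Component
public class ExpressionMetadataSource implements FilterInvocationSecurityMetadataSource {
    private final FilterInvocationSecurityMetadataSource delegate;
    public ExpressionMetadataSource() {
        // Constructed sample rules standing in for the database lookup mentioned in the question.
        // Order matters: the first matcher that matches wins, so specific paths come first.
        Map<String, String> rules = new LinkedHashMap<>();
        rules.put("/login", "permitAll");
        rules.put("/javax.faces.resource/**", "permitAll");
        rules.put("/resources/images/**", "permitAll");
        rules.put("/home3", "hasRole('ROLE_ADMIN')");
        rules.put("/home", "hasAnyRole('ROLE_USER','ROLE_ADMIN')");
        rules.put("/**", "authenticated"); // catch-all so no URL is left unmapped
        LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> requestMap = new LinkedHashMap<>();
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            // Exactly one attribute per matcher; the expression-based source rejects more.
            requestMap.put(new AntPathRequestMatcher(rule.getKey()), SecurityConfig.createList(rule.getValue()));
        }
        // Compiles each expression string into a WebExpressionConfigAttribute, the only attribute
        // type the WebExpressionVoter installed by authorizeRequests() will vote on. A fresh handler
        // is used here; inject the application's own one if a role hierarchy is configured.
        this.delegate = new ExpressionBasedFilterInvocationSecurityMetadataSource(
                requestMap, new DefaultWebSecurityExpressionHandler());
    }

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) {
        return delegate.getAttributes(object); // null only when no pattern matched
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() { return delegate.getAllConfigAttributes(); }

    @Override
    public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }
}
```

Keep the catch-all rule last: without it, an unmapped URL yields null attributes and the interceptor lets the request through unauthenticated, which is the silent-allow behaviour the question observed.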
Source: https://stackoverflow.com/questions/48635647/spring-security-issue-with-securing-urls-dynamically