Equivalent of requires-channel="https" when using <filter-chain> tags

Time: 2014-10-30 14:02:00

Tags: spring-security

I am using Spring Security 3.2.5 in a GWT application. I need fine-grained control over security, so I use the following configuration instead of the element:

<beans:bean id="springSecurityFilterChain"
        class="org.springframework.security.web.FilterChainProxy">
        <beans:constructor-arg>
            <beans:list>
                <filter-chain pattern="/css/**" filters="none" />
                <filter-chain pattern="/image/**" filters="none" />
                <filter-chain pattern="/index.jsp" filters="none" />
                <filter-chain pattern="/**/logout" filters="logoutFilter" />
                <filter-chain pattern="/**"
                    filters="securityContextPersistenceFilterWithASCTrue, concurrentSessionFilter, usernamePasswordAuthenticationFilter, exceptionTranslationFilter, filterSecurityInterceptor" />
            </beans:list>
        </beans:constructor-arg>
</beans:bean>

I have omitted the specific filter implementations.

I need to force most of the filter chains above to use https, the way the tag does, as in the following example:

<security:intercept-url pattern="/reports" access="ROLE_ADMIN" requires-channel="https"/>

How can I achieve this?

Edit 1: Adding ChannelProcessingFilter

Following @luke's answer I modified my code so that the channel filter is in the first position of the filter chain:

<filter-chain pattern="/**"
    filters="channelProcessingFilter, securityContextPersistenceFilterWithASCTrue, ..." />

I also added the following bean configuration:

    <!-- Ensure https channel -->
    <beans:bean id="filterSecurityInterceptor"
        class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="accessDecisionManager" ref="accessDecisionManager" />
        <beans:property name="securityMetadataSource">
            <filter-security-metadata-source>
                <intercept-url pattern="/**" access="ROLE_USER" />
            </filter-security-metadata-source>
        </beans:property>
    </beans:bean>

    <beans:bean id="channelProcessingFilter" class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
        <beans:property name="channelDecisionManager" ref="channelDecisionManager"/>
        <beans:property name="securityMetadataSource">
            <filter-security-metadata-source request-matcher="ant">
                <intercept-url pattern="/**" access="REQUIRES_SECURE_CHANNEL"/>
            </filter-security-metadata-source>
        </beans:property>
    </beans:bean>

    <beans:bean id="channelDecisionManager" class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl">
        <beans:property name="channelProcessors">
            <beans:list>
                <beans:ref bean="secureChannelProcessor"/>
                <beans:ref bean="insecureChannelProcessor"/>
            </beans:list>
        </beans:property>
    </beans:bean>

    <beans:bean id="secureChannelProcessor" class="org.springframework.security.web.access.channel.SecureChannelProcessor" />
    <beans:bean id="insecureChannelProcessor" class="org.springframework.security.web.access.channel.InsecureChannelProcessor" />

Now the problem is that I get an infinite loop after submitting the login form over http. Of course I want to avoid submitting it over http, but an infinite loop is not right. Here is the relevant log:

DEBUG o.s.s.w.FilterChainProxy 337 - /j_spring_security_check at position 1 of 6 in additional filter chain; firing Filter: 'ChannelProcessingFilter'
DEBUG o.s.s.w.a.c.ChannelProcessingFilter 134 - Request: FilterInvocation: URL: /j_spring_security_check; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
2014-10-30 19:47:10,565 DEBUG o.s.s.w.a.c.RetryWithHttpsEntryPoint 55 - Redirecting to: /j_spring_security_check
2014-10-30 19:47:10,567 DEBUG o.s.s.w.DefaultRedirectStrategy 36 - Redirecting to '/j_spring_security_check'

Any ideas?

1 answer:

Answer 0: (score: 1)

You need the ChannelProcessingFilter.

It is best if you simply require HTTPS for your whole site. It is only really secure if you use HTTPS from the very beginning. Ideally you would also want to use HSTS to communicate that to clients.
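The following configuration is an added example, not code from the question or the answer, showing how the answer's advice maps onto the question's hand-built FilterChainProxy: every chain, including the static-resource ones, goes through channelProcessingFilter first so that no request is served over plain http, and a HeaderWriterFilter with Spring Security 3.2's HstsHeaderWriter adds the Strict-Transport-Security header the answer recommends. It assumes the other filter beans (channelProcessingFilter, logoutFilter, securityContextPersistenceFilterWithASCTrue, and so on) are defined exactly as in the question; the bean name headerWriterFilter and the one-year max-age value are constructed for this example.

```xml
<!-- Added example built on the question's bean names; headerWriterFilter and
     the max-age value are assumptions, the other beans come from the question. -->
<beans:bean id="springSecurityFilterChain"
    class="org.springframework.security.web.FilterChainProxy">
    <beans:constructor-arg>
        <beans:list>
            <!-- No chain uses filters="none" any more: static content and the
                 login page are also forced onto https by channelProcessingFilter. -->
            <filter-chain pattern="/css/**" filters="channelProcessingFilter" />
            <filter-chain pattern="/image/**" filters="channelProcessingFilter" />
            <filter-chain pattern="/index.jsp" filters="channelProcessingFilter" />
            <filter-chain pattern="/**/logout"
                filters="channelProcessingFilter, logoutFilter" />
            <!-- channelProcessingFilter must stay first; headerWriterFilter is
                 placed right after it so every secured response carries HSTS. -->
            <filter-chain pattern="/**"
                filters="channelProcessingFilter, headerWriterFilter, securityContextPersistenceFilterWithASCTrue, concurrentSessionFilter, usernamePasswordAuthenticationFilter, exceptionTranslationFilter, filterSecurityInterceptor" />
        </beans:list>
    </beans:constructor-arg>
</beans:bean>

<!-- Writes Strict-Transport-Security: max-age=31536000; includeSubDomains on
     responses to requests the container reports as secure. -->
<beans:bean id="headerWriterFilter"
    class="org.springframework.security.web.header.HeaderWriterFilter">
    <beans:constructor-arg>
        <beans:list>
            <beans:bean
                class="org.springframework.security.web.header.writers.HstsHeaderWriter">
                <!-- constructor (long maxAgeInSeconds, boolean includeSubDomains);
                     one year is a constructed value, pick what fits your deployment -->
                <beans:constructor-arg index="0" value="31536000" />
                <beans:constructor-arg index="1" value="true" />
            </beans:bean>
        </beans:list>
    </beans:constructor-arg>
</beans:bean>
```

Two checks are worth making before blaming the filter order for a redirect loop like the one in the question's log. SecureChannelProcessor decides with `request.isSecure()`, so if TLS terminates at a load balancer or reverse proxy and the container still sees plain http, the https request that arrives after the redirect is judged insecure again and RetryWithHttpsEntryPoint redirects to the same URL indefinitely; the container must then be configured to trust the proxy's protocol header (for Tomcat, RemoteIpValve with protocolHeader="X-Forwarded-Proto"). The redirect target is also built from PortMapperImpl, whose defaults only map 80 to 443 and 8080 to 8443, so an application listening on other ports needs a PortMapper bean with the real port pair, otherwise the https URL it redirects to is not the one the server is listening on.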