堆栈内存溢出
  繁体   English   中英

Spring Security OAuth2在重定向之前操纵请求URL

[英]spring security oauth2 manipulate request url before redirect

 原文  2017-06-06 07:30:59       spring/ spring-security/ spring-security-oauth2

问题描述

我有一个使用春季安全性OAuth2保护的Vaadin应用程序。 除偶尔使用PUSH或HEARTBEAT端点首先请求然后触发身份验证过程,并且用户最终进入错误的页面(这些端点不应被用户直接访问)之外,此方法工作正常。

一个简单但不安全的解决方案是在这些端点上允许permitAll() 但是,由于这构成了威胁,我需要解决这个问题。

为此,我想解析并可能在成功身份验证重定向到请求URL之前对其进行编辑。 我将如何去做呢?

我想我需要在链中的某处添加一个过滤器以拦截请求并对其进行编辑。 但是我不确定在哪里。

这是我的客户: 

@Configuration
@EnableOAuth2Sso
public class OAuthConfig extends WebSecurityConfigurerAdapter
{

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http.csrf().disable()
                .authorizeRequests()
                .antMatchers("/login**").permitAll()
                .antMatchers("/vaadinServlet/PUSH/**").permitAll()          //todo fix this hole
                .antMatchers("/vaadinServlet/HEARTBEAT/**").permitAll()      //todo fix this hole
                .anyRequest().authenticated()
                .and()
                .logout()
                .logoutSuccessUrl("/")
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"));

    }

    @Override
    public void configure(WebSecurity web) throws Exception
    {
        web.ignoring().antMatchers("/css/*").antMatchers("/VAADIN/**"); // Static resources are ignored
    }

}

和服务器: 

@Configuration
@EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter
{
//jwt token stuff & my own client/auth providers. Should not be important.
...
}

服务器登录表格: 

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{

    @Autowired
    private RestAuthenticationProvider authenticationProvider;

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception
    {
        auth.authenticationProvider(authenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/forgetPassword*").permitAll()
                .antMatchers(HttpMethod.POST,"/user/resetPassword*").permitAll()
                .antMatchers(HttpMethod.GET,"/user/changePassword*").permitAll()
                .antMatchers("/user/updatePassword*", "/user/savePassword*", "/updatePassword*")
                .hasAnyAuthority("CHANGE_PASSWORD_PRIVILEGE","ROLE_USER")
                .anyRequest().authenticated()
                .and()
                    .formLogin()
                    .loginPage("/login")
                    .permitAll()
                .and()
                    .csrf().csrfTokenRepository(csrfTokenRepository());
    }

    private CsrfTokenRepository csrfTokenRepository()
    {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }

}

1 个解决方案

解决方案1
 0  2017-06-06 07:47:54

只需在您的项目中添加一些实现

1:创建身份验证失败处理程序 

@Component
public class CustomAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {


    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
        System.out.print("here failure");



        String s=request.getParameter("username");
        setDefaultFailureUrl("/login?error&username="+s);
        super.onAuthenticationFailure(request,response,exception);
    }

}

2:身份验证成功处理程序 

@Component
public class CustomAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request , HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
        /* custom Block 
Do any thing here
  */

        setDefaultTargetUrl("/home/");
        super.onAuthenticationSuccess(request,response,authentication);
    }
}

3:访问请求入口点 

@Component
public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
        System.out.print("Unauthorized Access");

        httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}

根据您的要求实施组件。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring 安全 Oauth2:无效重定向 url Spring 5安全性OAuth2登录重定向循环 Spring Boot + OAuth2安全和请求过滤器 令牌URL因Spring Security OAuth2而失败 Spring oauth2 不重定向到原始 url Spring OAuth2隐式流重定向URL 带有oAuth2 / oAuth / Token请求405方法的Spring Security不允许 带有JWT的Spring Security OAuth2重定向到登录页面 Spring Security OAuth 2.0 Google:在未经授权的请求后重定向到默认 URL 而不是请求的 URL Spring Security OAuth2中的JSON请求无法运行tomcat 9
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM