Spring Security: exclude an URL from SiteMinder
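I have a question about Spring Security and SiteMinder.
Normally I use the SM_USER header for all requests to all pages, but this time I need to exclude one URL: it will send requests without the SM_USER header.
I use Java configuration: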
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // for class CustomUserDetailsService I configured how I get the list of
        // user authorities with the content of SM_USER header
        userDetailsService = new CustomUserDetailsService();
        UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper =
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService);
        preAuthenticatedProvider = new PreAuthenticatedAuthenticationProvider();
        preAuthenticatedProvider.setPreAuthenticatedUserDetailsService(wrapper);
        auth.authenticationProvider(preAuthenticatedProvider);
        log.debug("global security configuration was successfull");
    }
Then I add the authorities for the different URLs:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RequestHeaderAuthenticationFilter siteMinderFilter = new RequestHeaderAuthenticationFilter();
        siteMinderFilter.setPrincipalRequestHeader("SM_USER");
        siteMinderFilter.setAuthenticationManager(authenticationManager());
        http.addFilter(siteMinderFilter);
        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = http.authorizeRequests();
        // adding an authority to URLs containing SM_USER_URL
        registry.antMatchers(HttpMethod.GET, "**/SM_USER_URL/**").hasAuthority("authority1");
        // here I try to exclude the URL from SiteMinder
        registry.antMatchers(HttpMethod.GET, "**/ExcludedPage/**").permitAll();
    }
My problem is that for requests to the ExcludedPage URL I get nothing except the following exception:
org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException: SM_USER header not found in request.
Also, I can't set the filter for this page at all, because it doesn't require any SM_USER header.
Thank you in advance.
For each URL that should accept SiteMinder, add:
    http.antMatcher(SM_USER_URL).addFilter(siteMinderFilter);
What you are missing is the correct behaviour of RequestHeaderAuthenticationFilter. Try setting setExceptionIfHeaderMissing to false, as shown below:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RequestHeaderAuthenticationFilter siteMinderFilter = new RequestHeaderAuthenticationFilter();
        siteMinderFilter.setPrincipalRequestHeader("SM_USER");
        siteMinderFilter.setAuthenticationManager(authenticationManager());
        siteMinderFilter.setExceptionIfHeaderMissing(false); // <-- the added line
        ...
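An added example, not part of the original question or answers: the second answer's setting combined with the question's URL rules in one configuration, plus a fail-closed catch-all for every other URL. The class name `SiteMinderSecurityConfig`, the `anyRequest().authenticated()` rule and the 403 entry point are assumptions added here; the URL patterns and `authority1` are taken from the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SiteMinderSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: the question's configureGlobal(AuthenticationManagerBuilder) method,
    // which registers the PreAuthenticatedAuthenticationProvider, is also in this class.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RequestHeaderAuthenticationFilter siteMinderFilter = new RequestHeaderAuthenticationFilter();
        siteMinderFilter.setPrincipalRequestHeader("SM_USER");
        siteMinderFilter.setAuthenticationManager(authenticationManager());
        // A missing SM_USER header no longer throws; the request simply continues
        // unauthenticated, so the authorization rules below become the only gate.
        siteMinderFilter.setExceptionIfHeaderMissing(false);

        http.addFilter(siteMinderFilter)
            .authorizeRequests()
                // The one page that is served without SiteMinder.
                .antMatchers(HttpMethod.GET, "**/ExcludedPage/**").permitAll()
                // SiteMinder-protected pages still require the authority from SM_USER.
                .antMatchers(HttpMethod.GET, "**/SM_USER_URL/**").hasAuthority("authority1")
                // Everything not listed above is denied unless SM_USER authenticated the request.
                .anyRequest().authenticated()
            .and()
            .exceptionHandling()
                // Unauthenticated requests to protected URLs get a plain 403.
                .authenticationEntryPoint(new Http403ForbiddenEntryPoint());
    }
}
```

Without the catch-all rule, any URL that matches neither pattern would be reachable with no SM_USER header once the exception is switched off.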