Spring Security(三十七):Part IV. Web Application Security
Most Spring Security users will be using the framework in applications which make user of HTTP and the Servlet API. In this part, we’ll take a look at how Spring Security provides authentication and access-control features for the web layer of an application. We’ll look behind the facade of the namespace and see which classes and interfaces are actually assembled to provide web-layer security. In some situations it is necessary to use traditional bean configuration to provide full control over the configuration, so we’ll also see how to configure these classes directly without the namespace.
13. The Security Filter Chain
Spring Security’s web infrastructure is based entirely on standard servlet filters. It doesn’t use servlets or any other servlet-based frameworks (such as Spring MVC) internally, so it has no strong links to any particular web technology. It deals in HttpServletRequest
s and HttpServletResponse
s and doesn’t care whether the requests come from a browser, a web service client, an HttpInvoker
or an AJAX application.
13.1 DelegatingFilterProxy
When using servlet filters, you obviously need to declare them in your web.xml
, or they will be ignored by the servlet container. In Spring Security, the filter classes are also Spring beans defined in the application context and thus able to take advantage of Spring’s rich dependency-injection facilities and lifecycle interfaces. Spring’s DelegatingFilterProxy
provides the link between web.xml
and the application context.
DelegatingFilterProxy
, you will see something like this in the web.xml
file:<filter>
<filter-name>myFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter> <filter-mapping>
<filter-name>myFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Notice that the filter is actually a DelegatingFilterProxy
, and not the class that will actually implement the logic of the filter. What DelegatingFilterProxy
does is delegate the Filter
's methods through to a bean which is obtained from the Spring application context. This enables the bean to benefit from the Spring web application context lifecycle support and configuration flexibility. The bean must implement javax.servlet.Filter
and it must have the same name as that in the filter-name
element. Read the Javadoc for DelegatingFilterProxy
for more information
13.2 FilterChainProxy
Spring Security’s web infrastructure should only be used by delegating to an instance of FilterChainProxy
. The security filters should not be used by themselves. In theory you could declare each Spring Security filter bean that you require in your application context file and add a corresponding DelegatingFilterProxy
entry to web.xml
for each filter, making sure that they are ordered correctly, but this would be cumbersome and would clutter up the web.xml
file quickly if you have a lot of filters. FilterChainProxy
lets us add a single entry to web.xml
and deal entirely with the application context file for managing our web security beans. It is wired using a DelegatingFilterProxy
, just like in the example above, but with the filter-name
set to the bean name "filterChainProxy". The filter chain is then declared in the application context with the same bean name. Here’s an example:
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg>
<list>
<sec:filter-chain pattern="/restful/**" filters="
securityContextPersistenceFilterWithASCFalse,
basicAuthenticationFilter,
exceptionTranslationFilter,
filterSecurityInterceptor" />
<sec:filter-chain pattern="/**" filters="
securityContextPersistenceFilterWithASCTrue,
formLoginFilter,
exceptionTranslationFilter,
filterSecurityInterceptor" />
</list>
</constructor-arg>
</bean>
The namespace element filter-chain
is used for convenience to set up the security filter chain(s) which are required within the application. [6]. It maps a particular URL pattern to a list of filters built up from the bean names specified in the filters
element, and combines them in a bean of type SecurityFilterChain
. The pattern
attribute takes an Ant Paths and the most specific URIs should appear first [7]. At runtime the FilterChainProxy
will locate the first URI pattern that matches the current web request and the list of filter beans specified by the filters
attribute will be applied to that request. The filters will be invoked in the order they are defined, so you have complete control over the filter chain which is applied to a particular URL.
SecurityContextPersistenceFilter
s in the filter chain (ASC
is short for allowSessionCreation
, a property of SecurityContextPersistenceFilter
). As web services will never present a jsessionid
on future requests, creating HttpSession
s for such user agents would be wasteful. If you had a high-volume application which required maximum scalability, we recommend you use the approach shown above. For smaller applications, using a single SecurityContextPersistenceFilter
(with its default allowSessionCreation
as true
) would likely be sufficient.FilterChainProxy
does not invoke standard filter lifecycle methods on the filters it is configured with. We recommend you use Spring’s application context lifecycle interfaces as an alternative, just as you would for any other Spring bean.DelegatingFilterProxy
with the name "springSecurityFilterChain". You should now be able to see that this is the name of the FilterChainProxy
which is created by the namespace.13.2.1 Bypassing the Filter Chain
You can use the attribute filters = "none"
as an alternative to supplying a filter bean list. This will omit the request pattern from the security filter chain entirely. Note that anything matching this path will then have no authentication or authorization services applied and will be freely accessible. If you want to make use of the contents of the SecurityContext
contents during a request, then it must have passed through the security filter chain. Otherwise the SecurityContextHolder
will not have been populated and the contents will be null.
13.3 Filter Ordering
The order that filters are defined in the chain is very important. Irrespective of which filters you are actually using, the order should be as follows:
ChannelProcessingFilter
, because it might need to redirect to a different protocol- ChannelProcessingFilter,因为它可能需要重定向到不同的协议
SecurityContextPersistenceFilter
, so aSecurityContext
can be set up in theSecurityContextHolder
at the beginning of a web request, and any changes to theSecurityContext
can be copied to theHttpSession
when the web request ends (ready for use with the next web request)- SecurityContextPersistenceFilter,因此可以在Web请求开始时在SecurityContextHolder中设置SecurityContext,并且当Web请求结束时(可以使用下一个Web请求准备好),可以将对SecurityContext的任何更改复制到HttpSession。
ConcurrentSessionFilter
, because it uses theSecurityContextHolder
functionality and needs to update theSessionRegistry
to reflect ongoing requests from the principal- ConcurrentSessionFilter,因为它使用SecurityContextHolder功能并需要更新SessionRegistry以反映来自主体的持续请求
- Authentication processing mechanisms -
UsernamePasswordAuthenticationFilter
,CasAuthenticationFilter
,BasicAuthenticationFilter
etc - so that theSecurityContextHolder
can be modified to contain a validAuthentication
request token - 身份验证处理机制 - UsernamePasswordAuthenticationFilter,CasAuthenticationFilter,BasicAuthenticationFilter等 - 以便可以修改SecurityContextHolder以包含有效的身份验证请求令牌
- The
SecurityContextHolderAwareRequestFilter
, if you are using it to install a Spring Security awareHttpServletRequestWrapper
into your servlet container - SecurityContextHolderAwareRequestFilter,如果您使用它将Spring安全感知HttpServletRequestWrapper安装到您的servlet容器中
- The
JaasApiIntegrationFilter
, if aJaasAuthenticationToken
is in theSecurityContextHolder
this will process theFilterChain
as theSubject
in theJaasAuthenticationToken
- JaasApiIntegrationFilter,如果JaasAuthenticationToken位于SecurityContextHolder中,则会将FilterChain作为JaasAuthenticationToken中的Subject进行处理
RememberMeAuthenticationFilter
, so that if no earlier authentication processing mechanism updated theSecurityContextHolder
, and the request presents a cookie that enables remember-me services to take place, a suitable rememberedAuthentication
object will be put there- RememberMeAuthenticationFilter,这样如果没有更早的身份验证处理机制更新SecurityContextHolder,并且请求提供了一个启用记住我服务的cookie,那么一个合适的记忆身份验证对象将放在那里
AnonymousAuthenticationFilter
, so that if no earlier authentication processing mechanism updated theSecurityContextHolder
, an anonymousAuthentication
object will be put there- AnonymousAuthenticationFilter,这样如果没有更早的身份验证处理机制更新SecurityContextHolder,那么匿名身份验证对象将被放在那里
ExceptionTranslationFilter
, to catch any Spring Security exceptions so that either an HTTP error response can be returned or an appropriateAuthenticationEntryPoint
can be launched- ExceptionTranslationFilter,用于捕获任何Spring Security异常,以便可以返回HTTP错误响应或启动相应的AuthenticationEntryPoint
FilterSecurityInterceptor
, to protect web URIs and raise exceptions when access is denied- FilterSecurityInterceptor,用于保护Web URI并在访问被拒绝时引发异常
Spring Security(三十七):Part IV. Web Application Security的更多相关文章
- Web Application Security(Web应用安全)
Web Application Security 1.web应用面临的主要安全问题 1)黑客入侵:撞库拖库.网页篡改.后门木马.加密勒索.数据泄露 2)恶意内容 2.web应用安全现状 1)网站安全问 ...
- 第三百三十七节,web爬虫讲解2—PhantomJS虚拟浏览器+selenium模块操作PhantomJS
第三百三十七节,web爬虫讲解2—PhantomJS虚拟浏览器+selenium模块操作PhantomJS PhantomJS虚拟浏览器 phantomjs 是一个基于js的webkit内核无头浏览器 ...
- ABP源码分析三十七:ABP.Web.Api Script Proxy API
ABP提供Script Proxy WebApi为所有的Dynamic WebApi生成访问这些WebApi的JQuery代理,AngularJs代理以及TypeScriptor代理.这些个代理就是j ...
- ModSecurity web application firewall (WAF) Research
catalog . 引言 . OWASP ModSecurity Core Rule Set (CRS) Project . Installation mod_security for Apache ...
- WEB APPLICATION PENETRATION TESTING NOTES
此文转载 XXE VALID USE CASE This is a nonmalicious example of how external entities are used: <?xml v ...
- Spring Security(二十八):9.4 Authentication in a Web Application
Now let’s explore the situation where you are using Spring Security in a web application (without we ...
- spring security源码分析之web包分析
Spring 是一个非常流行和成功的 Java 应用开发框架.Spring Security 基于 Spring 框架,提供了一套 Web 应用安全性的完整解决方案.一般来说,Web 应用的安全性包括 ...
- 风炫安全web安全学习第三十七节课 15种上传漏洞讲解(二)
风炫安全web安全学习第三十七节课 15种上传漏洞讲解(二) 05后缀名黑名单校验之上传.htaccess绕过 还是使用黑名单,禁止上传所有web容器能解析的脚本文件的后缀 $is_upload = ...
- Understanding Spring Web Application Architecture: The Classic Way--转载
原文地址:http://www.petrikainulainen.net/software-development/design/understanding-spring-web-applicatio ...
随机推荐
- C#线程安全使用(二)
刚才想了半天文章应该起什么名字,最后决定起名为<线程安全使用>,线程安全这个词很难理解,感觉就像托管这词一样,但是托管翻译成英文是managed,我通常把他翻译成被管理,这样就好理解多了, ...
- ASP.NET Core 2.1 : 十三.httpClient.GetAsync 报SSL错误的问题
不知什么时候 ,出现了这样的一个奇怪问题,简单的httpClient.GetAsync("xxxx")居然报错了.(ASP.NET Core 系列目录) 一.问题描述 把原来的程序 ...
- REST API设计指导——译自Microsoft REST API Guidelines(二)
由于文章内容较长,只能拆开发布.翻译的不对之处,请多多指教. 另外:最近团队在做一些技术何架构的研究,视频教程只能争取周末多录制一点,同时预计在下周我们会展开一次直播活动,内容围绕容器技术这块. 所有 ...
- eclipse svn插件卸载 重新安装 Subclipse卸载安装 The project was not built since its build path is incomplete This client is too old to work with the working copy at
安装插件的原则就是,要按照规则,插件与本地的svn版本要一致, 这样子本地和eclipse上面就可以无缝使用,不会出现问题 1.卸载eclipse svn插件 2,安装新版的svn插件 2.1,下载 ...
- .Net语言 APP开发平台——Smobiler学习日志:获取或存储图像路径设置
ResourcePath属性 一.属性介绍 获取或设置图像存储路径,默认设置为“image”,表示的ResourcePath是在程序运行路径下的Image文件夹(bin\Debug\Image): 该 ...
- C#工具:利用HttpClient调用WebApi
可以利用HttpClient来进行Web Api的调用.由于WebA Api的调用本质上就是一次普通的发送请求与接收响应的过程, 所有HttpClient其实可以作为一般意义上发送HTTP请求的工具. ...
- Vue移动端项目模板
一个集成移动端开发插件的Vue移动端模板包含1.css: 使用stylus开发css 集成reset样式文件 修改UI组件文件 统一样式处理(如主题色等)2.UI组件 使用热门的vant与mint-u ...
- 深海中的STL—mt19937
mt19937 当你第一眼看到这玩意儿的时候 肯定禁不住吐槽:纳尼?这是什么鬼? 确实,这个东西鲜为人知,但是它却有着卓越的性能 简介 mt19937是c++11中加入的新特性 它是一种随机数算法,用 ...
- css direction 属性简介与实际应用。
目前正在用vue构建组件库.写到弹框的时候没想到按钮的顺序问题,但是在应用中,确实会有选项按钮顺序不同的情况发生,但是又想共用一个组件.那么问题就出现了.后来看到了这篇文章,才茅塞顿开. direct ...
- iOS ----------各种判断
iOS 判断数字 - (BOOL) deptNumInputShouldNumber:(NSString *)str { if (str.length == 0) { return NO; } NSS ...