When you create multiple security configurations, Spring Boot creates a separate SecurityFilterChain for each of them. See WebSecurity:

    @Override
    protected Filter performBuild() throws Exception {
        // ...
        for (SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : securityFilterChainBuilders) {
            securityFilterChains.add(securityFilterChainBuilder.build());
        }
        // ...
    }

When the application receives a logout request, FilterChainProxy returns only one SecurityFilterChain:

    private List<Filter> getFilters(HttpServletRequest request) {
        for (SecurityFilterChain chain : filterChains) {
            // Only the first chain that matches logout request will be used:
            if (chain.matches(request)) {
                return chain.getFilters();
            }
        }
        return null;
    }
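
If you really need modular security configuration, I suggest creating separate security configurations for logout and for the other areas. You can define the logout handlers as beans (using the @Bean annotation) in different configuration classes and collect these handlers in the logout configuration:

WebSecurityLogoutConfiguration.java

    @Configuration
    @Order(99)
    public class WebSecurityLogoutConfiguration extends WebSecurityConfigurerAdapter {

        // ALL YOUR LOGOUT HANDLERS WILL BE IN THIS LIST
        @Autowired
        private List<LogoutHandler> logoutHandlers;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // configure only logout; this chain is first in order, so it is
            // restricted to /logout to keep it from matching every other request
            http
                .antMatcher("/logout")
                .logout()
                    .logoutUrl("/logout")
                    .invalidateHttpSession(true)
                    // USE CompositeLogoutHandler
                    .addLogoutHandler(new CompositeLogoutHandler(logoutHandlers));
            http.csrf().disable(); // for demo purposes
        }
    }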

WebSecurity1Configuration.java

    @Configuration
    @Order(101)
    public class WebSecurity1Configuration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // ... more security configuration, e.g. login, CSRF, rememberme
            http.authorizeRequests()
                .antMatchers("/secured/**")
                .authenticated();
        }

        // LOGOUT HANDLER 1
        @Bean
        public LogoutHandler logoutHandler1() {
            return (request, response, authentication) -> {
                System.out.println("logged out 1!");
            };
        }
    }

WebSecurity2Configuration.java

    @Configuration
    @Order(102)
    public class WebSecurity2Configuration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers("/api/**")
                .permitAll();
        }

        // LOGOUT HANDLER 2
        @Bean
        public LogoutHandler logoutHandler2() {
            return (request, response, authentication) -> {
                System.out.println("logged out 2!");
            };
        }
    }
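
The first-match selection described above can be checked directly against FilterChainProxy. The following is an added example, not code from the original answer: it compares a logout chain that matches any request with one restricted to /logout, and reports which chain is selected for each URL. It assumes Spring Security 5.x (javax.servlet) on the classpath; the class name ChainSelectionCheck, the helper names, the sample URLs and the filter keys are constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;
import javax.servlet.Filter;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added example (hypothetical class, not from the original answer).
public class ChainSelectionCheck {

    // Builds a proxy whose first chain (the logout chain) uses the given matcher,
    // followed by chains scoped to /secured/** and /api/**, in @Order sequence.
    static FilterChainProxy proxy(RequestMatcher logoutChainMatcher) {
        Filter logout = new LogoutFilter("/login?logout", new SecurityContextLogoutHandler());
        List<SecurityFilterChain> chains = Arrays.asList(
            new DefaultSecurityFilterChain(logoutChainMatcher, logout),
            new DefaultSecurityFilterChain(new AntPathRequestMatcher("/secured/**"),
                new AnonymousAuthenticationFilter("constructed-key-1")),
            new DefaultSecurityFilterChain(new AntPathRequestMatcher("/api/**"),
                new AnonymousAuthenticationFilter("constructed-key-2")));
        return new FilterChainProxy(chains);
    }

    // Returns the index of the chain FilterChainProxy selects for the URL, or -1 if none.
    static int selectedChain(FilterChainProxy proxy, String url) {
        List<Filter> selected = proxy.getFilters(url);
        List<SecurityFilterChain> chains = proxy.getFilterChains();
        for (int i = 0; i < chains.size(); i++) {
            if (chains.get(i).getFilters().equals(selected)) return i;
        }
        return -1;
    }

    public static void main(String[] args) {
        String[] urls = {"/logout", "/secured/account", "/api/items"}; // constructed sample URLs
        FilterChainProxy unscoped = proxy(AnyRequestMatcher.INSTANCE);
        FilterChainProxy scoped = proxy(new AntPathRequestMatcher("/logout"));
        for (String url : urls) {
            System.out.printf("%-18s unscoped -> chain %d, scoped -> chain %d%n",
                url, selectedChain(unscoped, url), selectedChain(scoped, url));
        }
    }
}
```

When the first chain matches any request it is selected for every URL, so the authorization rules of the later chains are never applied to those requests.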