Spring Security changes the request URI

7
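I integrated Spring Security into an existing Spring Boot project (version: 1.5.3.RELEASE).
Before the integration, we obtained redirect information from the request by extending the preHandle method of HandlerInterceptorAdapter, where the request URI correctly pointed to its path (for example: /admin/login).
After the integration, the request URI points to the full path of the JSP.
In addition, we registered a ContextUtil class with the ConfigurableApplicationContext for further URI checks. In this class, we fetch the request like this: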
public HttpServletRequest getCurrentRequest()
{
    final ServletRequestAttributes servletRequestAttributes =
        (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
    return servletRequestAttributes.getRequest();
}

But there, too, the URI points to its "physical path" under /WEB-INF/.
For example: a GET request points to /WEB-INF/pages/admin/admin_login.jsp:
My WebSecurityConfig class is:
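import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        // Accept every request. Spring Security's authorization and
        // authentication are not used.
        http.authorizeRequests().antMatchers("/").permitAll();
    }

    @Override
    public void configure(WebSecurity web) throws Exception
    {
        // Requests matching these patterns bypass the security filter chain entirely.
        web.ignoring().antMatchers("/resources/**", "/css/**", "/js/**",
            "/img/**", "resources/*", "/WEB-INF/**").and().debug(true);
    }
}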

The relevant part of applicationContext.xml:

<mvc:default-servlet-handler/>
<mvc:annotation-driven/>
<mvc:resources mapping="/resources/**" location="classpath:/WEB-INF/resources/" />

<mvc:interceptors>
    <bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
        <property name="paramName" value="lang" />
    </bean>
    <bean class="de.abc.xyu.zzz.interceptor.RedirectInterceptor" />
</mvc:interceptors>

<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
    <property name="prefix" value="/WEB-INF/pages/" />
    <property name="suffix" value=".jsp" />
    <property name="redirectHttp10Compatible" value="false" />
</bean>

Spring Security's debug log:

Request received for GET '/admin/login':

org.apache.catalina.connector.RequestFacade@70ad489

servletPath:/admin/login pathInfo:null headers: host: localhost:8081 connection: keep-alive cache-control: max-age=0 user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 upgrade-insecure-requests: 1 accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8 referer: http://localhost:8081/admin/login accept-encoding: gzip, deflate, br accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 cookie: JSESSIONID=AE07684D485DA698F1AA4DFE056D5B3A; JSESSIONID=0819B947A685FE3362F23E39CE999D3B

Security filter chain: [ WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter HeaderWriterFilter CsrfFilter
LogoutFilter RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter SessionManagementFilter
ExceptionTranslationFilter FilterSecurityInterceptor ]


[http-nio-8081-exec-1] INFO Spring Security Debugger -

Request received for GET '/WEB-INF/pages/admin/admin_login.jsp':

SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.context.HttpSessionSecurityContextRepository$Servlet3SaveToSessionRequestWrapper@2eac9514]

servletPath:/WEB-INF/pages/admin/admin_login.jsp pathInfo:null headers: host: localhost:8081 connection: keep-alive cache-control: max-age=0 user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 upgrade-insecure-requests: 1 accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8 referer: http://localhost:8081/admin/login accept-encoding: gzip, deflate, br accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 cookie: JSESSIONID=AE07684D485DA698F1AA4DFE056D5B3A; JSESSIONID=0819B947A685FE3362F23E39CE999D3B

Security filter chain: [] empty (bypassed by security='none')

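This is a security-related request wrapper that uses SecurityContextHolder from the Spring framework. servletPath is the path and headers are the request headers. The security filter chain is empty, which means the security features were bypassed.
Why does the request point to the physical path under /WEB-INF/pages/login.jsp instead of the resolved path, and how can we get the "correct" URI?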

I ran into the same problem. Did you solve it? - Alexey
Can you tell me where in the controller you are accessing this URL? - Manoj Ramanan
@Manoj, yes, in AbstractTagController, @Configurable. - Alexey
1 Answer

1
This is what finally worked for me:

final ServletRequestAttributes servletRequestAttributes = 
    (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();

System.out.println("REQUEST URI: " +
     servletRequestAttributes.getRequest()
         .getAttribute("javax.servlet.forward.request_uri"));

That gives the real request URI rather than the "physical path" under /WEB-INF/.
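
The attribute lookup from the answer above, generalized into a helper that also works when no forward is in progress and when an error page is being rendered. This is an added example, not code from the question or the answer; the class and method names are assumptions, and it relies on the Servlet 3.0+ API that ships with Spring Boot 1.5.

```java
import javax.servlet.DispatcherType;
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest;

import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

// Hypothetical helper; class and method names are assumptions, not from the post.
public final class OriginalRequestUri {

    private OriginalRequestUri() {
    }

    /** URI the client requested, for the request bound to the current thread. */
    public static String current() {
        ServletRequestAttributes attrs =
            (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
        return of(attrs.getRequest());
    }

    /** URI the client requested, regardless of the dispatch being processed. */
    public static String of(HttpServletRequest request) {
        DispatcherType type = request.getDispatcherType();
        Object original = null;
        if (type == DispatcherType.FORWARD) {
            // "javax.servlet.forward.request_uri": set by the container on forward();
            // it keeps the first request's URI even across nested forwards.
            original = request.getAttribute(RequestDispatcher.FORWARD_REQUEST_URI);
        } else if (type == DispatcherType.ERROR) {
            // "javax.servlet.error.request_uri": URI that triggered the error page.
            original = request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI);
        }
        // REQUEST and INCLUDE dispatches, or a missing attribute:
        // getRequestURI() is what the client sent (an include does not change it).
        return (original instanceof String) ? (String) original : request.getRequestURI();
    }
}
```

Code that runs while the JSP is rendered, such as tag classes, sees the forwarded request, so URI checks made there should go through a lookup like this instead of `getRequestURI()` directly.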
