該賞金過期2天。回答這個問題有資格獲得 50聲望獎勵。 kc2001正在尋找這個問題的最新答案。
我是 Spring Boot 和 Spring Security 的新手,并且繼承了使用它們的 webapp 專案。我們將把 webapp 遷移到一個新的部署環境。我們將要改變的一件事是身份驗證機制,以便它可以在新環境中運行。同時,我想使用一些現有的 PostMan 測驗來運行 REST 端點,繞過安全性。基本上,我想暫時禁用安全性。
我有一個提供全域方法級別安全性的類:
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
// ...
}
我有多個控制器類,例如,一個提供有關用戶資訊的類:
@RestController
public class UserController {
@ApiOperation(value = "Gets the list of users for an admin.")
@PreAuthorize("#oauth2.hasScope('dashboard') and #oauth2.hasScope('read') and hasRole('ROLE_SYSADMIN')")
@GetMapping(value = "/user/list", produces = MediaType.APPLICATION_JSON_VALUE)
@AuditAccess(message = "Accessing /user/list")
public ResponseEntity<List<UserResponse>> getUserList() {
// ...
}
// ...
}
如果我嘗試運行 PostMan 測驗,它們會失敗,因為我的本地測驗環境中沒有設定身份驗證機制。我繞過安全性的第一次嘗試是注釋掉該@EnableGlobalMethodSecurity行,但這導致運行時錯誤,大概是由于 @PreAuthorize方法上的注釋。如果我也注釋掉這些,我就可以運行測驗。但是,有許多這樣的注釋分布在許多檔案中。我寧愿不評論所有這些;我寧愿暫時替換方法安全性的“什么都不做”版本。這是我的嘗試:
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
/**
* This class is designed to let everything pass the method filter, i.e.,
* effectively removing method level security.
*/
class DoNothingMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {
public Object filter(Object filterTarget, Expression filterExpression, EvaluationContext ctx) {
return filterTarget;
}
@Override
public void setReturnObject(Object returnObject, EvaluationContext ctx) {
// do nothing
}
}
@Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
MethodSecurityExpressionHandler doNothingHandler =
new DoNothingMethodSecurityExpressionHandler();
return doNothingHandler;
// TODO restore below
// return new OAuth2MethodSecurityExpressionHandler();
}
}
如果我嘗試運行 PostMan 測驗
GET http://localhost:8080/myapp/user/list
我收到一個錯誤:
2021-12-21 06:28:14,252 INFO [stdout] (default task-1) Request: http://localhost:8080/myapp/user/list }raised
2021-12-21 06:28:14,253 INFO [stdout] (default task-1) org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
2021-12-21 06:28:14,254 INFO [stdout] (default task-1) at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:379) ~[spring-security-core-5.3.1.RELEASE.jar:5.3.1.RELEASE]
2021-12-21 06:28:14,254 INFO [stdout] (default task-1) at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:223) ~[spring-security-core-5.3.1.RELEASE.jar:5.3.1.RELEASE]
2021-12-21 06:28:14,254 INFO [stdout] (default task-1) at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:65) ~[spring-security-core-5.3.1.RELEASE.jar:5.3.1.RELEASE]
2021-12-21 06:28:14,255 INFO [stdout] (default task-1) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.5.RELEASE.jar:5.2.5.RELEASE]
2021-12-21 06:28:14,255 INFO [stdout] (default task-1) at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749) ~[spring-aop-5.2.5.RELEASE.jar:5.2.5.RELEASE]
2021-12-21 06:28:14,256 INFO [stdout] (default task-1) at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:95) ~[spring-aop-5.2.5.RELEASE.jar:5.2.5.RELEASE]
2021-12-21 06:28:14,257 INFO [stdout] (default task-1) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.5.RELEASE.jar:5.2.5.RELEASE]
2021-12-21 06:28:14,257 INFO [stdout] (default task-1) at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749) ~[spring-aop-5.2.5.RELEASE.jar:5.2.5.RELEASE]
2021-12-21 06:28:14,257 INFO [stdout] (default task-1) at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:691) ~[spring-aop-5.2.5.RELEASE.jar:5.2.5.RELEASE]
2021-12-21 06:28:14,258 INFO [stdout] (default task-1) at mycompany.rest.controller.UserController$$EnhancerBySpringCGLIB$$f2b6b566.getUserList(<generated>) ~[classes:?]
2021-12-21 06:28:14,259 INFO [stdout] (default task-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_271]
2021-12-21 06:28:14,259 INFO [stdout] (default task-1) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_271]
2021-12-21 06:28:14,260 INFO [stdout] (default task-1) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_271]
2021-12-21 06:28:14,260 INFO [stdout] (default task-1) at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_271]
2021-12-21 06:28:14,260 INFO [stdout] (default task-1) at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190) ~[spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE]
2021-12-21 06:28:14,261 INFO [stdout] (default task-1) at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138) ~[spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE]
2021-12-21 06:28:14,261 INFO [stdout] (default task-1) at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105) ~[spring-webmvc-5.2.5.RELEASE.jar:5.2.5.RELEASE]
2021-12-21 06:28:14,263 INFO [stdout] (default task-1) at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:879) ~[spring-webmvc-5.2.5.RELEASE.jar:5.2.5.RELEASE]
2021-12-21 06:28:14,264 INFO [stdout] (default task-1) at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:793) ~[spring-webmvc-5.2.5.RELEASE.jar:5.2.5.RELEASE]
2021-12-21 06:28:14,265 INFO [stdout] (default task-1) at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-5.2.5.RELEASE.jar:5.2.5.RELEASE]
2021-12-21 06:28:14,265 INFO [stdout] (default task-1) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040) ~[spring-webmvc-5.2.5.RELEASE.jar:5.2.5.RELEASE]
2021-12-21 06:28:14,266 INFO [stdout] (default task-1) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943) ~[spring-webmvc-5.2.5.RELEASE.jar:5.2.5.RELEASE]
出于某種原因,我們仍在嘗試進行身份驗證。
This question is similar to some others (Spring Boot 2.0 Disable Default Security, Spring Oauth2 : Authentication Object was not found in the SecurityContext, and An Authentication object was not found in the SecurityContext - Spring 3.2.2), but involves different versions and a different use case. I haven't been able to figure out how to apply those answers to my situation. My Spring environment includes:
<spring.version>5.2.5.RELEASE</spring.version>
<spring.oath2.version>2.4.1.RELEASE</spring.oath2.version>
<spring.boot.version>2.2.6.RELEASE</spring.boot.version>
<spring.jwt.version>1.1.0.RELEASE</spring.jwt.version>
<spring.security.version>5.3.1.RELEASE</spring.security.version>
What would be an easy way to bypass security?
uj5u.com熱心網友回復:
測驗的“切換”代碼(取消/評論)是不行的!(在“嚴格的團隊”中,您甚至可能不會提交注釋代碼!-> sonarqube)
在復雜(分布式)環境中,擁有(彈簧)@Profile("test")(例如關閉安全性),聽起來絕對合法!
仍然[非常好 - 必不可少](單元 集成)測驗您的安全性( 配置)!
Spring Security 5.5.x 參考檔案,第 19 章測驗
本節介紹 Spring Security 提供的測驗支持。
19.1. 測驗方法安全
在我們可以使用 Spring Security Test 支持之前,我們必須執行一些設定。一個例子可以在下面看到:
@RunWith(SpringJUnit4ClassRunner.class) // 1. @ContextConfiguration // 2. public class WithMockUserTests { ...
(我們可以合二為一:@SpringBootTest;)
這是如何設定 Spring Security Test 的基本示例。亮點是:
@RunWith指示 spring-test 模塊它應該創建一個 ApplicationContext。這與使用現有的 Spring Test 支持沒有什么不同。有關其他資訊,請參閱Spring 參考@ContextConfiguration指示 spring-test 用于創建 ApplicationContext 的配置。由于未指定配置,將嘗試默認配置位置。這與使用現有的 Spring Test 支持沒有什么不同。有關其他資訊,請參閱Spring 參考Spring Security 使用 掛鉤到 Spring Test 支持,
WithSecurityContextTestExecutionListener這將確保我們的測驗與正確的用戶一起運行。它通過SecurityContextHolder在運行我們的測驗之前填充之前來做到這一點。如果您使用反應式方法安全性,您還需要ReactorContextTestExecutionListenerwhich populatesReactiveSecurityContextHolder。測驗完成后,它將清除SecurityContextHolder. 如果只需要 Spring Security 相關的支持,可以替換@ContextConfiguration為@SecurityTestExecutionListeners.請記住,我們將
@PreAuthorize注釋添加到我們的HelloMessageService,因此它需要經過身份驗證的用戶才能呼叫它。如果我們運行以下測驗,我們預計以下測驗將通過:@Test(expected = AuthenticationCredentialsNotFoundException.class) public void getMessageUnauthenticated() { messageService.getMessage(); }
(測驗預期(身份驗證)例外!),所以之一:
19.1.2. @WithMockUser
...
19.1.3. @WithAnonymousUser
...
19.1.4. @WithUserDetails
...
19.1.5. @WithSecurityContext
...
19.1.6. 測驗元注釋
...以及本章/參考的其余部分將很有用。
uj5u.com熱心網友回復:
@EnableGlobalMethodSecurity您可以保留它而不是洗掉它,但只需禁用它的prePostEnabled.
但是,它需要至少有一個下列使能(見本的詳細說明):
- prePostEnabled(對于啟用
@PreAuthorize/@PreFilter/@PostAuthorize/@PostFilter) - SecuredEnabled(用于啟用
@Secured) - jsr250Enabled(用于啟用 JSR-250 注釋,例如
@DenyAll,@PermitAll,@RolesAllowed) - 定義自定義
MethodSecurityMetadataSource
由于您只prePostEnabled在現有配置中啟用,我相信您現在不應該@Secured在任何方法上使用 any和 JSR-250 注釋。
因此,以下技巧應該@PreAuthorize僅在保持其他內容不變的情況下才禁用:
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = false, securedEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
}
或者
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = false, jsr250Enabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
}
uj5u.com熱心網友回復:
您可以嘗試設定 prePostEnabled = false,然后使用類似的方法洗掉 WebSecurityConfigurerAdapter 實作中的任何身份驗證過濾器
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.csrf().disable().authorizeRequests()
.anyRequest().permitAll();
}
轉載請註明出處,本文鏈接:https://www.uj5u.com/qukuanlian/400158.html
