ssl - 如何忽略 Spring Security 和 SSL 的某些路径？

这是我的 Spring 配置:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class X509Configuration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/ws/items.wsdl");
    }

    @Override
    public void configure(final HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                 .sessionCreationPolicy(SessionCreationPolicy.NEVER)
                 .and()
            .authorizeRequests()
                 .antMatchers("/ws/items.wsdl").permitAll()
                 .and()
            // require authorization for everything else
            .authorizeRequests()
                 .anyRequest().authenticated()
                 .and()
            .x509()
                 .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                 .userDetailsService(userDetailsService())
                 .and()
            .csrf().disable()

            // configure form login
            .formLogin().disable()

            // configure logout
            .logout().disable();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        return new UserDetailsService() {
            @Override
            public UserDetails loadUserByUsername(String username) {
                if (username.equals("cid")) {
                    return new User(username, "",
                        AuthorityUtils
                                .commaSeparatedStringToAuthorityList("ROLE_USER"));
                }
                throw new UsernameNotFoundException("User not found!");
            }
        };
    }
}

这些是 SSL 设置:

server:
  port: 8443
  ssl:
    enabled: true
    key-store: 'classpath:keystore.jks'
    key-store-password: 'changeit'
    key-password: 'changeit'
    trust-store: 'classpath:truststore.jks'
    trust-store-password: 'changeit'
    client-auth: need

我想要的是忽略 SSL 或允许我的所有 WSDL 站点。但是使用此配置它不起作用。我收到以下错误:

http https://localhost:8443/ws/items.wsdl http: error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645) while doing GET request to URL: https://localhost:8443/ws/items.wsdl

我不想使用 ca 签名证书。 (使用签名证书它可以工作。) 我怎样才能做到这一点？我有哪些选择？

最佳答案

删除这个:

.authorizeRequests()
                 .antMatchers("/ws/items.wsdl").permitAll()

网络配置说忽略该路径，但您的 http 安全性说要通过身份验证对该路径发出请求。

关于ssl - 如何忽略 Spring Security 和 SSL 的某些路径？，我们在Stack Overflow上找到一个类似的问题： https://stackoverflow.com/questions/40492809/

ssl - 如何忽略 Spring Security 和 SSL 的某些路径？

上一篇：.htaccess - 如何将所有 HTTPS 重定向到 HTTP

下一篇：ssl - 如何在 Erlang/YAWS 中启用 ssl/crypto