My requirement is to protect only the login page, in order to protect the user credentials. After a successful login, the user can access the restricted pages, but over http. This is a requirement because of the SSL overhead: users need to access protected pages that contain a lot of data.
I would like to know whether this can be done, even though it is not as secure as keeping the https context.
This is my configuration:
<security:http auto-config="true">
<security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
<security:intercept-url pattern="/welcome*" access="ROLE_USER, ROLE_ADMIN" />
<security:form-login login-page="/login" authentication-failure-handler-ref="customAuthenticationFailureHandler" default-target-url="/welcome" />
<security:access-denied-handler ref="openIdAuthFailureHandler"/>
</security:http>
If I try to set /login to https, everything ends up in https mode. How can I achieve this?
Edit:
As s.kwiotek suggested, I added requires-channel="http" to the other url patterns:
<security:http auto-config="true">
<security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
<security:intercept-url pattern="/welcome*" access="ROLE_USER, ROLE_ADMIN" requires-channel="http"/>
<security:intercept-url pattern="/user/*" access="ROLE_USER, ROLE_ADMIN" requires-channel="http" />
<security:intercept-url pattern="/rest/*" access="ROLE_USER, ROLE_ADMIN" requires-channel="http" />
<security:intercept-url pattern="/admin/*" access="ROLE_ADMIN" requires-channel="http" />
<security:session-management session-fixation-protection="none"/>
<security:port-mappings>
<security:port-mapping http="8080" https="8443"/>
</security:port-mappings>
<security:form-login login-page="/login" authentication-failure-handler-ref="customAuthenticationFailureHandler" always-use-default-target="true" default-target-url="/user/home" />
<security:logout logout-success-url="/" />
<security:access-denied-handler ref="openIdAuthFailureHandler"/>
</security:http>
I added session-fixation-protection="none" because if I only include requires-channel="http", it does not get past the login. I try to log in, but I am sent back to the login page.
If I add session fixation protection, it goes to the user's home, but only on the second login attempt. When you visit /myapp/login, two jsessionids are created:
JSESSIONID=5B37413F33DF0AA45F31D711754C3704; path=/myapp; domain=localhost
JSESSIONID=658F9F8669AF6B296A77D448C1A64B71; path=/myapp/; domain=localhost; HttpOnly
Then I try to log in and am returned to the login page, but with a different url:
https://myapp/login;jsessionid=C1EC352C42D6AC379DB1B65A9295E8A1
With the jsessionid in the URL, I try to log in and am successfully redirected to the user's home page (/user/home). If I remove session fixation protection, the jsessionid is in the URL, but I am not successfully redirected to the user's home page.
I do not know who creates the first two jsessionids, or how to explain this behavior. All I want to do is protect the login with ssl and then access the pages over http.
Best answer
(This should be a comment, but my account has limited reputation.)
You may want to reconsider allowing the restricted pages to be accessed in http mode.
According to http://www.troyhunt.com/2011/11/owasp-top-10-for-net-developers-part-9.html:
Many people think of TLS as purely a means of encrypting sensitive user data in transit. For example, you’ll often see login forms posting credentials over HTTPS then sending the authenticated user back to HTTP for the remainder of their session. The thinking is that once the password has been successfully protected, TLS no longer has a role to play. The example above shows that entire authenticated sessions need to be protected, not just the credentials in transit. This is a lesson taught by Firesheep last year and is arguably the catalyst for Facebook implementing the option of using TLS across authenticated sessions.
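To make the answer's point concrete, here is an added example (not code from the question or the answer) that places the asker's split-channel configuration next to a hardened one in the same Spring Security XML namespace: the hardened version keeps the entire authenticated session on https, leaves session-fixation protection enabled, and sends HSTS. It assumes Spring Security 3.2 or later for the headers element, and a Servlet 3.0 container for the web.xml cookie-config fragment.

```xml
<!-- Weak: only the login page is forced to TLS; every page after login is
     forced back to plain http and session-fixation protection is off. The
     JSESSIONID issued over https is then sent over http, where the whole
     authenticated session is readable by anyone on the network path. -->
<security:http auto-config="true">
  <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
  <security:intercept-url pattern="/user/*" access="ROLE_USER, ROLE_ADMIN" requires-channel="http"/>
  <security:intercept-url pattern="/admin/*" access="ROLE_ADMIN" requires-channel="http"/>
  <security:session-management session-fixation-protection="none"/>
</security:http>

<!-- Hardened: every URL, the login page included, requires https, so the
     session cookie never travels in clear text. Patterns are matched in
     order, so the more specific /admin/** rule comes before the /** catch-all.
     migrateSession gives the user a new session id at login while keeping
     the session attributes. The port mapping lets the channel filter
     redirect 8080 -> 8443 (the same ports the question uses). -->
<security:http auto-config="true">
  <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
  <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" requires-channel="https"/>
  <security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN" requires-channel="https"/>
  <security:session-management session-fixation-protection="migrateSession"/>
  <security:port-mappings>
    <security:port-mapping http="8080" https="8443"/>
  </security:port-mappings>
  <!-- HSTS (Spring Security 3.2+ headers element, assumed available):
       browsers that have seen it refuse plain-http requests to this host
       for one year, so a stray http link cannot downgrade the session. -->
  <security:headers>
    <security:hsts include-subdomains="true" max-age-seconds="31536000"/>
  </security:headers>
  <security:form-login login-page="/login" default-target-url="/user/home"/>
  <security:logout logout-success-url="/login"/>
</security:http>

<!-- web.xml (Servlet 3.0+, assumed): mark the session cookie Secure and
     HttpOnly so the browser never sends JSESSIONID over http and script
     on the page cannot read it. -->
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>
```

The Secure cookie flag is also what removes the question's "log in twice" symptom: with a single channel there is no longer a session id handed out over https and then presented over http.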
Regarding "spring - Is it possible to use HTTPS only for login in Spring Security?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/28341645/