Monday, June 11, 2018

Spring Security alters request URI

I integrated Spring Security into an existing Spring Boot project (Version: 1.5.3.RELEASE).

Before the integration, we got our redirect information from a request via getRequestURI in a preHandle method of a class which extends HandlerInterceptorAdapter.

The request URI correctly pointed to its path (for example: /admin/login).

After the integration, the request URI is pointing to the complete path of the jsp.

In addition, we've registered a ContextUtil class with the ConfigurableApplicationContext for further URI checks. In this class, we fetch the request like this:

    public HttpServletRequest getCurrentRequest() {
        final ServletRequestAttributes servletRequestAttributes =
                (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
        return servletRequestAttributes.getRequest();
    }

but the URI also points to its "physical path" under /WEB-INF/.

For example: GET Request is pointing to /WEB-INF/pages/admin/admin_login.jsp:

My WebSecurityConfig class is:

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Accept every call. Spring Security's authorization and
            // authentication are not used.
            http.authorizeRequests().antMatchers("/").permitAll();
        }

        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/resources/**", "/css/**", "/js/**",
                    "/img/**", "resources/*", "/WEB-INF/**").and().debug(true);
        }
    }

Relevant applicationContext.xml parts:

    <mvc:default-servlet-handler/>
    <mvc:annotation-driven/>
    <mvc:resources mapping="/resources/**" location="classpath:/WEB-INF/resources/" />

    <mvc:interceptors>
        <bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
            <property name="paramName" value="lang" />
        </bean>
        <bean class="de.abc.xyu.zzz.interceptor.RedirectInterceptor" />
    </mvc:interceptors>

    <bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
        <property name="prefix" value="/WEB-INF/pages/" />
        <property name="suffix" value=".jsp" />
        <property name="redirectHttp10Compatible" value="false" />
    </bean>

Debug Log from Spring Security:

    Request received for GET '/admin/login':

    org.apache.catalina.connector.RequestFacade@70ad489

    servletPath:/admin/login
    pathInfo:null
    headers:
    host: localhost:8081
    connection: keep-alive
    cache-control: max-age=0
    user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
    upgrade-insecure-requests: 1
    accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    referer: http://localhost:8081/admin/login
    accept-encoding: gzip, deflate, br
    accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
    cookie: JSESSIONID=AE07684D485DA698F1AA4DFE056D5B3A; JSESSIONID=0819B947A685FE3362F23E39CE999D3B

    Security filter chain: [
      WebAsyncManagerIntegrationFilter
      SecurityContextPersistenceFilter
      HeaderWriterFilter
      CsrfFilter
      LogoutFilter
      RequestCacheAwareFilter
      SecurityContextHolderAwareRequestFilter
      AnonymousAuthenticationFilter
      SessionManagementFilter
      ExceptionTranslationFilter
      FilterSecurityInterceptor
    ]

    [http-nio-8081-exec-1] INFO Spring Security Debugger -

    Request received for GET '/WEB-INF/pages/admin/admin_login.jsp':

    SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.context.HttpSessionSecurityContextRepository$Servlet3SaveToSessionRequestWrapper@2eac9514]

    servletPath:/WEB-INF/pages/admin/admin_login.jsp
    pathInfo:null
    headers:
    host: localhost:8081
    connection: keep-alive
    cache-control: max-age=0
    user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
    upgrade-insecure-requests: 1
    accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    referer: http://localhost:8081/admin/login
    accept-encoding: gzip, deflate, br
    accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
    cookie: JSESSIONID=AE07684D485DA698F1AA4DFE056D5B3A; JSESSIONID=0819B947A685FE3362F23E39CE999D3B

    Security filter chain: [] empty (bypassed by security='none')

Why is the request pointing to its physical path under /WEB-INF/pages/login.jsp instead of its resolved path, and how can we get the "correct" URI?

1 Answer

Eventually this worked for me:

    final ServletRequestAttributes servletRequestAttributes =
            (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();

    System.out.println("REQUEST URI: " +
            servletRequestAttributes.getRequest()
                    .getAttribute("javax.servlet.forward.request_uri"));

That gives the real request URI, not its "physical path" under /WEB-INF/.
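The second debug entry in the question is the internal forward to the JSP, which is why getRequestURI() returns the /WEB-INF/ path there. The helper below extends the answer's attribute lookup to the ERROR dispatch as well and falls back to getRequestURI() when the request was not forwarded. It is an added example, not code from the original post; the class name OriginalUriInterceptor and the attribute name example.originalRequestUri are hypothetical.

```java
import javax.servlet.DispatcherType;
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

// Added example: OriginalUriInterceptor and ORIGINAL_URI_ATTR are hypothetical names.
public class OriginalUriInterceptor extends HandlerInterceptorAdapter {

    static final String ORIGINAL_URI_ATTR = "example.originalRequestUri";

    /**
     * URI the client requested, independent of the current dispatch.
     * FORWARD and ERROR dispatches change getRequestURI() to the target
     * resource (here the JSP under /WEB-INF/) and keep the original in a
     * request attribute. Other dispatch types fall back to getRequestURI().
     */
    static String originalRequestUri(HttpServletRequest request) {
        String attributeName = null;
        DispatcherType type = request.getDispatcherType();
        if (type == DispatcherType.FORWARD) {
            // "javax.servlet.forward.request_uri", the attribute used in the answer
            attributeName = RequestDispatcher.FORWARD_REQUEST_URI;
        } else if (type == DispatcherType.ERROR) {
            attributeName = RequestDispatcher.ERROR_REQUEST_URI;
        }
        Object original = attributeName == null ? null : request.getAttribute(attributeName);
        // Fall back when the attribute is missing or is not a String.
        return original instanceof String ? (String) original : request.getRequestURI();
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        String uri = originalRequestUri(request);
        // The container does not decode this value; validate it before
        // reusing it, for example as a redirect target.
        request.setAttribute(ORIGINAL_URI_ATTR, uri);
        return true;
    }
}
```

Spring's UrlPathHelper.getOriginatingRequestUri(request) performs a similar lookup for forwarded requests.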
