java - Spring Boot Security:适用于 Windows,但不适用于 Docker/Alpine
问题描述
我有一个庞大的、遗留的定制 CMS,需要移植到 Docker。它最初在 Tomcat 6 / Ubuntu 14 中作为 WAR 部署,但我(非常耐心)设法让这个东西作为独立 JAR 运行(根据公司要求)。代码(与所有遗留项目一样)丑陋且笨拙。
这在我的 Windows 机器上运行良好(足够好):
mvn clean install && java -jar target/appname-1.0.12-SNAPSHOT.jar --spring.profiles.active=qa
这让我运行了一个实例,如果我在我的浏览器中加载,它会授予我对多个页面的未经授权的访问权限,并且需要其他人登录。基本上是一个功能齐全的版本。
我在 Alpine 上看到的症状(以及在 OSX 上的简短运行)如下:
- Spring Boot 执行器端点按预期工作(在文件夹下
/actuator
) - 已明确列入白名单的任何其他端点都会给出 404。
- 所有未列入白名单的端点 302 都按预期重定向到登录页面,但它本身给出了 404 未找到。
我将发布整个 POM(已编辑部分)和整个扩展类WebSecurityConfigurerAdapter
,即使它们很长 - 我为此道歉,但可能是更清晰的眼睛会发现一些明显的东西。
主应用程序类很空,它用@SpringBootApplication
和注释@ComponentScan
扩展 WebSecurityConfigurerAdapter 的类:
package com.REDACTED.app.config;
import com.REDACTED.app.authentication.AjaxAwareLoginUrlAuthenticationEntryPoint;
import com.REDACTED.app.authentication.CmsPermissionEvaluator;
import com.REDACTED.app.authentication.REDACTEDRedeemAuthenticationProvider;
import com.REDACTED.app.authentication.REDACTEDRetrievalFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration
.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.authentication.*;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
public static final String LOGIN = "/login";
public static final String LOGOUT = "/logout";
public static final String DEFAULT_TARGET_URL = "/";
public static final String DEFAULT_FAILURE_URL = "/login?login_error=true";
public static final String[] allowedPaths =
new String[] {"/login**", "/assets/**", "/REDACTED_security_check**", "/connect",
"/error/**", "/resources/**", "/status**", "/server**", "/404.html", "/actuator/**"
};
// INFO [REDACTED] ... hmmm, can this bean be declared in this class AND autowired here?? Why, yes. Yes it can.
// It does seem a little dodgy.
@Autowired
private LoginUrlAuthenticationEntryPoint loginUrlAuthenticationEntryPoint;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(allowedPaths)
.permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage(LOGIN)
.failureUrl(DEFAULT_FAILURE_URL)
.and()
.logout()
.invalidateHttpSession(true)
.logoutUrl(LOGOUT)
.logoutSuccessUrl(DEFAULT_TARGET_URL).permitAll()
.and()
.exceptionHandling().accessDeniedPage("/error/403")
.and()
.csrf().disable();
http.httpBasic()
.authenticationEntryPoint(loginUrlAuthenticationEntryPoint);
super.configure(http);
}
@Bean
AjaxAwareLoginUrlAuthenticationEntryPoint loginUrlAuthenticationEntryPoint() {
return new AjaxAwareLoginUrlAuthenticationEntryPoint(LOGIN);
}
@Bean
REDACTEDRedeemAuthenticationProvider connectAuthenticationProvider() {
return new REDACTEDRedeemAuthenticationProvider();
}
@Bean
REDACTEDRetrievalFilter REDACTEDRetrievalFilter(
AuthenticationManager authenticationManager, AuthenticationFailureHandler failureHandler,
AuthenticationSuccessHandler successHandler) {
REDACTEDRetrievalFilter ctrf = new REDACTEDRetrievalFilter();
ctrf.setAuthenticationManager(authenticationManager);
ctrf.setAuthenticationFailureHandler(failureHandler);
ctrf.setAuthenticationSuccessHandler(successHandler);
return ctrf;
}
@Bean
SavedRequestAwareAuthenticationSuccessHandler successHandler() {
SavedRequestAwareAuthenticationSuccessHandler sh =
new SavedRequestAwareAuthenticationSuccessHandler();
sh.setDefaultTargetUrl(DEFAULT_TARGET_URL);
return sh;
}
@Bean
SimpleUrlAuthenticationFailureHandler failureHandler() {
SimpleUrlAuthenticationFailureHandler fh = new SimpleUrlAuthenticationFailureHandler();
fh.setDefaultFailureUrl(DEFAULT_FAILURE_URL);
return fh;
}
@Bean
DefaultMethodSecurityExpressionHandler expressionHandler(
PermissionEvaluator permissionEvaluator) {
DefaultMethodSecurityExpressionHandler eh = new DefaultMethodSecurityExpressionHandler();
eh.setPermissionEvaluator(permissionEvaluator);
return eh;
}
@Bean
DefaultWebSecurityExpressionHandler webExpressionHandler(
PermissionEvaluator permissionEvaluator) {
DefaultWebSecurityExpressionHandler wh = new DefaultWebSecurityExpressionHandler();
wh.setPermissionEvaluator(permissionEvaluator);
return wh;
}
@Bean
CmsPermissionEvaluator permissionEvaluator() {
return new CmsPermissionEvaluator();
}
}
聚甲醛
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.REDACTED.app</groupId>
<artifactId>REDACTED</artifactId>
<version>1.0.13-SNAPSHOT</version>
<packaging>jar</packaging>
<name>REDACTED</name>
<description>REDACTED : CMS</description>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<!--
WARNING: updating the version any higher than 1.5.2.RELEASE WILL cause code issues.
Only do this if you have LOTS of time to chase version-dependent bugs.
-->
<version>1.5.2.RELEASE</version>
</parent>
<scm>
<url>https://bitbucket.org/REDACTED</url>
<connection>scm:git:ssh://git@bitbucket.org/REDACTED.git</connection>
<tag>REDACTED-1.0.6</tag>
</scm>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jersey</artifactId>
</dependency>
<!-- JSTL for JSP -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
</dependency>
<!-- Need this to compile JSP -->
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-jasper</artifactId>
</dependency>
<!-- Apache Commons -->
<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>1.11</version>
</dependency>
<dependency>
<groupId>commons-net</groupId>
<artifactId>commons-net</artifactId>
<version>3.3</version>
</dependency>
<!-- File Download -->
<dependency>
<groupId>commons-httpclient</groupId>
<artifactId>commons-httpclient</artifactId>
<version>3.1</version>
</dependency>
<!-- File Upload -->
<dependency>
<groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
<version>1.3.1</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.0.1</version>
</dependency>
<!-- G.E.L.F Apender -->
<dependency>
<groupId>org.realityforge.gelf4j</groupId>
<artifactId>gelf4j</artifactId>
<version>1.8</version>
<scope>runtime</scope>
<exclusions>
<exclusion>
<artifactId>log4j</artifactId>
<groupId>log4j</groupId>
</exclusion>
</exclusions>
</dependency>
<!-- WS.RS -->
<dependency>
<groupId>javax.ws.rs</groupId>
<artifactId>javax.ws.rs-api</artifactId>
<version>2.0</version>
</dependency>
<!-- Jackson JSON Processor -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.8.3</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-xml</artifactId>
<version>2.8.3</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.datatype</groupId>
<artifactId>jackson-datatype-joda</artifactId>
<version>2.8.3</version>
</dependency>
<dependency>
<artifactId>jackson-jaxrs-base</artifactId>
<groupId>com.fasterxml.jackson.jaxrs</groupId>
<version>2.8.3</version>
</dependency>
<dependency>
<artifactId>jackson-jaxrs-json-provider</artifactId>
<groupId>com.fasterxml.jackson.jaxrs</groupId>
<version>2.8.3</version>
</dependency>
<dependency>
<artifactId>jackson-annotations</artifactId>
<groupId>com.fasterxml.jackson.core</groupId>
<version>2.8.3</version>
</dependency>
<!-- Janino -->
<dependency>
<groupId>org.codehaus.janino</groupId>
<artifactId>janino</artifactId>
<version>${janino.version}</version>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.core</groupId>
<artifactId>jersey-common</artifactId>
<version>2.17</version>
<exclusions>
<exclusion>
<artifactId>javax.inject</artifactId>
<groupId>org.glassfish.hk2.external</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.core</groupId>
<artifactId>jersey-client</artifactId>
<version>2.17</version>
<exclusions>
<exclusion>
<artifactId>javax.inject</artifactId>
<groupId>org.glassfish.hk2.external</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.media</groupId>
<artifactId>jersey-media-json-jackson</artifactId>
<version>2.17</version>
<exclusions>
<exclusion>
<artifactId>javax.inject</artifactId>
<groupId>org.glassfish.hk2.external</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.media</groupId>
<artifactId>jersey-media-multipart</artifactId>
<version>2.17</version>
</dependency>
<!-- Joda Time -->
<dependency>
<groupId>joda-time</groupId>
<artifactId>joda-time</artifactId>
<version>2.3</version>
</dependency>
<!-- JSR 330 -->
<dependency>
<groupId>javax.inject</groupId>
<artifactId>javax.inject</artifactId>
<version>1</version>
</dependency>
<!-- CACHING -->
<dependency>
<groupId>net.sf.ehcache</groupId>
<artifactId>ehcache-core</artifactId>
<version>2.6.8</version>
</dependency>
<!-- Security -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
</dependency>
<!-- Test -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.easymock</groupId>
<artifactId>easymock</artifactId>
<version>3.6</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<!-- Spring boot -->
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<addResources>true</addResources>
<executable>true</executable>
<mainClass>com.dstvo.app.REDACTEDApplication</mainClass>
<additionalProperties>
<!-- for Spring actuator /info endpoint -->
<info.build.artifact>${project.artifactId}</info.build.artifact>
<info.build.version>${project.version}}</info.build.version>
</additionalProperties>
</configuration>
<executions>
<execution>
<goals>
<goal>repackage</goal>
</goals>
<configuration>
<mainClass>
com.dstvo.app.REDACTEDApplication
</mainClass>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-resources-plugin</artifactId>
<version>2.7</version>
<configuration>
<delimiters>
<delimiter>@</delimiter>
</delimiters>
<useDefaultDelimiters>false</useDefaultDelimiters>
</configuration>
</plugin>
<plugin>
<artifactId>maven-release-plugin</artifactId>
<version>2.4.2</version>
<dependencies>
<dependency>
<groupId>org.apache.maven.scm</groupId>
<artifactId>maven-scm-provider-gitexe</artifactId>
<version>1.8.1</version>
</dependency>
</dependencies>
</plugin>
</plugins>
<resources>
<resource>
<directory>src/main/webapp</directory>
</resource>
<!--
Something (?) is preventing spring-boot-starter-parent from passing the
project.version and project.artifactId to application.properties, this (and the
maven-resources-plugin above) is a workaround.
-->
<resource>
<directory>${basedir}/src/main/resources</directory>
<filtering>true</filtering>
<includes>
<include>**/application*.properties</include>
</includes>
</resource>
</resources>
</build>
<distributionManagement>
<repository>
<id>nexus</id>
<name>Releases</name>
<url>http://REDACTED/releases</url>
<uniqueVersion>false</uniqueVersion>
<layout>default</layout>
</repository>
<snapshotRepository>
<id>nexus</id>
<name>Snapshots</name>
<url>http://REDACTED/snapshots</url>
<uniqueVersion>false</uniqueVersion>
<layout>default</layout>
</snapshotRepository>
</distributionManagement>
</project>
最后是application.properties;还有一个 application-qa.properties 但它所做的只是列出大量用于远程 REST 调用的 URL。
spring.profiles.include=${spring.profiles.active}_monitoring
spring.mvc.view.prefix=/WEB-INF/pages/
spring.mvc.view.suffix=.jsp
spring.mvc.throw-exception-if-no-handler-found=true
#spring.resources.add-mappings=false
spring.jersey.type=filter
server.port=8080
server.error.whitelabel.enabled=true
# Actuators
management.context-path=/actuator
# for /info endpoint
info.build.artifact=@project.artifactId@
info.build.version=@project.version@
REDACTED.menuinterceptor.skip=false
我的怀疑是,它Jersey
的WebSecurityConfig
播放效果并不好,但这并不能解释它在 Windows 上的工作原理。
FWIW,这是调用非白名单 URL 的结果(即,它需要身份验证):
9/17/2018 12:45:54 PMPrincipal anonymousUser - AUTHORIZATION_FAILURE
9/17/2018 12:45:54 PM2018-09-17 10:45:54.464 INFO 1 --- [nio-8080-exec-9] c.d.a.a.LoginAttemptsLogger : * Remote IP address: 10.10.10.94
9/17/2018 12:45:54 PM2018-09-17 10:45:54.464 INFO 1 --- [nio-8080-exec-9] c.d.a.a.LoginAttemptsLogger : * Session Id: null
9/17/2018 12:45:54 PM2018-09-17 10:45:54.465 INFO 1 --- [nio-8080-exec-9] c.d.a.a.LoginAttemptsLogger : * Request URL: /doesnt-exist
对该页面的调用/login
不会在 Rancher 中为该 Docker 实例生成任何日志。
解决方案
推荐阅读
- java - 如何返回对调用函数的响应?(Android-App 通过 JSON 调用 Java REST-Server)
- php - 如何对数组元素基特定字符进行分组和排序
- firebase - 使用 FieldValue.serverTimestamp 和 Date.now 的区别
- javascript - 如果我在密码字段中添加 # 作为模式,如何禁用提交按钮
- java - 是否可以仅使用用户名和密码使用 GMail API 发送电子邮件?
- java - 如何从 NETBEANS 中的 jButton 生成的代码中删除 actionlistener
- python - 创建一个新变量,对不同范围内的值进行平均
- ios - 如何在自定义区域中创建 CKRecord 而无需指定记录名称?
- .net-core - 如何将“dotnet publish”与 pubxml 文件一起使用?
- angular7 - Angular 7:如何在 ts 文件中隐藏模式?