I am using Spring Boot (1.2.6) and Spring Security (4.0.2).
My security configuration looks like this:
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;

@Configuration
@ConditionalOnWebApplication
@Profile("!integTest")
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@EnableWebSecurity
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 60 * 60 * 24 * 30)
class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    public static final String[] PROTECTED_RESOURCES = new String[] { "/user/abc" };

    /*
     * (non-Javadoc)
     *
     * @see org.springframework.security.config.annotation.web.configuration.
     * WebSecurityConfigurerAdapter#configure(org.springframework.security.
     * config.annotation.web.builders.HttpSecurity)
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers(PROTECTED_RESOURCES)
                    .hasRole("USER")
                .anyRequest()
                    .permitAll()
            .and()
            .anonymous().disable();
    }
}
However, when an anonymous user accesses a protected resource (/user/abc), the Spring Security framework responds with 403 (Access Denied).
I would like to know how to configure Spring to respond with an HTTP 401 code when an anonymous user accesses a protected URL.
Below is the log after setting ExceptionTranslationFilter to DEBUG level.
2015-11-20 10:59:07.406 DEBUG 14542 --- [nio-8000-exec-1] o.s.web.servlet.DispatcherServlet : Initializing servlet 'dispatcherServlet'
2015-11-20 10:59:07.410 INFO 14542 --- [nio-8000-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring FrameworkServlet 'dispatcherServlet'
2015-11-20 10:59:07.411 INFO 14542 --- [nio-8000-exec-1] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization started
2015-11-20 10:59:07.412 DEBUG 14542 --- [nio-8000-exec-1] o.s.web.servlet.DispatcherServlet : Using MultipartResolver [org.springframework.web.multipart.support.StandardServletMultipartResolver@29e7e0b6]
2015-11-20 10:59:07.424 DEBUG 14542 --- [nio-8000-exec-1] o.s.web.servlet.DispatcherServlet : Unable to locate LocaleResolver with name 'localeResolver': using default [org.springframework.web.servlet.i18n.AcceptHeaderLocaleResolver@bf0f97a]
2015-11-20 10:59:07.434 DEBUG 14542 --- [nio-8000-exec-1] o.s.web.servlet.DispatcherServlet : Unable to locate ThemeResolver with name 'themeResolver': using default [org.springframework.web.servlet.theme.FixedThemeResolver@1189d7ae]
2015-11-20 10:59:07.453 DEBUG 14542 --- [nio-8000-exec-1] o.s.web.servlet.DispatcherServlet : Unable to locate RequestToViewNameTranslator with name 'viewNameTranslator': using default [org.springframework.web.servlet.view.DefaultRequestToViewNameTranslator@859e51c]
2015-11-20 10:59:07.466 DEBUG 14542 --- [nio-8000-exec-1] o.s.web.servlet.DispatcherServlet : Unable to locate FlashMapManager with name 'flashMapManager': using default [org.springframework.web.servlet.support.SessionFlashMapManager@18f8476f]
2015-11-20 10:59:07.466 DEBUG 14542 --- [nio-8000-exec-1] o.s.web.servlet.DispatcherServlet : Published WebApplicationContext of servlet 'dispatcherServlet' as ServletContext attribute with name [org.springframework.web.servlet.FrameworkServlet.CONTEXT.dispatcherServlet]
2015-11-20 10:59:07.466 INFO 14542 --- [nio-8000-exec-1] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization completed in 55 ms
2015-11-20 10:59:07.466 DEBUG 14542 --- [nio-8000-exec-1] o.s.web.servlet.DispatcherServlet : Servlet 'dispatcherServlet' configured successfully
2015-11-20 10:59:07.496 DEBUG 14542 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : /user/momentStats at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-11-20 10:59:07.497 DEBUG 14542 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : /user/momentStats at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-11-20 10:59:07.498 DEBUG 14542 --- [nio-8000-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2015-11-20 10:59:07.498 DEBUG 14542 --- [nio-8000-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2015-11-20 10:59:07.518 DEBUG 14542 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : /user/momentStats at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2015-11-20 10:59:07.519 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@96c224
2015-11-20 10:59:07.519 DEBUG 14542 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : /user/momentStats at position 4 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
2015-11-20 10:59:07.519 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/momentstats'; against '/logout'
2015-11-20 10:59:07.520 DEBUG 14542 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : /user/momentStats at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2015-11-20 10:59:07.522 DEBUG 14542 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : /user/momentStats at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2015-11-20 10:59:07.524 DEBUG 14542 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : /user/momentStats at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2015-11-20 10:59:07.532 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2015-11-20 10:59:07.532 DEBUG 14542 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : /user/momentStats at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
2015-11-20 10:59:07.532 DEBUG 14542 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : /user/momentStats at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2015-11-20 10:59:07.532 DEBUG 14542 --- [nio-8000-exec-1] o.s.security.web.FilterChainProxy : /user/momentStats at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2015-11-20 10:59:07.533 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/momentstats'; against '/art/**/making'
2015-11-20 10:59:07.533 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/momentstats'; against '/orders/**/payment/wx'
2015-11-20 10:59:07.533 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/momentstats'; against '/user/momentstats'
2015-11-20 10:59:07.534 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /user/momentStats; Attributes: [authenticated]
2015-11-20 10:59:07.534 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2015-11-20 10:59:07.551 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@4d0267b0, returned: -1
2015-11-20 10:59:07.563 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:232)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:122)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:48)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at io.vme.wechat.filter.SimpleCORSFilter.doFilterInternal(SimpleCORSFilter.java:49)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:125)
    at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:65)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:673)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1526)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1482)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
2015-11-20 10:59:07.565 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using NegatedRequestMatcher [requestMatcher=Ant [pattern='/**/favicon.ico']]
2015-11-20 10:59:07.565 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/user/momentstats'; against '/**/favicon.ico'
2015-11-20 10:59:07.565 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.matcher.NegatedRequestMatcher : matches = true
2015-11-20 10:59:07.566 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using NegatedRequestMatcher [requestMatcher=MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@6036ed6e, matchingMediaTypes=[application/json], useEquals=false, ignoredMediaTypes=[*/*]]]
2015-11-20 10:59:07.584 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher : httpRequestMediaTypes=[text/html, application/xhtml+xml, image/webp, application/xml;q=0.9, */*;q=0.8]
2015-11-20 10:59:07.584 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher : Processing text/html
2015-11-20 10:59:07.584 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher : application/json .isCompatibleWith text/html = false
2015-11-20 10:59:07.584 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher : Processing application/xhtml+xml
2015-11-20 10:59:07.584 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher : application/json .isCompatibleWith application/xhtml+xml = false
2015-11-20 10:59:07.584 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher : Processing image/webp
2015-11-20 10:59:07.584 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher : application/json .isCompatibleWith image/webp = false
2015-11-20 10:59:07.584 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher : Processing application/xml;q=0.9
2015-11-20 10:59:07.584 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher : application/json .isCompatibleWith application/xml;q=0.9 = false
2015-11-20 10:59:07.584 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher : Processing */*;q=0.8
2015-11-20 10:59:07.584 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher : Ignoring
2015-11-20 10:59:07.584 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.m.MediaTypeRequestMatcher : Did not match any media types
2015-11-20 10:59:07.584 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.matcher.NegatedRequestMatcher : matches = true
2015-11-20 10:59:07.584 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using NegatedRequestMatcher [requestMatcher=RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]]
2015-11-20 10:59:07.585 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.u.matcher.NegatedRequestMatcher : matches = true
2015-11-20 10:59:07.585 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.util.matcher.AndRequestMatcher : All requestMatchers returned true
2015-11-20 10:59:07.593 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.s.HttpSessionRequestCache : DefaultSavedRequest added to Session: DefaultSavedRequest[http://127.0.0.1:8000/user/momentStats]
2015-11-20 10:59:07.594 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.a.ExceptionTranslationFilter : Calling Authentication entry point.
2015-11-20 10:59:07.595 DEBUG 14542 --- [nio-8000-exec-1] o.s.s.w.a.Http403ForbiddenEntryPoint : Pre-authenticated entry point called. Rejecting access
2015-11-20 10:59:07.595 DEBUG 14542 --- [nio-8000-exec-1] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2015-11-20 10:59:07.772 DEBUG 14542 --- [nio-8000-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2015-11-20 10:59:07.784 DEBUG 14542 --- [nio-8000-exec-1] o.s.web.servlet.DispatcherServlet : DispatcherServlet with name 'dispatcherServlet' processing GET request for [/error]
2015-11-20 10:59:07.787 DEBUG 14542 --- [nio-8000-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Looking up handler method for path /error
2015-11-20 10:59:07.791 DEBUG 14542 --- [nio-8000-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Returning handler method [public io.vme.wechat.model.dto.ErrorDTO io.vme.wechat.controller.VMEErrorHandler.handleError(javax.servlet.http.HttpServletRequest)]
2015-11-20 10:59:07.794 DEBUG 14542 --- [nio-8000-exec-1] o.s.web.servlet.DispatcherServlet : Last-Modified value for [/error] is: -1
2015-11-20 10:59:08.011 DEBUG 14542 --- [nio-8000-exec-1] m.m.a.RequestResponseBodyMethodProcessor : Written [org.springframework.http.converter.json.MappingJacksonValue@663d36b1] as "application/json" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@68a39825]
2015-11-20 10:59:08.011 DEBUG 14542 --- [nio-8000-exec-1] o.s.web.servlet.DispatcherServlet : Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
2015-11-20 10:59:08.011 DEBUG 14542 --- [nio-8000-exec-1] o.s.web.servlet.DispatcherServlet : Successfully completed request
2015-11-20 10:59:08.480 DEBUG 14542 --- [nio-8000-exec-2] o.s.security.web.FilterChainProxy : /favicon.ico at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-11-20 10:59:08.481 DEBUG 14542 --- [nio-8000-exec-2] o.s.security.web.FilterChainProxy : /favicon.ico at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-11-20 10:59:08.493 DEBUG 14542 --- [nio-8000-exec-2] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2015-11-20 10:59:08.494 DEBUG 14542 --- [nio-8000-exec-2] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper$HttpSessionWrapper@5fc0b4a0. A new one will be created.
2015-11-20 10:59:08.494 DEBUG 14542 --- [nio-8000-exec-2] o.s.security.web.FilterChainProxy : /favicon.ico at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2015-11-20 10:59:08.494 DEBUG 14542 --- [nio-8000-exec-2] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@96c224
2015-11-20 10:59:08.494 DEBUG 14542 --- [nio-8000-exec-2] o.s.security.web.FilterChainProxy : /favicon.ico at position 4 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
2015-11-20 10:59:08.494 DEBUG 14542 --- [nio-8000-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/favicon.ico'; against '/logout'
2015-11-20 10:59:08.494 DEBUG 14542 --- [nio-8000-exec-2] o.s.security.web.FilterChainProxy : /favicon.ico at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2015-11-20 10:59:08.494 DEBUG 14542 --- [nio-8000-exec-2] o.s.s.w.s.DefaultSavedRequest : pathInfo: both null (property equals)
2015-11-20 10:59:08.494 DEBUG 14542 --- [nio-8000-exec-2] o.s.s.w.s.DefaultSavedRequest : queryString: both null (property equals)
2015-11-20 10:59:08.495 DEBUG 14542 --- [nio-8000-exec-2] o.s.s.w.s.DefaultSavedRequest : requestURI: arg1=/user/momentStats; arg2=/favicon.ico (property not equals)
2015-11-20 10:59:08.495 DEBUG 14542 --- [nio-8000-exec-2] o.s.s.w.s.HttpSessionRequestCache : saved request doesn't match
2015-11-20 10:59:08.495 DEBUG 14542 --- [nio-8000-exec-2] o.s.security.web.FilterChainProxy : /favicon.ico at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2015-11-20 10:59:08.495 DEBUG 14542 --- [nio-8000-exec-2] o.s.security.web.FilterChainProxy : /favicon.ico at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2015-11-20 10:59:08.495 DEBUG 14542 --- [nio-8000-exec-2] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faba4dc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffed504: RemoteIpAddress: 127.0.0.1; SessionId: e3e46247-a88a-4c60-8574-6579f00d5e9d; Granted Authorities: ROLE_ANONYMOUS'
2015-11-20 10:59:08.495 DEBUG 14542 --- [nio-8000-exec-2] o.s.security.web.FilterChainProxy : /favicon.ico at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
2015-11-20 10:59:08.495 DEBUG 14542 --- [nio-8000-exec-2] o.s.security.web.FilterChainProxy : /favicon.ico at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2015-11-20 10:59:08.495 DEBUG 14542 --- [nio-8000-exec-2] o.s.security.web.FilterChainProxy : /favicon.ico at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2015-11-20 10:59:08.495 DEBUG 14542 --- [nio-8000-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/favicon.ico'; against '/art/**/making'
2015-11-20 10:59:08.495 DEBUG 14542 --- [nio-8000-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/favicon.ico'; against '/orders/**/payment/wx'
2015-11-20 10:59:08.495 DEBUG 14542 --- [nio-8000-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/favicon.ico'; against '/user/momentstats'
2015-11-20 10:59:08.495 DEBUG 14542 --- [nio-8000-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /favicon.ico; Attributes: [permitAll]
2015-11-20 10:59:08.495 DEBUG 14542 --- [nio-8000-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faba4dc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffed504: RemoteIpAddress: 127.0.0.1; SessionId: e3e46247-a88a-4c60-8574-6579f00d5e9d; Granted Authorities: ROLE_ANONYMOUS
2015-11-20 10:59:08.497 DEBUG 14542 --- [nio-8000-exec-2] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@4d0267b0, returned: 1
2015-11-20 10:59:08.497 DEBUG 14542 --- [nio-8000-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2015-11-20 10:59:08.497 DEBUG 14542 --- [nio-8000-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2015-11-20 10:59:08.497 DEBUG 14542 --- [nio-8000-exec-2] o.s.security.web.FilterChainProxy : /favicon.ico reached end of additional filter chain; proceeding with original chain
2015-11-20 10:59:08.497 DEBUG 14542 --- [nio-8000-exec-2] o.s.web.servlet.DispatcherServlet : DispatcherServlet with name 'dispatcherServlet' processing GET request for [/favicon.ico]
2015-11-20 10:59:08.498 DEBUG 14542 --- [nio-8000-exec-2] o.s.w.s.handler.SimpleUrlHandlerMapping : Matching patterns for request [/favicon.ico] are [/**/favicon.ico]
2015-11-20 10:59:08.499 DEBUG 14542 --- [nio-8000-exec-2] o.s.w.s.handler.SimpleUrlHandlerMapping : URI Template variables for request [/favicon.ico] are {}
2015-11-20 10:59:08.500 DEBUG 14542 --- [nio-8000-exec-2] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapping [/favicon.ico] to HandlerExecutionChain with handler [ResourceHttpRequestHandler [locations=[class path resource [META-INF/resources/], class path resource [resources/], class path resource [static/], class path resource [public/], class path resource []], resolvers=[org.springframework.web.servlet.resource.PathResourceResolver@320e179f]]] and 1 interceptor
2015-11-20 10:59:08.501 DEBUG 14542 --- [nio-8000-exec-2] o.s.web.servlet.DispatcherServlet : Last-Modified value for [/favicon.ico] is: -1
2015-11-20 10:59:08.531 DEBUG 14542 --- [nio-8000-exec-2] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2015-11-20 10:59:08.538 DEBUG 14542 --- [nio-8000-exec-2] tRepository$SaveToSessionResponseWrapper : Skip invoking on
2015-11-20 10:59:08.539 DEBUG 14542 --- [nio-8000-exec-2] o.s.web.servlet.DispatcherServlet : Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
2015-11-20 10:59:08.540 DEBUG 14542 --- [nio-8000-exec-2] o.s.web.servlet.DispatcherServlet : Successfully completed request
2015-11-20 10:59:08.541 DEBUG 14542 --- [nio-8000-exec-2] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2015-11-20 10:59:08.542 DEBUG 14542 --- [nio-8000-exec-2] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
If you update your Spring Boot version to 1.3.0.RELEASE you get Http401AuthenticationEntryPoint for free. Configure the authentication entry point in your security configuration like this:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        .authorizeRequests()
            .antMatchers(PROTECTED_RESOURCES)
                .hasRole("USER")
            .anyRequest()
                .permitAll()
        .and()
        .anonymous().disable()
        .exceptionHandling()
            .authenticationEntryPoint(new org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint("headerValue"));
}
And Spring Boot returns HTTP 401:
Status Code: 401 Unauthorized
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: 0
Pragma: no-cache
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
WWW-Authenticate: headerValue
X-Content-Type-Options: nosniff
x-xss-protection: 1; mode=block
In Spring Boot 2, Http401AuthenticationEntryPoint no longer exists; instead, you can use HttpStatusEntryPoint to return a response with the corresponding status:

http
    .exceptionHandling()
        .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
To customize the response based on the exception or the reason for the auth failure, you need to extend AuthenticationEntryPoint.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;

@ControllerAdvice
public class MyAuthenticationEntryPoint implements AuthenticationEntryPoint {

    // Invoked by ExceptionTranslationFilter when an unauthenticated request reaches a protected URL.
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException, ServletException {
        // 401
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication Failed");
    }

    // Handles AccessDeniedException thrown from controllers (authenticated, but missing the required role).
    @ExceptionHandler(value = {AccessDeniedException.class})
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AccessDeniedException accessDeniedException) throws IOException {
        // 403
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "Authorization Failed : " + accessDeniedException.getMessage());
    }

    // Catch-all for any other exception escaping a controller.
    @ExceptionHandler(value = {Exception.class})
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         Exception exception) throws IOException {
        // 500
        response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Internal Server Error : " + exception.getMessage());
    }
}
Register the custom AuthenticationEntryPoint above in SecurityConfig as shown below.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.exceptionHandling()
            .authenticationEntryPoint(new MyAuthenticationEntryPoint());
    }
}
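A MockMvc regression test for the behaviour discussed in this thread, written as an added example (it is not code from any of the answers above). It assumes Spring Boot 2.2+ with spring-boot-starter-test and spring-security-test on the test classpath, a security configuration that protects "/user/abc" with hasRole("USER"), permits every other request and registers new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED) as the authentication entry point, and a controller that answers GET /user/abc (a hypothetical endpoint, named after the question's PROTECTED_RESOURCES).

```java
package com.example.security; // hypothetical package: use your application's own

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

// Assumes the application's SecurityConfig uses HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)
// and that GET /user/abc exists and requires ROLE_USER (both are assumptions of this example).
// @AutoConfigureMockMvc wires springSecurityFilterChain into MockMvc, so the whole filter chain
// seen in the question's DEBUG log (ExceptionTranslationFilter included) runs in these tests.
@SpringBootTest
@AutoConfigureMockMvc
class AnonymousEntryPointTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void anonymousRequestToProtectedResourceIs401() throws Exception {
        // With no entry point configured, this request came back 403 (Http403ForbiddenEntryPoint);
        // with HttpStatusEntryPoint(UNAUTHORIZED) it must be 401.
        mockMvc.perform(get("/user/abc"))
               .andExpect(status().isUnauthorized());
    }

    @Test
    void browserAcceptHeaderDoesNotChangeTheOutcome() throws Exception {
        // The question's log shows the default entry point choosing its behaviour through
        // MediaTypeRequestMatcher on the Accept header; an explicitly configured entry point
        // is used for every request, so the status must not depend on Accept.
        mockMvc.perform(get("/user/abc").accept("text/html"))
               .andExpect(status().isUnauthorized());
    }

    @Test
    @WithMockUser(roles = "USER")
    void userWithRequiredRoleIsAllowed() throws Exception {
        mockMvc.perform(get("/user/abc"))
               .andExpect(status().isOk());
    }

    @Test
    @WithMockUser(roles = "GUEST")
    void authenticatedUserWithoutRoleIs403() throws Exception {
        // Authenticated but not authorized: ExceptionTranslationFilter hands this to the
        // AccessDeniedHandler rather than the entry point, so 403 is the correct status here.
        mockMvc.perform(get("/user/abc"))
               .andExpect(status().isForbidden());
    }
}
```

The last two tests pin the distinction the answers rely on: the entry point only decides the status for unauthenticated callers, while an authenticated caller lacking the role still gets 403 from the AccessDeniedHandler.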
Since you have not configured any authentication (form login, HTTP Basic, etc.), the default AuthenticationEntryPoint is used. See the Spring Security API:

Sets the AuthenticationEntryPoint to be used. If no authenticationEntryPoint(AuthenticationEntryPoint) is specified, then defaultAuthenticationEntryPointFor(AuthenticationEntryPoint, RequestMatcher) will be used. The first AuthenticationEntryPoint will be used as the default if no matches were found. If that is not provided, defaults to Http403ForbiddenEntryPoint.

You can either set an AuthenticationEntryPoint as @ksokol wrote, or configure an authentication mechanism that defines its own AuthenticationEntryPoint.