没有上下文根路径的spring-webflux安全性中的白名单端点

Question

我试图白化所有以/health结尾的自定义端点，但在WebFlux Security中，我无法使用正则表达式来匹配所有端点。例如/app/health、/app/meta/health、/app/定制/meta/health、/api/app/定制/meta/health等。在构造SecurityWebFilterChain时，我没有找到任何模式(或regex)来白化这些端点。此外，如果我试图使用regex，也会收到警告。

spring-security '**' patterns are not supported in the middle of patterns and will be rejected in the future. Consider using '*' instead for matching a single path segment.

下面是代码片段

String[] ALLOWED_PATTERNS = {".*/health"};
// String[] ALLOWED_PATTERNS = {"/*/health"};  // allows whitelist /app/health endpoint
// String[] ALLOWED_PATTERNS = {"/*/health", "/*/*/health"};  // need generic way to whitelist all

@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
    return http
        .authorizeExchange()
        .pathMatchers(ALLOWED_PATTERNS).permitAll()
        .anyExchange().authenticated()
         ...
        .build();
}

通过提供antMatchers，我可以在Security (不是反应性/web流量安全)中实现同样的目标。

@Override
public void configure(WebSecurity web) {
   web.ignoring().antMatchers("/**/health");
}

注意:这不是弹簧致动器健康端点，而是自定义的健康端点

。

Answer 1

你可以写你自己的matcher。

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

import java.util.concurrent.ConcurrentMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

@Slf4j
public class RegexRequestMatcher {

    private static final Cache<String, Pattern> CACHE = CacheBuilder.newBuilder().build();
    private static final ConcurrentMap<String, Pattern> PATTERNS = CACHE.asMap();

    public static Mono<ServerWebExchangeMatcher.MatchResult> matches(String regex, ServerWebExchange exchange) {
        return matches(regex, exchange.getRequest().getURI().getPath());
    }

    public static Mono<ServerWebExchangeMatcher.MatchResult> matches(String regex, String uri) {
        Pattern pattern = getPattern(regex);
        Matcher matcher = pattern.matcher(uri);
        boolean matches = matcher.matches();
        return Mono.just(matches)
                .flatMap(m -> m ? ServerWebExchangeMatcher.MatchResult.match() : ServerWebExchangeMatcher.MatchResult.notMatch());
    }

    private static Pattern getPattern(String regex) {
        return PATTERNS.computeIfAbsent(regex, r -> Pattern.compile(r));
    }
}

然后，您可以使用自己的matcher代替pathMatchers。

.matchers(exchange -> RegexRequestMatcher.matches(".*/health", exchange)).permitAll()