WebSecurity
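This class is created by the configuration class WebSecurityConfiguration in order to build the FilterChainProxy, known as the Spring Security filter chain (springSecurityFilterChain). springSecurityFilterChain is the filter that DelegatingFilterProxy delegates to. WebSecurity can be customized by creating a WebSecurityConfigurer or, more likely, by overriding WebSecurityConfigurerAdapter.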
ignoring
public IgnoredRequestConfigurer ignoring() {return ignoredRequestRegistry;}
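Returns an IgnoredRequestConfigurer, which is an inner class.
Typically, the requests registered here should only be requests for static resources. For dynamic requests, consider mapping the request to allow all users instead. In other words, static resources can be added to the ignore list, while dynamic requests that should be open are permitted for all users.
webSecurityBuilder.ignoring().antMatchers("/resources/**", "/static/**");
webSecurityBuilder.ignoring().antMatchers("/resources/**").antMatchers("/static/**");
webSecurityBuilder.ignoring().antMatchers("/resources/**"); webSecurityBuilder.ignoring().antMatchers("/static/**");
All three have the same effect.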
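The following configuration is an added example, not code from the original page or from the Spring Security project. It contrasts ignoring() for static resources with permitAll() for a public dynamic endpoint; requests matched by ignoring() are given no security filters at all. The class name and the /api/public/** pattern are hypothetical, and the example assumes Spring Security 5.x, where WebSecurityConfigurerAdapter and antMatchers are available.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical application config; class name and URL patterns are assumptions.
@Configuration
@EnableWebSecurity
public class AppSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) {
        // Ignored requests get no security filters at all: no SecurityContext,
        // no CSRF check, no security response headers. Static files only.
        web.ignoring().antMatchers("/resources/**", "/static/**");

        // Weak setting, shown for contrast (leave disabled): a dynamic endpoint
        // listed here would run its controller outside every security filter.
        // web.ignoring().antMatchers("/api/public/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Dynamic but public: stays inside the filter chain, so headers,
                // CSRF protection and the SecurityContext still apply.
                .antMatchers("/api/public/**").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```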
httpFirewall
Allows customizing the HttpFirewall. The default is StrictHttpFirewall.
debug
public WebSecurity debug(boolean debugEnabled) {this.debugEnabled = debugEnabled;return this;}
Controls Spring Security's debugging support. When debugEnabled is true, debug support is enabled. The default is false.
addSecurityFilterChainBuilder
public WebSecurity addSecurityFilterChainBuilder(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder) {this.securityFilterChainBuilders.add(securityFilterChainBuilder);return this;}
Adds a builder for a SecurityFilterChain. Typically, this method is invoked automatically within the framework from WebSecurityConfigurerAdapter#init(WebSecurity).
privilegeEvaluator
public WebSecurity privilegeEvaluator(WebInvocationPrivilegeEvaluator privilegeEvaluator) {this.privilegeEvaluator = privilegeEvaluator;return this;}
Sets the WebInvocationPrivilegeEvaluator to use. If this is not specified, a DefaultWebInvocationPrivilegeEvaluator is created when securityInterceptor(FilterSecurityInterceptor) is non-null.
This method exists for further customization.
expressionHandler
public WebSecurity expressionHandler(SecurityExpressionHandler<FilterInvocation> expressionHandler) {Assert.notNull(expressionHandler, "expressionHandler cannot be null");this.expressionHandler = expressionHandler;return this;}
Sets the SecurityExpressionHandler to use. If this is not specified, the default is DefaultWebSecurityExpressionHandler.
securityInterceptor
public WebSecurity securityInterceptor(FilterSecurityInterceptor securityInterceptor) {this.filterSecurityInterceptor = securityInterceptor;return this;}
Sets the FilterSecurityInterceptor. This is typically invoked by WebSecurityConfigurerAdapter. This method exists for further customization.
postBuildAction
public WebSecurity postBuildAction(Runnable postBuildAction) {this.postBuildAction = postBuildAction;return this;}
Executes the Runnable immediately after the build takes place.
setApplicationContext
public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
    this.defaultWebSecurityExpressionHandler.setApplicationContext(applicationContext);
    try {
        this.defaultWebSecurityExpressionHandler.setRoleHierarchy(applicationContext.getBean(RoleHierarchy.class));
    } catch (NoSuchBeanDefinitionException e) {
        // no RoleHierarchy bean defined; nothing is set on the handler
    }
    try {
        this.defaultWebSecurityExpressionHandler.setPermissionEvaluator(applicationContext.getBean(PermissionEvaluator.class));
    } catch (NoSuchBeanDefinitionException e) {
        // no PermissionEvaluator bean defined; nothing is set on the handler
    }
    this.ignoredRequestRegistry = new IgnoredRequestConfigurer(applicationContext);
    try {
        this.httpFirewall = applicationContext.getBean(HttpFirewall.class);
    } catch (NoSuchBeanDefinitionException e) {
        // no HttpFirewall bean defined; httpFirewall keeps its current value
    }
}
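This method is inherited from the ApplicationContextAware interface.
Sets the ApplicationContext that this object runs in. Normally this call is used to initialize the object.
It is invoked after normal bean properties have been populated, but before an initialization callback such as org.springframework.beans.factory.InitializingBean#afterPropertiesSet() or a custom init-method.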