Spring çerçevesi üzerine kurulmuş ve Tomcat'ı sunucu uygulaması kabı olarak kullanan bir web uygulamamız var. Yapılandırılmış bir SSL sertifikamız var, ancak web sitemiz HTTPS'ye bağlanamıyor. Bazı deneme ve hatalardan sonra, sitenin HTTPS'de açılmamasının sebebinin, bu spring.ecurityml.com'da belirtilen springSecurityFilterChain nedeniyle olduğunu tespit ettim.
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Bütün ne zaman <filter-mapping>
blok yorumlandı veya <url-pattern>
satır, her URL’den başka bir şeye ayarlanmış <url-pattern>/myuser/*</url-pattern>
), HTTPS sorunsuz açılacaktır. SpringSecurityFilterChain'in neden doğrudan web sitesinin HTTPS'de açılmasını engellediğini ve filtre zincirini tamamen çıkarmadan bunu başarabilecek şekilde yapılandırıp yapılandırmayacağını merak ediyordum. İşte applicationContext-spring-security.xml dosyası.
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.2.xsd">
<sec:http access-denied-page="/myciteseer/accessDenied.jsp" session-fixation-protection="none">
<sec:intercept-url pattern="/myciteseer/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
<sec:intercept-url pattern="/capcha.jsp" requires-channel="https"/>
<sec:intercept-url pattern="/j_spring_security_check" requires-channel="https"/>
<sec:intercept-url pattern="/myciteseer/action/changepassword" requires-channel="https"/>
<sec:intercept-url pattern="/mcsutils/newaccount" requires-channel="https"/>
<sec:intercept-url pattern="/index" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/oai2**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/new**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/search**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/advanced_search" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/forgotaccount" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/privacy" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/submit" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/showciting" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/viewdoc/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/viewauth/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/authmerge" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/stats/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/healthcheck" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/metacart" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/help/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/about/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/citecharts/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/feedback" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/myciteseer/accessdenied.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/mcsutils/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/favicon.ico" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/robots.txt" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/legacymapper" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/icons/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/js/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/dwr/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/messages/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/search_plugins/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/captcha.jpg" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/sitemap*.xml" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/sitemap_index.xml" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" requires-channel="http"/>
<!-- Port Mappers -->
<sec:port-mappings>
<sec:port-mapping http="80" https="443"/>
<sec:port-mapping http="8080" https="8443"/>
</sec:port-mappings>
<!-- Login Page -->
<sec:form-login
always-use-default-target="false"
authentication-failure-url="/myciteseer/login?login_error=1"
default-target-url="/myciteseer/action/accountHome"
login-page="/myciteseer/login"
login-processing-url="/j_spring_security_check"/>
<!-- Anonymous filter -->
<sec:anonymous
granted-authority="ROLE_ANONYMOUS"
key="changeThis"
username="anonymousUser"/>
<!-- Remember Me Service/filter -->
<sec:remember-me
user-service-ref="myCiteSeer"
key="changeThis"/>
<!-- Log out filter -->
<sec:logout
invalidate-session="true"
logout-success-url="/index.jsp"
logout-url="/j_spring_security_logout"/>
</sec:http>
<!--
- Authentication Manager Alias to be referenced by other beans
-->
<sec:authentication-manager alias="authenticationManager"/>
<!--
- Authentication Providers.
-->
<!-- A daoAuthenticationProvider is created by default -->
<sec:authentication-provider user-service-ref="myCiteSeer">
<sec:password-encoder ref="passwordEncoder">
<sec:salt-source user-property="username"/>
</sec:password-encoder>
</sec:authentication-provider>
<!--
- Password encoder and SaltSource beans
- This beans can be declared within the authentication-provider
- but we reference then in custom beans for this reason they are
- declared here and referenced by the namespace.
- TODO: find out if it is possible to declare these beans within the
- authentication manager and reference them in custom beans.
-->
<bean id="passwordEncoder" class="org.springframework.security.providers.encoding.ShaPasswordEncoder">
<constructor-arg value="256"/>
<property name="encodeHashAsBase64" value="true"/>
</bean>
<bean id="saltSource" class="org.springframework.security.providers.dao.salt.ReflectionSaltSource">
<property name="userPropertyToUse" value="getUsername"/>
</bean>
<!--
- Automatically receives AuthenticationEvent messages.
- This bean is optional; it isn't used by any other bean as it only listens and logs
-->
<bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>
</beans>