У нас есть веб-приложение, которое построено на платформе Spring и использует Tomcat в качестве контейнера сервлета. У нас настроен SSL-сертификат, однако наш веб-сайт не может подключиться к HTTPS. После некоторых проб и ошибок я смог сделать вывод, что причина, по которой сайт не открывался в HTTPS, была связана с этим springSecurityFilterChain, объявленным в web.xml.
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Когда весь блок <filter-mapping> закомментирован или в строке <url-pattern> указано что-то, кроме каждого URL (например, <url-pattern>/myuser/*</url-pattern>), HTTPS откроется без проблем. Мне было интересно, почему springSecurityFilterChain напрямую препятствует открытию веб-сайта в HTTPS и может ли он быть настроен таким образом, чтобы это можно было сделать без полного удаления цепочки фильтров. Вот файл applicationContext-spring-security.xml.
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.2.xsd">
<sec:http access-denied-page="/myciteseer/accessDenied.jsp" session-fixation-protection="none">
<sec:intercept-url pattern="/myciteseer/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
<sec:intercept-url pattern="/capcha.jsp" requires-channel="https"/>
<sec:intercept-url pattern="/j_spring_security_check" requires-channel="https"/>
<sec:intercept-url pattern="/myciteseer/action/changepassword" requires-channel="https"/>
<sec:intercept-url pattern="/mcsutils/newaccount" requires-channel="https"/>
<sec:intercept-url pattern="/index" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/oai2**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/new**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/search**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/advanced_search" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/forgotaccount" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/privacy" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/submit" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/showciting" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/viewdoc/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/viewauth/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/authmerge" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/stats/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/healthcheck" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/metacart" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/help/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/about/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/citecharts/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/feedback" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/myciteseer/accessdenied.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/mcsutils/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/favicon.ico" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/robots.txt" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/legacymapper" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/icons/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/js/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/dwr/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/messages/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/search_plugins/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/captcha.jpg" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/sitemap*.xml" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/sitemap_index.xml" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" requires-channel="http"/>
<!-- Port Mappers -->
<sec:port-mappings>
<sec:port-mapping http="80" https="443"/>
<sec:port-mapping http="8080" https="8443"/>
</sec:port-mappings>
<!-- Login Page -->
<sec:form-login
always-use-default-target="false"
authentication-failure-url="/myciteseer/login?login_error=1"
default-target-url="/myciteseer/action/accountHome"
login-page="/myciteseer/login"
login-processing-url="/j_spring_security_check"/>
<!-- Anonymous filter -->
<sec:anonymous
granted-authority="ROLE_ANONYMOUS"
key="changeThis"
username="anonymousUser"/>
<!-- Remember Me Service/filter -->
<sec:remember-me
user-service-ref="myCiteSeer"
key="changeThis"/>
<!-- Log out filter -->
<sec:logout
invalidate-session="true"
logout-success-url="/index.jsp"
logout-url="/j_spring_security_logout"/>
</sec:http>
<!--
- Authentication Manager Alias to be referenced by other beans
-->
<sec:authentication-manager alias="authenticationManager"/>
<!--
- Authentication Providers.
-->
<!-- A daoAuthenticationProvider is created by default -->
<sec:authentication-provider user-service-ref="myCiteSeer">
<sec:password-encoder ref="passwordEncoder">
<sec:salt-source user-property="username"/>
</sec:password-encoder>
</sec:authentication-provider>
<!--
- Password encoder and SaltSource beans
- This beans can be declared within the authentication-provider
- but we reference then in custom beans for this reason they are
- declared here and referenced by the namespace.
- TODO: find out if it is possible to declare these beans within the
- authentication manager and reference them in custom beans.
-->
<bean id="passwordEncoder" class="org.springframework.security.providers.encoding.ShaPasswordEncoder">
<constructor-arg value="256"/>
<property name="encodeHashAsBase64" value="true"/>
</bean>
<bean id="saltSource" class="org.springframework.security.providers.dao.salt.ReflectionSaltSource">
<property name="userPropertyToUse" value="getUsername"/>
</bean>
<!--
- Automatically receives AuthenticationEvent messages.
- This bean is optional; it isn't used by any other bean as it only listens and logs
-->
<bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>
</beans>