我有Spring Boot 2一些控制器的应用程序。
我想添加Spring Security 一些URL,仅允许经过身份验证的用户使用,而其他URL应该可供所有人使用。
但是,当我用于WebSecurityConfigurerAdapter配置每个URL的安全性时,“ / login”和“ / error”的自动生成页面消失了。
如果我尝试添加最简单的可能配置,那么它将起作用并保护所有网址:
application.yml
spring:
security:
user:
name: "admin"
password: "1234"
roles: "ADMIN"
pom.xml:
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
</dependencies>
并且所有操作都会将我重定向到/login带有登录表单的页面,直到我使用配置的凭据登录为止。
但是,如果我添加一个配置类来自定义行为,则似乎缺少默认的登录表单,而我一直在获取/error页面,因为没有这样的资源/login:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("admin").password("1234").roles("ADMIN");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/private").hasRole("ADMIN")
.antMatchers("/public").permitAll()
.antMatchers("/", "/login", "/logout", "/error").permitAll()
.antMatchers("/**").denyAll();
}
}
以下是一些调试日志(为便于阅读,省略了其余日志):
DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@e4de2840: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
...
DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login'; against '/login'
DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /login; Attributes: [permitAll]
DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@e4de2840: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@2a3c0a9c, returned: 1
DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Authorization successful
DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - RunAsManager did not change Authentication object
DEBUG o.s.security.web.FilterChainProxy - /login reached end of additional filter chain; proceeding with original chain
DEBUG o.s.web.servlet.DispatcherServlet - GET "/login", parameters={}
DEBUG o.s.w.s.h.SimpleUrlHandlerMapping - Mapped to ResourceHttpRequestHandler ["classpath:/META-INF/resources/", "classpath:/resources/", "classpath:/static/", "classpath:/public/", "/"]
DEBUG o.s.o.j.s.OpenEntityManagerInViewInterceptor - Opening JPA EntityManager in OpenEntityManagerInViewInterceptor
DEBUG o.s.w.s.r.ResourceHttpRequestHandler - Resource not found
DEBUG o.s.s.w.h.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@27581ee6
DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
DEBUG o.s.o.j.s.OpenEntityManagerInViewInterceptor - Closing JPA EntityManager in OpenEntityManagerInViewInterceptor
DEBUG o.s.web.servlet.DispatcherServlet - Completed 404 NOT_FOUND
DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG o.s.security.web.FilterChainProxy - /error at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
...
DEBUG o.s.security.web.FilterChainProxy - /error reached end of additional filter chain; proceeding with original chain
DEBUG o.s.web.servlet.DispatcherServlet - "ERROR" dispatch for GET "/error", parameters={}
DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
DEBUG o.s.o.j.s.OpenEntityManagerInViewInterceptor - Opening JPA EntityManager in OpenEntityManagerInViewInterceptor
DEBUG o.s.w.s.v.ContentNegotiatingViewResolver - Selected 'text/html' given [text/html, text/html;q=0.8]
DEBUG o.s.o.j.s.OpenEntityManagerInViewInterceptor - Closing JPA EntityManager in OpenEntityManagerInViewInterceptor
DEBUG o.s.web.servlet.DispatcherServlet - Exiting from "ERROR" dispatch, status 404
DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
最后,我在浏览器中看到错误页面,说也没有/error页面。
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Tue Jan 21 14:53:17 CET 2020
There was an unexpected error (type=Not Found, status=404).
Not Found
由于某些原因,当我使用WebSecurityConfigurerAdapter配置类时,“ / login”和“ / error”的自动生成的页面会消失。他们去哪了?
而且,这Previously Authenticated:对我来说似乎很可疑,因为这是一个全新的应用程序开始。但是,如果我尝试使用禁用匿名用户http.anonymous().disable(),则对于任何网址,我都会开始收到403错误。可以关联吗?
您不见了: .formLogin().loginPage("/login")
就像是:
http
.authorizeRequests()
.antMatchers("/private").hasRole("ADMIN")
.antMatchers("/public").permitAll()
.antMatchers("/", "/login", "/logout", "/error").permitAll()
.antMatchers("/**").denyAll()
.and().formLogin().loginPage("/login");
本文收集自互联网,转载请注明来源。
如有侵权,请联系 [email protected] 删除。
我来说两句