Java Spring security 不允许加载 CSS 或 JS 资源
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/25368535/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring security does not allow CSS or JS resources to be loaded
提问by Junjie
The resource is under src/main/resources/static/css or src/main/resources/static/js, I'm using spring boot, and the class of security is:
资源在src/main/resources/static/css或者src/main/resources/static/js下,我用的是spring boot,安全等级是:
@Configuration
@EnableWebMvcSecurity
@EnableGlobalAuthentication
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
// http.authorizeRequests().antMatchers("/", "/index", "/quizStart")
// .permitAll().anyRequest().authenticated();
// http.formLogin().loginPage("/login").permitAll().and().logout()
// .permitAll();
}
@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.inMemoryAuthentication().withUser("test").password("test")
.roles("USER");
}
}
It works well (resources can be loaded) when I access "/index" from browser, however, if I uncomment the four lines in the class, resources can not be loaded, the four lines means:
当我从浏览器访问“/index”时它运行良好(可以加载资源),但是,如果我取消注释类中的四行,则无法加载资源,这四行表示:
http.authorizeRequests().antMatchers("/", "/index", "/quizStart")
.permitAll().anyRequest().authenticated();
http.formLogin().loginPage("/login").permitAll().and().logout()
.permitAll();
Could anyone help with this ? Thanks in advance.
有人可以帮忙吗?提前致谢。
采纳答案by John Humphreys - w00te
You probably want to make sure to have your directory containing those items set as permitAll.
您可能希望确保将包含这些项目的目录设置为 permitAll。
Here's an excerpt from my spring security context file. Under the resources directory, I have js, css, and images folders which are given permissions by this line.
这是我的 spring 安全上下文文件的摘录。在资源目录下,我有 js、css 和 images 文件夹,这些文件夹由这一行授予权限。
<security:intercept-url pattern="/resources/**" access="permitAll" />
回答by JohnP
I had the same problem and changing access to "permitAll" didn't help. I created a new http pattern where I set security to "none" and then I was able to download the css and js files without authentication.
我遇到了同样的问题,更改对“permitAll”的访问没有帮助。我创建了一个新的 http 模式,将安全性设置为“无”,然后无需身份验证即可下载 css 和 js 文件。
<http pattern="/resources/**" security="none" />
回答by Sande
For some reason, this did not work for me:
出于某种原因,这对我不起作用:
http.authorizeRequests().antMatchers("/resources/**").permitAll();
I had to add this:
我不得不添加这个:
http.authorizeRequests().antMatchers("/resources/**").permitAll().anyRequest().permitAll();
Also, this line has to be after the code which restrics access.
此外,这一行必须在限制访问的代码之后。
回答by Shahriar
This finally worked for me. The /home (which will bring up the login page) and error messages do not need authentication. All the resources are permitAll, and the /main url is authenticated. Any other url (eg. /users /customers etc..) would need to be added as isAuthenticated()
这最终对我有用。/home(将显示登录页面)和错误消息不需要身份验证。所有资源都是permitAll,/main url是经过认证的。任何其他 url(例如 /users /customers 等)都需要添加为 isAuthenticated()
<security:intercept-url pattern="/home" access="isAnonymous()"/>
<security:intercept-url pattern="/error*" access="isAnonymous()"/>
<security:intercept-url pattern="/main" access="isAuthenticated()"/>
<security:intercept-url pattern="/css/**" access="permitAll" />
<security:intercept-url pattern="/js/**" access="permitAll" />
<security:intercept-url pattern="/fonts/**" access="permitAll" />
<security:intercept-url pattern="/images/**" access="permitAll" />
回答by Yogesh Bombe
Add following
添加以下内容
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/resources/**").anyRequest();
}
回答by Om Sharma
you can also use directly like "/*.js" for specific file or "/resources/**" for directory
您也可以直接使用“/*.js”作为特定文件或“/resources/**”作为目录
http.authorizeRequests()
.antMatchers("/", "/login", "/logout", "/error").permitAll()
.antMatchers("/resources/**").permitAll()
.antMatchers("/*.js").permitAll()
.antMatchers("/api/**").authenticated()
回答by Athena
I had the same problem and the permitAll()solution didn't work for me. I added the following @Overridemethod to my WebSecurityConfigclass.
我遇到了同样的问题,该permitAll()解决方案对我不起作用。我在@Override我的WebSecurityConfig班级中添加了以下方法。
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/resources/**", "/static/**", "/css/**", "/js/**", "/img/**", "/icon/**");
}
Good Luck!
祝你好运!
