Java: security configuration with Spring-boot
Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA licence, cite the original address and author information, and attribute it to the original author (not me): StackOverFlow
原文地址: http://stackoverflow.com/questions/25633477/
Security configuration with Spring-boot
Asked by randominstanceOfLivingThing
I created a Spring Security configuration class for Spring-Boot. My login page has resources: css, js and ico files. The resources are getting denied for security reasons and redirected to the login page each time. Why does EnableWebMVCSecurity not add the Classpath resource location? After changing the code as in the second snippet the Classpath resource location is added. I don't understand what I am missing for the resources in the first code snippet.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
/*
 * Enable Spring Security's web security support and provide the Spring MVC integration.
 * It also extends WebSecurityConfigurerAdapter and overrides a couple of its methods
 * to set some specifics of the web security configuration.
 */
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    /**
     * The configure(HttpSecurity) method defines which URL paths should be
     * secured and which should not.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated();
        // There is a custom "/login" page specified by loginPage(), and everyone
        // is allowed to view it.
        http
            .formLogin()
                .loginPage("/login.html")
                .permitAll()
                .and()
            .logout()
                .permitAll().logoutSuccessUrl("/login.html");
    }

    @Configuration
    protected static class AuthenticationConfiguration extends
            GlobalAuthenticationConfigurerAdapter {
        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            // As for the configure(AuthenticationManagerBuilder) method, it sets up
            // an in-memory user store with a single user. That user is given a
            // username of "user", a password of "password", and a role of "USER".
            auth
                .inMemoryAuthentication()
                    .withUser("[email protected]").password("password").roles("USER");
        }
    }
}
I got this working by changing the code to
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
/*
 * Enable Spring Security's web security support and provide the Spring MVC integration.
 * This class no longer extends WebSecurityConfigurerAdapter itself; it exposes two
 * nested configurers as beans that override a couple of the adapter's methods to set
 * some specifics of the web security configuration.
 */
public class WebSecurityConfig {
    @Bean
    public ApplicationSecurity applicationSecurity() {
        return new ApplicationSecurity();
    }

    @Bean
    public AuthenticationSecurity authenticationSecurity() {
        return new AuthenticationSecurity();
    }

    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated();
            http
                .formLogin()
                    .loginPage("/login.html")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll().logoutSuccessUrl("/login.html");
        }
    }

    @Order(Ordered.HIGHEST_PRECEDENCE + 10)
    protected static class AuthenticationSecurity extends
            GlobalAuthenticationConfigurerAdapter {
        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            // In-memory user store with a single user in the "USER" role.
            auth
                .inMemoryAuthentication()
                    .withUser("[email protected]").password("password").roles("USER");
        }
    }
}
After changing the code I noticed that the ignore paths were added to the filter and I see the following in the logs:
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/css/**'], []
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/js/**'], []
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/images/**'], []
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/**/favicon.ico'], []
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@4e3e0069, org.springframework.security.web.context.SecurityContextPersistenceFilter@3d2dd0cf, org.springframework.security.web.header.HeaderWriterFilter@33fc3b02, org.springframework.security.web.csrf.CsrfFilter@9b7a3ac, org.springframework.security.web.authentication.logout.LogoutFilter@267237ef, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@129495ef, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@7db0a467, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@764d1dbd, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@25a5268d, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@15c01d0c, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@37818a3b, org.springframework.security.web.session.SessionManagementFilter@3fe57e49, org.springframework.security.web.access.ExceptionTranslationFilter@4278af59, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@424bef91]
Answered by Dave Syer
Per the docs you have disabled the Spring Boot autoconfig in the first example by using @EnableWebSecurity, so you would have to explicitly ignore all the static resources manually. In the second example you simply provide a WebSecurityConfigurer, which is additive on top of the default autoconfig.
Answered by Aman Tuladhar
Create a Configuration file that extends WebSecurityConfigurerAdapter and annotate the class with @EnableWebSecurity.
You can override methods like configure(HttpSecurity http) to add basic security like below:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class AppWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Turns CSRF protection off and lets every request through unauthenticated.
        http
            .csrf().disable()
            .authorizeRequests()
                .anyRequest().permitAll();
    }
}
Answered by Sahil Bhalla
Add the method below to bypass security for css and js in the security config:
// Inside a WebSecurityConfigurerAdapter subclass; needs
// org.springframework.security.config.annotation.web.builders.WebSecurity
@Override
public void configure(WebSecurity web) throws Exception {
    // Requests matching these patterns skip the security filter chain entirely.
    web.ignoring().antMatchers("/css/**", "/js/**");
}
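Added example, not code from the question or any of the answers: the explicit ignore list Dave Syer's answer says you must write yourself once @EnableWebSecurity is present, next to the permitAll alternative that keeps static files inside the filter chain. The class name is made up; the patterns are the ones Spring Boot logged as its defaults in the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example, not from the question or answers. @EnableWebSecurity switches
// off Spring Boot's default security auto-configuration, including its ignore
// list for static content, so that list has to be reproduced here.
@Configuration
@EnableWebSecurity
public class StaticResourceSecurityConfig extends WebSecurityConfigurerAdapter {

    // Same patterns the asker's log shows Boot registering by default.
    private static final String[] STATIC_RESOURCES = {
        "/css/**", "/js/**", "/images/**", "/**/favicon.ico"
    };

    // Option 1: skip the security filter chain entirely for static files.
    // Cheapest, but these responses then get none of Spring Security's filters,
    // so no security headers (HeaderWriterFilter) are written for them.
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(STATIC_RESOURCES);
    }

    // Option 2: keep static files inside the chain and only allow anonymous
    // access, so security headers still apply. With both options present,
    // option 1 wins for these paths because ignored requests never reach this
    // chain; drop the configure(WebSecurity) override to rely on option 2 alone.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers(STATIC_RESOURCES).permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login.html").permitAll()
                .and()
            .logout()
                .logoutSuccessUrl("/login.html").permitAll();
    }
}
```

Whichever option you keep, the "Creating filter chain" log lines at startup are the quickest check that the static paths are handled the way you intended.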