Java Spring Security“拒绝从……执行脚本”
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/24726218/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring Security "Refused to execute script from ..."
提问by somenone
I'm building a Spring MVC application with Spring Security and Bootstrap in my HTML files (thymeleaf templates). The Spring Security part is based on the Spring Guide for Spring Securityand combined with a Spring Boot application server.
我正在我的 HTML 文件(thymeleaf 模板)中使用 Spring Security 和 Bootstrap 构建一个 Spring MVC 应用程序。Spring Security 部分基于 Spring Security 的 Spring Guide ,并结合了 Spring Boot 应用程序服务器。
After enabling Spring Security the bootstrap css file won't load with the error message:
启用 Spring Security 后,bootstrap css 文件将不会加载并显示错误消息:
Refused to execute script from 'http://localhost:8080/js/bootstrap.min.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.
The error message above comes from the chrome developer console.
上面的错误信息来自 chrome 开发者控制台。
What I've tried:
我试过的:
- Disabling the Spring Security => bootstrap css works again, but I need the security
- Searching on the spring forums, but theres a looped link without a solution
- Adding a resources handler, but I can't see that the handler is invoked nor the error disappears
- Adding the resources path to the
permitcall
- 禁用 Spring Security => bootstrap css 再次起作用,但我需要安全性
- 在 spring 论坛上搜索,但有一个没有解决方案的循环链接
- 添加资源处理程序,但我看不到该处理程序被调用,错误也消失了
- 将资源路径添加到
permit调用中
My dir structure:
我的目录结构:
/main
|-> /java
| BootStart.java
|-> /security
|SecurityConfiguration.java
|-> /resources
|-> /static
|-> /css /** bootstrap location */
|-> /js
|-> /fonts
|-> /templates
| /user
| sample.html
BootStart.java is the java file that gets picked up by Spring Boot.
BootStart.java 是 Spring Boot 获取的 java 文件。
BootStart.java:
BootStart.java:
@EnableAutoConfiguration
@ComponentScan
public class BootStart {
public static void main(String[] args) {
SpringApplication.run(BootStart.class, args);
}
}
SecurityConfiguration.java:
安全配置.java:
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
http
.authorizeRequests()
.antMatchers("/", "/resources/static/**").permitAll()
.anyRequest().authenticated();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
}
Sample.html:
示例.html:
<!DOCTYPE HTML>
<html>
<head>
<link rel="stylesheet" th:href="@{/css/bootstrap.css}" href="../../css/bootstrap.min.css"/>
<link rel="stylesheet" th:href="@{/css/bootstrap-theme.css}" href="../../css/bootstrap-theme.min.css"/>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
</head>
<body>
<div class="alert alert-danger" role="alert">!Basic template!</div>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
<script src="js/bootstrap.min.js"></script>
</body>
</html>
Currently I'm using the following dependencies in my pom:
目前我在我的 pom 中使用以下依赖项:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.4.RELEASE</version>
</dependency>
How must I configure Spring Security that I can load css/ js files from my /static resources directory?
我必须如何配置 Spring Security 才能从 /static 资源目录加载 css/js 文件?
回答by Mavlarn
Please check this answerby other with similar question.
请检查其他有类似问题的答案。
If you place js files in /js/dir, there should not that kind of MIME error.
And, for javascript files, it is better to disable security for them:
如果将 js 文件放在/js/dir 中,就不应该出现那种 MIME 错误。
而且,对于 javascript 文件,最好为它们禁用安全性:
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/the_js_path/**");
}
回答by Peter Catalin
I had the same error after adding a new method to a controller.
在向控制器添加新方法后,我遇到了同样的错误。
I forgot to provide a value for the @GetMappingannotation and the @Controlleritself was not bound to any URL. Wierdly enough adding @GetMapping("/foo")to my method solved the problem. I still haven't figured out why that happened but I'm planning to find out.
我忘记为@GetMapping注释提供一个值,并且它@Controller本身没有绑定到任何 URL。奇怪地添加@GetMapping("/foo")到我的方法中解决了这个问题。我仍然没有弄清楚为什么会发生这种情况,但我打算找出来。
回答by da-vinci-code
I had the same error too with the same folder structure, it was on the css file.
对于相同的文件夹结构,我也有同样的错误,它在 css 文件中。
All I did is added /css/**in antMatcher() as below:
我所做的只是/css/**在 antMatcher() 中添加如下:
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.authorizeRequests()
.antMatchers("/css/**").permitAll() //Adding this line solved it
.anyRequest().fullyAuthenticated()
.and()
.formLogin()
.loginPage("/login").permitAll()
.loginProcessingUrl("/sign-in")
.defaultSuccessUrl("/home")
.failureUrl("/error")
.and()
.logout()
.logoutSuccessUrl("/logout")
.permitAll()
.and()
.csrf().disable();
}
In your case just add /js/**in the antMatcher() and then use permitAll()
在您的情况下,只需添加/js/**antMatcher() 然后使用 permitAll()
回答by Wei Chun
I used this to resolved my problem, you may try this
我用这个来解决我的问题,你可以试试这个
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/resources/**");
}
Hope it help.
希望有帮助。
回答by fresher
when we use "permitall()" or anyrequest()then it enable Mime check so i specify all url listing which use to be accecs.
当我们使用“ permitall()”或anyrequest() 时,它会启用 Mime 检查,因此我指定了所有用作 accecs 的 url 列表。
回答by nllsdfx
I removed any comments from the beginning of the css file and it works.
我从 css 文件的开头删除了任何注释,它可以工作。
回答by Slawomir Wozniak
I had this problem, and struggled for a while. I had created a route which should match every "unmatched" route, and send index.html.
我遇到了这个问题,并挣扎了一段时间。我创建了一个应该匹配每个“不匹配”路由的路由,并发送index.html.
@Controller
public class DefaultPageController {
@Autowired
private LogService logService;
@GetMapping("/*")
public String defaultPage(Model model){
logService.saveLog(Log.LogType.INFO, null, "Default route");
return "index";
}
}
The problem was, that it overrode the route /file.js, and didn't send the static files, but always index.html.
问题是,它覆盖了 route /file.js,并且没有发送静态文件,但总是index.html.
So the solution was only to customize the route.
所以解决方案只是自定义路线。
