我为Spring-Boot创建了一个SpringSecurity配置类，js和ico文件。由于安全原因，资源每次都被拒绝并被重定向到登录页面。为什么EnableWebMVCSecurity不添加类路径资源位置。按照第二个代码段中的方式更改代码后，添加了I类路径资源位置。我不明白我在第一个代码片段中缺少了什么。

@Configuration

/*
 * Enable Spring Security’s web security support and provide the Spring MVC integration
 * It also extends WebSecurityConfigurerAdapter and overrides a couple of its methods to set some specifics of the web security configuration.
 */
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

/**
 * The configure(HttpSecurity) method defines with URL paths should be 
     * secured and which should not. 
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .authorizeRequests()
            .anyRequest().authenticated();

//      There is a custom "/login" page specified by loginPage(), and everyone 
//      is allowed to view it.      
        http
            .formLogin()
                .loginPage("/login.html")
                .permitAll()
                .and()
            .logout()
                .permitAll().logoutSuccessUrl("/login.html");
    }

    @Configuration
    protected static class AuthenticationConfiguration extends
            GlobalAuthenticationConfigurerAdapter {
        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
//          As for the configure(AuthenticationManagerBuilder) method, it sets up 
//          an in-memory user store with a single user. That user is given a 
//          username of "user", a password of "password", and a role of "USER".
            auth
                    .inMemoryAuthentication()
                    .withUser("user@domain.com").password("password").roles("USER");
        }
   }

我通过将代码更改为

@Configuration
/*
 * Enable Spring Security’s web security support and provide the Spring MVC integration
 * It also extends WebSecurityConfigurerAdapter and overrides a couple of its methods to set some specifics of the web security configuration.
 */
public class WebSecurityConfig{

    @Bean
    public ApplicationSecurity applicationSecurity() {
        return new ApplicationSecurity();
    }

    @Bean
    public AuthenticationSecurity authenticationSecurity() {
        return new AuthenticationSecurity();
    }

    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
            .authorizeRequests()
                .anyRequest().authenticated();
            http
                .formLogin()
                    .loginPage("/login.html")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll().logoutSuccessUrl("/login.html");

        }
    }

    @Order(Ordered.HIGHEST_PRECEDENCE + 10)
    protected static class AuthenticationSecurity extends
            GlobalAuthenticationConfigurerAdapter {
        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth
            .inMemoryAuthentication()
            .withUser("user@domain.com").password("password").roles("USER");

        }
    }   
}

更改代码后，我注意到Ignore路径已添加到过滤器中，并且我在日志中看到以下内容：

[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: Ant [pattern='/css/**'], []
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: Ant [pattern='/js/**'], []
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: Ant [pattern='/images/**'], []
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: Ant [pattern='/**/favicon.ico'], []
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@4e3e0069, org.springframework.security.web.context.SecurityContextPersistenceFilter@3d2dd0cf, org.springframework.security.web.header.HeaderWriterFilter@33fc3b02, org.springframework.security.web.csrf.CsrfFilter@9b7a3ac, org.springframework.security.web.authentication.logout.LogoutFilter@267237ef, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@129495ef, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@7db0a467, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@764d1dbd, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@25a5268d, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@15c01d0c, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@37818a3b, org.springframework.security.web.session.SessionManagementFilter@3fe57e49, org.springframework.security.web.access.ExceptionTranslationFilter@4278af59, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@424bef91]

3条答案

按热度按时间

sigwle7e1#

根据文档，在第一个示例中，您使用@EnableWebSecurity禁用了Spring Boot 自动配置，因此您必须手动显式忽略所有静态资源。在第二个示例中，您只需提供一个WebSecurityConfigurer，它是默认自动配置的附加项。

赞(0）回复(0）举报 2022-11-11

xmq68pz92#

创建一个扩展**WebSecurityConfigurerAdapter的配置文件，并使用@EnableWebSecurity**为该类添加注解
您可以覆盖configure(HttpSecurity http)之类的方法来添加基本安全性，如下所示

@Configuration
@EnableWebSecurity
public class AppWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {    
        http
            .csrf().disable()
            .authorizeRequests()
                .anyRequest().permitAll();
        }
}

slsn1g293#

将以下方法添加到安全配置中css和js的旁路安全中-

@Override
    public void configure(WebSecurity web) throws Exception {
       web.ignoring().antMatchers("/css/****","/js/****");
    }

spring-security 使用Spring-boot进行安全配置

3条答案

相关问题

热门标签

最新问答