Spring Security 404页面找不到404页面找不到

pdsfdshx  于 2023-04-21  发布在  Spring
关注(0)|答案(1)|浏览(235)

我是Spring Security的新手,我遇到了这样的问题,当我在我的web interfase中添加新用户时,我收到的页面找不到。如果我删除身份验证,我收到的是我没有权限进行post请求。
请帮助理解这个问题。可能是我找问题的方法不对。
下面是我的SecurityConfig文件:

package com.fuji.inventory.fujiInv.configurations;

import jakarta.servlet.DispatcherType;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Slf4j
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfig {
    @Autowired
    private CustomUserDetailsService customUserDetailsService;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http

                .authorizeHttpRequests(auth -> auth
//   -------------------- Access to all API
                                .requestMatchers(HttpMethod.GET, "/**").hasAnyRole("ADMIN", "USER")
//   -------------------- Access for API ASSETS
                                .requestMatchers(HttpMethod.POST, "/assets/**", "/users/create").hasRole("ROLE_ADMIN")
                                .requestMatchers(HttpMethod.DELETE, "/assets/**", "/users/delete/{id}").hasRole("ADMIN")
                                .requestMatchers(HttpMethod.PATCH, "/assets/**", "/users/create").hasRole("ADMIN")
                                .requestMatchers(HttpMethod.PUT, "/assets/**", "/users/create").hasRole("ADMIN")
//   -------------------- Access for API USERS
                                .requestMatchers(HttpMethod.DELETE, "/users/**").hasRole("ADMIN")
                                .requestMatchers(HttpMethod.POST, "/users/**").hasRole("ADMIN")
                                .requestMatchers(HttpMethod.PATCH, "/users/**").hasRole("ADMIN")
                                .requestMatchers(HttpMethod.PUT, "/users/**").hasRole("ADMIN")
                                .anyRequest()
////   -----------permit all without authentication
////                .permitAll()
////   -----------configure authentication
                                .authenticated()
                )
                .formLogin()
                .and()
                .exceptionHandling()
                .accessDeniedPage("/accessDennie")
                .and()
                .authenticationProvider(authenticationProvider())
                .build();
    }
    @Bean
    AuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
        daoAuthenticationProvider.setUserDetailsService(this.customUserDetailsService);
        daoAuthenticationProvider.setPasswordEncoder(passwordEncoder());
        daoAuthenticationProvider.setHideUserNotFoundExceptions(true);
        return daoAuthenticationProvider;
    }
}

下面是我的CustomUsersDetails文件:

package com.fuji.inventory.fujiInv.configurations;
import com.fuji.inventory.fujiInv.models.User;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.*;

public class CustomUserDetails implements UserDetails {

    private final User user;
    private final String username;
    private final String password;
    private final boolean active;

    public CustomUserDetails(User user) {
        this.user = user;
        username = user.getUsername();
        password = user.getPassword();
        active = user.isActive();
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        List<GrantedAuthority> authorities = new ArrayList<>();
        //list of permissions (name)
        this.user.getPermissionsList().forEach(p -> {
            GrantedAuthority authority = new SimpleGrantedAuthority(p);
            authorities.add(authority);
        });

        //list of roles (ROLE_name)
        this.user.getRoleList().forEach(r -> {
            GrantedAuthority authority = new SimpleGrantedAuthority("ROLE_"+r);
            authorities.add(authority);
        });

        return authorities;

    }

    @Override
    public String getPassword() {
        return password;
    }

    @Override
    public String getUsername() {
        return username;
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return active;
    }
}

下面是我的UserController文件:

package com.fuji.inventory.fujiInv.controllers;

import com.fuji.inventory.fujiInv.models.User;
import com.fuji.inventory.fujiInv.service.UserService;
import lombok.RequiredArgsConstructor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
@RequiredArgsConstructor
public class UserController {

    @Autowired
    private final UserService userService;

    @GetMapping("/login")
    public String login(){
        return "login";
    }
    @GetMapping("/user-add")
    @PreAuthorize("hasRole('ADMIN')")
    public String users(@RequestParam(name = "usersModel", required = false) String usersModel,
                        Model model
    ){

        model.addAttribute("users", userService.usersModel(usersModel));
        model.addAttribute("currentUserEmail", currentUserMail());
        return("/add-user");
    }

    @GetMapping("/user/{username}")
    @PreAuthorize("hasRole('ADMIN')")
    public String userInfo(@PathVariable String username, Model model){
        User userInfo = userService.getUserByUserName(username);
        model.addAttribute("userInfo", userInfo);
        return "user-info";
    }
//    @GetMapping("/users/{id}/edition")
//    @PreAuthorize("hasRole('ADMIN')")
//    public String updateUser(@PathVariable Long id, Model model){
//        User user = userService.getUserById(id);
//        return "/add-user";
//    }

    @PostMapping("/users/create")
    @PreAuthorize("hasRole('ADMIN')")
    public String createUser(User user, Model model){
        if(!userService.createUser(user)){
                model.addAttribute("userAddError", "User with same data "+user+" already exists!");
            return "redirect:/add-user";
        }
        userService.saveUser(user);
        model.addAttribute("user_added", "New User added successfully!");
       return "redirect:/add-user";
    }



    @PostMapping("/users/delete/{id}")
    @PreAuthorize("hasRole('ADMIN')")
    public String deleteUser(@PathVariable Long id){
        userService.deleteUser(id);
        return "redirect:/add-user";
    }

    @GetMapping("/access-dennied")
    public String accessDennied(){
        return "accessDennie";
    }
    public String currentUserMail(){
        return "@eu.fujikura.com";
    }
}

下面是我的USER实体:

package com.fuji.inventory.fujiInv.models;

import jakarta.persistence.*;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
import lombok.NonNull;

import java.time.LocalDateTime;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

@Entity
@Table(name = "users")
@Data
@AllArgsConstructor
@NoArgsConstructor
public class User {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    @Column(name = "user_id")
    private Long id;
    @Column(name = "username", unique = true)
    @NonNull
    private String username;
    @Column(name = "email", unique = true)
    @NonNull
    private String email;
    @Column(name = "isActive")
    private boolean isActive;
    @Column(name = "password")
    @NonNull
    private String password;
    @Column(name = "roles")
    private String roles;
    @Column(name = "permissions")
    private String permissions;
    @Column(name = "creationDate")
    @NonNull
    private LocalDateTime creationDate;
    @Column(name = "department")
    @NonNull
    private String department;
    @Column(name = "plant")
    @NonNull
    private String plant;

    @PrePersist
    private void init() {
        creationDate = LocalDateTime.now();
    }

    public List<String> getRoleList(){
        if(this.roles.length()>0){
            return Arrays.asList(this.roles.split(","));
        }
        return new ArrayList<>();
    }

    public List<String> getPermissionsList(){
        if (this.permissions.length()>0){
            return Arrays.asList(this.roles.split(","));
        }
        return new ArrayList<>();
    }

}

我可以发出一个GET请求。我可以访问所有的页面...但我不能在DB中创建新的记录。我收到的消息是页面没有找到,但所有的路由都是正常指定的。
enter image description here
我试过禁用身份验证,我试过启用身份验证。
我尝试了这个选项:

.authorizeHttpRequests(auth -> auth
//   -------------------- Access to all API
                                .requestMatchers(HttpMethod.GET, "/**").hasAnyRole("ADMIN", "USER")
//   -------------------- Access for API ASSETS
                                .requestMatchers(HttpMethod.POST, "/assets/**", "/users/create").hasRole("ROLE_ADMIN")
                                .requestMatchers(HttpMethod.DELETE, "/assets/**", "/users/delete/{id}").hasRole("ADMIN")
                                .requestMatchers(HttpMethod.PATCH, "/assets/**", "/users/create").hasRole("ADMIN")
                                .requestMatchers(HttpMethod.PUT, "/assets/**", "/users/create").hasRole("ADMIN")
//   -------------------- Access for API USERS
                                .requestMatchers(HttpMethod.DELETE, "/users/**").hasRole("ADMIN")
                                .requestMatchers(HttpMethod.POST, "/users/**").hasRole("ADMIN")
                                .requestMatchers(HttpMethod.PATCH, "/users/**").hasRole("ADMIN")
                                .requestMatchers(HttpMethod.PUT, "/users/**").hasRole("ADMIN")
                                .anyRequest()
////   -----------permit all without authentication
////                .permitAll()
////   -----------configure authentication
                                .authenticated()
                )

我尝试了这个选项:

.authorizeHttpRequests()
//   -------------------- Access to all API
                                .requestMatchers(HttpMethod.GET, "/**").hasAnyRole("ADMIN", "USER")
//   -------------------- Access for API ASSETS
                                .requestMatchers(HttpMethod.POST, "/assets/**", "/users/create").hasRole("ROLE_ADMIN")
                                .requestMatchers(HttpMethod.DELETE, "/assets/**", "/users/delete/{id}").hasRole("ADMIN")
                                .requestMatchers(HttpMethod.PATCH, "/assets/**", "/users/create").hasRole("ADMIN")
                                .requestMatchers(HttpMethod.PUT, "/assets/**", "/users/create").hasRole("ADMIN")
//   -------------------- Access for API USERS
                                .requestMatchers(HttpMethod.DELETE, "/users/**").hasRole("ADMIN")
                                .requestMatchers(HttpMethod.POST, "/users/**").hasRole("ADMIN")
                                .requestMatchers(HttpMethod.PATCH, "/users/**").hasRole("ADMIN")
                                .requestMatchers(HttpMethod.PUT, "/users/**").hasRole("ADMIN")
                                .anyRequest()
////   -----------permit all without authentication
////                .permitAll()
////   -----------configure authentication
                                .authenticated()
                ```
nfs0ujit

nfs0ujit1#

通过在SecurityConfig文件中添加.csrf().disable()解决了这个问题。

public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http

                .csrf().disable()
                .authorizeHttpRequests(auth -> auth
//   -------------------- Access to all API
                                .requestMatchers(HttpMethod.GET, "/**").hasAnyRole("ADMIN", "USER")
//   -------------------- Access for API ASSETS
                                .requestMatchers(HttpMethod.POST, "/assets/**", "/users/create").hasRole("ROLE_ADMIN")
                                .requestMatchers(HttpMethod.DELETE, "/assets/**", "/users/delete/{id}").hasRole("ROLE_ADMIN")

但是关于错误的访问路径的评论也很有用。
我完全忘记了托肯。
谢谢!

相关问题