java: Spring Security antMatchers ignored or overridden

2ic8powd, posted 2023-10-14 in Java
Answers (1) | Views (158)

Spring Security 5.x. I have the following security configuration:

```java
import java.util.Arrays;
import java.util.List;

import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@EnableWebSecurity(debug = true)
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
@Slf4j
public class ApiSecurityConfig {

    private boolean securityDebug;

    @Autowired
    public ApiSecurityConfig(@Value("${spring.security.debug:false}") boolean securityDebug) {
        this.securityDebug = securityDebug;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        log.info("configuring security...");
        // disable CSRF (stateless API, no browser session to protect)
        httpSecurity.csrf().disable();
        // add CORS filter (uses the corsConfigurationSource bean below)
        httpSecurity.cors();
        // add anonymous/permitted paths (that is: what paths are allowed to bypass authentication)
        httpSecurity.authorizeRequests()
            .antMatchers(HttpMethod.GET, "/v1/alerts").permitAll()
            // restrict all other paths and set them to authenticated
            .anyRequest().authenticated();
        httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        return httpSecurity.build();
    }

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        // static resources skip the security filter chain entirely
        return (web) -> web.debug(securityDebug)
            .ignoring()
            .antMatchers("/css/**", "/js/**", "/img/**", "/lib/**", "/favicon.ico");
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.setAllowedOriginPatterns(List.of("*"));
        corsConfiguration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
        corsConfiguration.setAllowedHeaders(List.of("*"));
        UrlBasedCorsConfigurationSource corsConfigurationSource = new UrlBasedCorsConfigurationSource();
        corsConfigurationSource.registerCorsConfiguration("/**", corsConfiguration);
        return corsConfigurationSource;
    }

    @Bean
    public DefaultWebSecurityExpressionHandler expressionHandler(RoleHierarchy roleHierarchy) {
        DefaultWebSecurityExpressionHandler expressionHandler = new DefaultWebSecurityExpressionHandler();
        expressionHandler.setRoleHierarchy(roleHierarchy);
        return expressionHandler;
    }
}
```

When I run curl against the GET /v1/alerts endpoint, I get 401s:

```text
curl -i -H "Accept: application/json" http://localhost:8080/v1/alerts
HTTP/1.1 401
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Length: 0
Date: Thu, 12 Oct 2023 17:49:13 GMT
```

In the Spring Security debug output I get:

```text
13:52:58.212 [main] INFO i.b.e.ws.MyServiceMonoServiceApp - Started MyServiceMonoServiceApp in 6.272 seconds (JVM running for 6.541)
13:52:58.236 [main] DEBUG o.s.b.a.ApplicationAvailabilityBean - Application availability state LivenessState changed to CORRECT
13:52:58.237 [main] DEBUG o.s.b.a.ApplicationAvailabilityBean - Application availability state ReadinessState changed to ACCEPTING_TRAFFIC
13:53:06.602 [http-nio-8080-exec-1] INFO o.a.c.c.C.[Tomcat].[localhost].[/] - Initializing Spring DispatcherServlet 'dispatcherServlet'
13:53:06.602 [http-nio-8080-exec-1] INFO o.s.web.servlet.DispatcherServlet - Initializing Servlet 'dispatcherServlet'
13:53:06.602 [http-nio-8080-exec-1] DEBUG o.s.web.servlet.DispatcherServlet - Detected StandardServletMultipartResolver
13:53:06.602 [http-nio-8080-exec-1] DEBUG o.s.web.servlet.DispatcherServlet - Detected AcceptHeaderLocaleResolver
13:53:06.602 [http-nio-8080-exec-1] DEBUG o.s.web.servlet.DispatcherServlet - Detected FixedThemeResolver
13:53:06.605 [http-nio-8080-exec-1] DEBUG o.s.web.servlet.DispatcherServlet - Detected org.springframework.web.servlet.view.DefaultRequestToViewNameTranslator@7db097a6
13:53:06.605 [http-nio-8080-exec-1] DEBUG o.s.web.servlet.DispatcherServlet - Detected org.springframework.web.servlet.support.SessionFlashMapManager@4d53d85e
13:53:06.605 [http-nio-8080-exec-1] DEBUG o.s.web.servlet.DispatcherServlet - enableLoggingRequestDetails='false': request parameters and headers will be masked to prevent unsafe logging of potentially sensitive data
13:53:06.605 [http-nio-8080-exec-1] INFO o.s.web.servlet.DispatcherServlet - Completed initialization in 3 ms
13:53:06.617 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy - Securing GET /v1/alerts
13:53:06.619 [http-nio-8080-exec-1] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - Set SecurityContextHolder to empty SecurityContext
13:53:06.625 [http-nio-8080-exec-1] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to io.myorg.MyService.ws.alerts.AlertController#getAlertStatus()
13:53:06.627 [http-nio-8080-exec-1] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Set SecurityContextHolder to anonymous SecurityContext
13:53:06.631 [http-nio-8080-exec-1] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Failed to authorize filter invocation [GET /v1/alerts] with attributes [authenticated]
13:53:06.631 [http-nio-8080-exec-1] DEBUG o.s.s.w.a.DelegatingAuthenticationEntryPoint - Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.HeaderContentNegotiationStrategy@553779ba, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]
13:53:06.631 [http-nio-8080-exec-1] DEBUG o.s.s.w.a.DelegatingAuthenticationEntryPoint - Trying to match using Or [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest], And [Not [MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.HeaderContentNegotiationStrategy@3c2955f6, matchingMediaTypes=[text/html], useEquals=false, ignoredMediaTypes=[]]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.HeaderContentNegotiationStrategy@3c2955f6, matchingMediaTypes=[application/atom+xml, application/x-www-form-urlencoded, application/json, application/octet-stream, application/xml, multipart/form-data, text/xml], useEquals=false, ignoredMediaTypes=[*/*]]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.HeaderContentNegotiationStrategy@3c2955f6, matchingMediaTypes=[*/*], useEquals=true, ignoredMediaTypes=[]]]
13:53:06.631 [http-nio-8080-exec-1] DEBUG o.s.s.w.a.DelegatingAuthenticationEntryPoint - Match found! Executing org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint@5bb911c1
13:53:06.631 [http-nio-8080-exec-1] DEBUG o.s.s.w.a.DelegatingAuthenticationEntryPoint - Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
13:53:06.631 [http-nio-8080-exec-1] DEBUG o.s.s.w.a.DelegatingAuthenticationEntryPoint - No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@20ffa494
13:53:06.632 [http-nio-8080-exec-1] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - Did not store empty SecurityContext
13:53:06.632 [http-nio-8080-exec-1] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - Did not store empty SecurityContext
13:53:06.632 [http-nio-8080-exec-1] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - Cleared SecurityContextHolder to complete request
13:53:06.640 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy - Securing GET /error
13:53:06.640 [http-nio-8080-exec-1] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - Set SecurityContextHolder to empty SecurityContext
13:53:06.640 [http-nio-8080-exec-1] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Set SecurityContextHolder to anonymous SecurityContext
13:53:06.640 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy - Secured GET /error
13:53:06.645 [http-nio-8080-exec-1] DEBUG o.s.s.w.a.DefaultWebInvocationPrivilegeEvaluator - filter invocation [/error] denied for AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
org.springframework.security.access.AccessDeniedException: Access is denied
	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:73)
	at org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator.isAllowed(DefaultWebInvocationPrivilegeEvaluator.java:100)
	at org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator.isAllowed(DefaultWebInvocationPrivilegeEvaluator.java:67)
	at org.springframework.boot.web.servlet.filter.ErrorPageSecurityFilter.isAllowed(ErrorPageSecurityFilter.java:88)
	at org.springframework.boot.web.servlet.filter.ErrorPageSecurityFilter.doFilter(ErrorPageSecurityFilter.java:76)
	at org.springframework.boot.web.servlet.filter.ErrorPageSecurityFilter.doFilter(ErrorPageSecurityFilter.java:70)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:327)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:81)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:122)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:116)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:87)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:81)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:109)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:149)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:102)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:102)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:237)
	at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:223)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:219)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:213)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:103)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:89)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:102)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:102)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:102)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:102)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:211)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:102)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:102)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:711)
	at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:461)
	at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:385)
	at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:313)
	at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:403)
	at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:249)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:895)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1732)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:829)
13:53:06.645 [http-nio-8080-exec-1] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - Did not store anonymous SecurityContext
13:53:06.645 [http-nio-8080-exec-1] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - Did not store anonymous SecurityContext
13:53:06.645 [http-nio-8080-exec-1] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - Cleared SecurityContextHolder to complete request
```

Any idea where I am going wrong?

Answer 1, by v1uwarro:

It looks like your controller is actually being called, but an error occurs and Spring MVC routes it to **/error**. Spring Security then tries to secure **/error** as well, and rejects it because you have no authentication. So your client (curl) gets a 401. If you want to be sure, add some logging in the controller, or run it in debug, to see whether your code is being called.
To disable the internal redirect to /error, see Spring Boot Disable /error mapping.
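An added example, not the asker's configuration and not the answerer's suggestion: instead of removing the /error mapping, the chain below permits the `/error` dispatch explicitly, and a test asks the same `WebInvocationPrivilegeEvaluator` bean that `ErrorPageSecurityFilter` uses in the trace above whether an anonymous caller is allowed on each path. Class, package and path names are assumed, the APIs are Spring Security 5.x / Spring Boot 2.7, and it assumes this chain replaces the asker's one in the test context.

```java
// ---- src/main/java/com/example/security/ErrorAwareSecurityConfig.java ----
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ErrorAwareSecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.authorizeRequests()
            .antMatchers(HttpMethod.GET, "/v1/alerts").permitAll()
            // Boot forwards a failed request to /error and asks the privilege
            // evaluator (ErrorPageSecurityFilter in the trace) whether the caller
            // may see it; permit it, or the real failure is masked by a 401.
            .antMatchers("/error").permitAll()
            .anyRequest().authenticated();
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        return http.build();
    }
}

// ---- src/test/java/com/example/security/ErrorAwareSecurityConfigTest.java ----
package com.example.security;

import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;

@SpringBootTest
class ErrorAwareSecurityConfigTest {
    @Autowired WebInvocationPrivilegeEvaluator evaluator; // the bean ErrorPageSecurityFilter consults
    // Same kind of principal the trace shows being denied on /error (constructed here).
    private final Authentication anon = new AnonymousAuthenticationToken(
        "key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

    @Test
    void anonymousAccessMatchesTheRules() {
        assertTrue(evaluator.isAllowed(null, "/v1/alerts", "GET", anon));
        assertTrue(evaluator.isAllowed(null, "/error", "GET", anon));
        assertFalse(evaluator.isAllowed(null, "/v1/alerts", "POST", anon)); // only GET is public
    }
}
```

The third assertion is the check that catches a too-broad `permitAll` when someone later drops the `HttpMethod.GET` argument.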
