
Security configuration with Spring-boot

I created a Spring Security configuration class for Spring Boot. My login page has resources: css, js and ico files. The resources are getting denied for security reasons and redirected to the login page each time. Why does @EnableWebMvcSecurity not add the classpath resource location? After changing the code as in the second snippet, the classpath resource location is added. I don't understand what I am missing for the resources in the first code snippet.


import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
/*
 * Enable Spring Security's web security support and provide the Spring MVC integration.
 * The class also extends WebSecurityConfigurerAdapter and overrides a couple of its
 * methods to set some specifics of the web security configuration.
 */
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * The configure(HttpSecurity) method defines which URL paths should be
     * secured and which should not.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated();

        // There is a custom "/login" page specified by loginPage(), and everyone
        // is allowed to view it.
        http
            .formLogin()
                .loginPage("/login.html")
                .permitAll()
                .and()
            .logout()
                .permitAll().logoutSuccessUrl("/login.html");
    }

    @Configuration
    protected static class AuthenticationConfiguration extends
            GlobalAuthenticationConfigurerAdapter {
        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            // Like the configure(AuthenticationManagerBuilder) method, this sets up
            // an in-memory user store with a single user. That user is given a
            // username of "user@domain.com", a password of "password", and a role of "USER".
            auth
                .inMemoryAuthentication()
                    .withUser("user@domain.com").password("password").roles("USER");
        }
    }
}

I got this working by changing the code to


import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
/*
 * No @EnableWebMvcSecurity here: the two nested configurers are registered as
 * beans and picked up by Spring Boot's own security auto-configuration.
 */
public class WebSecurityConfig {

    @Bean
    public ApplicationSecurity applicationSecurity() {
        return new ApplicationSecurity();
    }

    @Bean
    public AuthenticationSecurity authenticationSecurity() {
        return new AuthenticationSecurity();
    }

    // Ordered after Boot's default chains, so the static-resource ignores stay in place.
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated();
            http
                .formLogin()
                    .loginPage("/login.html")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll().logoutSuccessUrl("/login.html");
        }
    }

    @Order(Ordered.HIGHEST_PRECEDENCE + 10)
    protected static class AuthenticationSecurity extends
            GlobalAuthenticationConfigurerAdapter {
        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .inMemoryAuthentication()
                    .withUser("user@domain.com").password("password").roles("USER");
        }
    }
}

After changing the code I noticed that the ignore paths were added to the filter, and I see the following in the logs:

[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: Ant [pattern='/css/**'], []
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: Ant [pattern='/js/**'], []
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: Ant [pattern='/images/**'], []
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: Ant [pattern='/**/favicon.ico'], []
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@4e3e0069, org.springframework.security.web.context.SecurityContextPersistenceFilter@3d2dd0cf, org.springframework.security.web.header.HeaderWriterFilter@33fc3b02, org.springframework.security.web.csrf.CsrfFilter@9b7a3ac, org.springframework.security.web.authentication.logout.LogoutFilter@267237ef, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@129495ef, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@7db0a467, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@764d1dbd, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@25a5268d, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@15c01d0c, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@37818a3b, org.springframework.security.web.session.SessionManagementFilter@3fe57e49, org.springframework.security.web.access.ExceptionTranslationFilter@4278af59, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@424bef91]

Per the docs you have disabled the Spring Boot autoconfig in the first example by using @EnableWebSecurity, so you would have to explicitly ignore all the static resources manually. In the second example you simply provide a WebSecurityConfigurer, which is additive on top of the default autoconfig.

Create a configuration class that extends WebSecurityConfigurerAdapter and annotate the class with @EnableWebSecurity.

You can override methods like configure(HttpSecurity http) to add basic security, like below:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class AppWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection switched off and every request allowed: a wide-open
        // baseline that only makes sense as a starting point.
        http
            .csrf().disable()
            .authorizeRequests()
                .anyRequest().permitAll();
    }
}

Add the method below to bypass security for css and js in the security config:

    // WebSecurity is org.springframework.security.config.annotation.web.builders.WebSecurity.
    // Ignored paths skip the whole security filter chain.
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/css/**", "/js/**");
    }
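Putting the two answers above together, here is an added example (not code from the question or from either answer) of an adapter-based configuration that opens the static paths explicitly, using the four patterns for which Boot's autoconfig created empty filter chains in the question's log. It also shows the practical difference between web.ignoring() and permitAll(): an ignored path bypasses the whole filter chain (no CSRF check, no security headers such as X-Content-Type-Options or Cache-Control), whereas a permitted path still goes through the chain and only skips authentication. The class name StaticResourceSecurityConfig is an assumption; the user store is configured elsewhere, as in the question.

```java
// Added example, not from the original question or answers. Targets the
// WebSecurityConfigurerAdapter API (Spring Security 4.x / Boot 1.x, still
// available but deprecated up to Spring Security 5.7).
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity // turns off Boot's default chain, so static paths must be handled here
public class StaticResourceSecurityConfig extends WebSecurityConfigurerAdapter {

    // Option A: take a path out of the security filter chain entirely. This is
    // what Boot's autoconfig did for /css/**, /js/**, /images/** and
    // /**/favicon.ico (the "[]" filter lists in the question's log). Nothing in
    // the chain runs for such requests: no login, but also no CsrfFilter and no
    // HeaderWriterFilter. Reserve it for public, non-sensitive files where the
    // missing headers do not matter; the favicon is used here as that case.
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/**/favicon.ico");
    }

    // Option B: keep the static paths inside the chain but permit them without
    // authentication. Security headers and CSRF handling still apply
    // consistently across the site; only the authentication requirement is
    // dropped for these paths. Prefer this unless the per-request filter cost
    // is a measured problem.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/css/**", "/js/**", "/images/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login.html") // the question's custom login page
                .permitAll()
                .and()
            .logout()
                .logoutSuccessUrl("/login.html")
                .permitAll();
    }
}
```

At startup the DefaultSecurityFilterChain log then shows one empty chain for the ignored favicon pattern and a single full chain for everything else; a request for /css/style.css is served without a session because the FilterSecurityInterceptor sees permitAll, while any other unauthenticated request is redirected to /login.html. If you later add Content-Security-Policy or cache headers through the headers() DSL, option B paths receive them and option A paths do not, which is the reason to keep ignoring() to a minimum.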

// Spring Boot 2.7.0+ changes with Spring Security

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfiguration {

    @Bean
    UserDetailsService userDetailsService() {
        return new MyUserDetailsService(); // to be created
    }

    @Bean
    BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(userDetailsService());
        authProvider.setPasswordEncoder(passwordEncoder());
        return authProvider;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authenticationProvider(authenticationProvider());

        // http.authorizeRequests()... (authorization rules elided in the original)

        http.authorizeRequests().and().rememberMe().userDetailsService(userDetailsService()); // important

        // http.authorizeRequests()... (further rules elided in the original)

        return http.build();
    }
}
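As an added example (not part of the answer above), here is the same login page and static resource setup in the Spring Boot 2.7 / Spring Security 5.7 component style that the answer's SecurityFilterChain bean points at, with no WebSecurityConfigurerAdapter at all. To keep it self-contained it replaces the answer's hypothetical MyUserDetailsService with an in-memory user; the user name and /login.html come from the question, and the class name SecurityConfiguration is reused only for continuity. Boot's PathRequest.toStaticResources().atCommonLocations() matcher stands in for listing the static paths by hand.

```java
// Added example, not from the original question or answers.
// Spring Boot 2.7.x / Spring Security 5.7.x component-based configuration.
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfiguration {

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // One in-memory user. Spring Security 5 rejects a stored password that has
    // neither an "{id}" prefix nor a matching encoder, so the password is hashed
    // with the same encoder Boot wires into the DaoAuthenticationProvider it
    // builds from these two beans (no explicit provider bean needed).
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("user@domain.com")
                .password(encoder.encode("password"))
                .roles("USER")
                .build());
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, UserDetailsService users) throws Exception {
        http
            .authorizeRequests()
                // Boot's common static locations (/css/**, /js/**, /images/**,
                // /webjars/** and the favicon patterns). They stay inside the
                // filter chain, so security headers still apply; they only skip
                // the login requirement.
                .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login.html")
                .permitAll()
                .and()
            .logout()
                .logoutSuccessUrl("/login.html")
                .permitAll()
                .and()
            // Without the adapter, remember-me has no implicit UserDetailsService
            // to reload users from, hence the explicit wiring the answer flags.
            .rememberMe()
                .userDetailsService(users);
        return http.build();
    }
}
```

Compared with the adapter-era code earlier on this page, there is nothing to order with @Order or ACCESS_OVERRIDE_ORDER: a single SecurityFilterChain bean replaces Boot's default chain, and the static resources are permitted in the same chain rather than ignored, so a later headers() or csrf() change applies to them too.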

Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please cite this site's URL or the original source. For any questions contact: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM