Spring Boot 提供被安全阻止的静态内容
[英]Spring Boot serving static content blocked by security
问题描述
I started Spring Boot + Angular application and for now I want to deploy whole thing as a jar.
我启动了 Spring Boot + Angular 应用程序,现在我想将整个应用程序部署为 jar。 So I created maven config, where angular app gets built and then is copied to /target/classes/resources所以我创建了 maven 配置,在其中构建了 angular 应用程序,然后将其复制到 /target/classes/resources
But every request to root (localhost:8080) gets blocked by security.但是对 root (localhost:8080) 的每个请求都会被安全阻止。 When I disable it i can see the page, which means the whole thing is deployed correctly, but somehow spring does not allow me to see it.当我禁用它时,我可以看到页面,这意味着整个事情都已正确部署,但不知何故,spring 不允许我看到它。 Here is my simple security config, I want static resources to be unprotected, while any other request requires authentication:这是我的简单安全配置,我希望静态资源不受保护,而任何其他请求都需要身份验证:
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
.anyRequest().authenticated()
.and().httpBasic();
}
}
EDIT: A minimal example of my problem is here: https://gitlab.com/jnowacki/security-issue-demo编辑:我的问题的一个最小例子在这里: https : //gitlab.com/jnoacki/security-issue-demo
EDIT 2: I tries all the things from this post: Serving static web resources in Spring Boot & Spring Security application Do I do something wrong on a conceptual level?编辑 2:我尝试了这篇文章中的所有内容: 在 Spring Boot 和 Spring Security 应用程序中提供静态 Web 资源我在概念层面做错了吗? Is it wrong to serve static content along with Spring Boot app?与 Spring Boot 应用程序一起提供静态内容是错误的吗?
6 个解决方案
解决方案1
3 2018-12-04 14:23:15
Add this additional override:添加这个额外的覆盖:
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers(AUTH_WHITELIST);
}
where AUTH_WHITELIST will contain the paths to be ignored.其中AUTH_WHITELIST将包含要忽略的路径。 For instance:例如:
private static final String[] SWAGGER_AUTH_WHITELIST = {
// -- swagger ui
"/v2/api-docs",
"/swagger-resources",
"/swagger-resources/**",
"/swagger-ui.html",
"/resources/**"
};
解决方案2
1 2018-12-04 14:22:34
try below.下面试试。
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/resources/**");
}
Refer spring-securitys-antmatcher参考spring-securitys-antmatcher
解决方案3
0 2018-12-04 14:24:25
Use this method to allow static resources to be ignored by spring security使用这个方法可以让spring security忽略静态资源
//this method allows static resources to be neglected by spring security
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/resources/**", "/static/**");
}
解决方案4
0 2018-12-06 01:21:28
According to StaticResourceLocation docs :根据StaticResourceLocation 文档:
.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
will permit access to CSS, JS, ICO, images and NOT to html .将允许访问 CSS、JS、ICO、图像而不是 html 。
To permit index.html you can use following configuration:要允许index.html您可以使用以下配置:
http.authorizeRequests()
.antMatchers("/index.html", "/").permitAll()
.anyRequest().authenticated()
.and().httpBasic();
解决方案5
0 2019-12-23 14:41:16
// extends WebSecrityConfiguratesAdapeter // 扩展 WebSecrityConfiguratesAdapeter
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Overide
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers(HttpMethod.OPTIONS, ALL_ESCAPE)
.antMatchers("*.js")
.antMatchers(")
.antMatchers(BOWER_COMPONENTS)
.antMatchers(I18N)
.antMatchers(CONTENT);
}
}
解决方案6
0 2020-08-19 10:21:48
you must match real path, or example:您必须匹配真实路径,或者例如:
.pathMatchers("/assets/**", "/static/**")
.permitAll()ere
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.