
How to fix access to resources using Spring Security?

I just copied a login/register form with Spring Security from the web and I have huge problems. I want to make all resources PUBLIC for all, because after 5 hours I totally don't know what is f****** going on with this Spring Security.

OK, here is my configure method 1:

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
...
...
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            // URLs matching for access rights
            .antMatchers("/").permitAll()
            .antMatchers("/login").permitAll()
            .antMatchers("/register").permitAll()
            .antMatchers("/DBDesign").permitAll()
            .antMatchers("/index").permitAll()
            .antMatchers("/admin/**").hasAuthority("ADMIN")
            .antMatchers("/user/**").hasAuthority("USER")
            .anyRequest().authenticated()
            .and()
            // form login
            .csrf().disable().formLogin()
            .loginPage("/login")
            .failureUrl("/login?error=true")
            .successHandler(sucessHandler)
            .usernameParameter("email")
            .passwordParameter("password")
            .and()
            // logout
            .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/").and()
            .exceptionHandling()
            .accessDeniedPage("/access-denied");
}

Configuration method 2:

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**", "/static/**", "/common/**", "/js/**", "/images/**");
    }
}

Configuration method 3:

@Configuration
public class WebMvcConfig implements WebMvcConfigurer{
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry
                .addResourceHandler("/webjars/**", "/static/**", "/templates/**")
                .addResourceLocations("/webjars/", "classpath:/static/", "classpath:/templates/");
    }
}

I am 100% sure that one of these methods is responsible for managing the directories that are to be available before logging in and which are not. Guys, please, can someone explain how exactly this works? Look, this is my temporary file structure:


green --- I have access

red --- I don't have access

I can copy and paste the path to "green" files and see what is inside, but if I try to do the same thing for red files... error 404. How is this possible? Only those 2x don't have permission.

The resource handler /static/** points to classpath:/static/

So the security filter should ignore requests to /sidebar/** , ....

@Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/sidebar/**","/diagramER/**", .....);
    }

Then you can use in your pages something like

<html lang="en">
<head>
    ....
    <script src="/sidebar/js/main.js" ></script>
    <script src="/diagramER/DBDesign.js" ></script>
    <link rel="stylesheet" type="text/css" href="/sidebar/common/style.css">
</head>
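
To see which request paths an ignore list actually covers, the following added example (not code from the question or the answer) runs the question's list and the answer's list against the URLs used in the answer's HTML. It assumes spring-core is on the classpath and uses AntPathMatcher as a stand-in for the Ant-style matching that antMatchers applies; the class name IgnoreListCheck and the method notIgnored are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.springframework.util.AntPathMatcher;

// Added example: reports which request URLs an ignore list does NOT cover.
// AntPathMatcher (spring-core) stands in for the Ant-style matching that
// antMatchers(...) applies to the request path; this is an assumption.
public class IgnoreListCheck {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Returns the URLs that no pattern matches, i.e. requests that still
    // pass through the authorizeRequests() rules.
    static List<String> notIgnored(List<String> patterns, List<String> urls) {
        List<String> result = new ArrayList<>();
        for (String url : urls) {
            boolean covered = false;
            for (String pattern : patterns) {
                if (MATCHER.match(pattern, url)) {
                    covered = true;
                    break;
                }
            }
            if (!covered) {
                result.add(url);
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // URLs taken from the <script>/<link> tags in the answer.
        List<String> urls = Arrays.asList(
                "/sidebar/js/main.js",
                "/diagramER/DBDesign.js",
                "/sidebar/common/style.css");

        // Ignore list from the question's configure(WebSecurity).
        List<String> question = Arrays.asList(
                "/resources/**", "/static/**", "/common/**", "/js/**", "/images/**");

        // The two patterns the answer names (its elided entries are left out).
        List<String> answer = Arrays.asList("/sidebar/**", "/diagramER/**");

        System.out.println("question list misses: " + notIgnored(question, urls));
        System.out.println("answer list misses:   " + notIgnored(answer, urls));
    }
}
```

Patterns are matched from the start of the request path, so a pattern such as /js/** does not cover /sidebar/js/main.js.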
