stackoom
  简体   繁体   中英

Login page is not permitted in Spring Security

 原文  2020-01-20 07:59:10       java/ spring/ spring-security

Question

I have an application providing several REST endpoints and web pages as well.

/products    -- REST endpoint
/cutomers    -- REST endpoint
/ui/catalog  -- Web
/ui/admin    -- Web

I want to set up the security so all web starting with /ui/** are redirected to a login page and all the others (REST) are challenged with 401 and WWW-Authenticate .

With the following settings the login page is not permitted and 401 with the header is sent:

@Configuration
@Order(20)
@RequiredArgsConstructor
class RestConfigurationAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.requestMatcher(AnyRequestMatcher.INSTANCE)
                .authorizeRequests().anyRequest().fullyAuthenticated();

        httpSecurity.
                requiresChannel().
                requestMatchers(AnyRequestMatcher.INSTANCE).
                requiresSecure();
    }
}

@Configuration
@Order(10)
@RequiredArgsConstructor
class WebUIConfigurationAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.antMatcher("/ui/**")
                .authorizeRequests().anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/login").permitAll()
                .and()
                .logout().permitAll();
    }
}

Why this doesn't work? I would expect to be redirected to the login page (it works) and the login page to be 200 (it doesn't work).

1 answers

solution1
 0 ACCPTED  2020-01-23 07:36:35

Editing the WebUIConfigurationAdapter as follows solves the problem:

httpSecurity.requestMatchers()
    .antMatchers("/ui/**", "/login", "/logout")
    .authorizeRequests().anyRequest().authenticated()
    .and()
    .formLogin().loginPage("/login").permitAll()
    .and()
    .logout().permitAll();

The URL /login is set by WebUIConfigurationAdapter so it is then excluded by RestConfigurationAdapter .

Thanks @PraveenKumarLalasangi for his comment.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring Security Login Page In Spring Security config Urls which are permitted for all are not accessable and redirecting to login spring security redirect page login Spring Security simple login page cant login Spring Security - Cannot login with custom login page Custom Login Page for Spring Boot + Spring Security Spring mvc / security : excluding the login page from spring security Override Spring boot 2 security default login page Spring security only shows header of login page Spring security - can not get to the login page
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM