stackoom
  简体   繁体   中英

Spring Boot Security: How to skip login for localhost?

 原文  2021-01-29 17:04:29       java/ spring/ spring-security

Question

My working spring boot SecurityConfig currently looks like this:

    protected void configure(HttpSecurity http) throws Exception {
    http
            .authorizeRequests()
            .antMatchers("/css/**", "/js/**", "/img/**", "/error", "/webjars/**", "/login", "**/favicon.ico").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin().failureUrl("/login?state=badauth")
            .loginPage("/login")
            .loginProcessingUrl("/processLogin")
            .successHandler(successHandler())
            .failureHandler(failureHandler())
            .permitAll()
            .and()
            .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login?state=loggedout");
    ;
    }

I am trying to allow users on the localhost to gain access to all resources without logging in. I have tried to insert the following into various locations within the chain:

.antMatchers("/**").access("hasIpAddress(\"127.0.0.1\") or hasIpAddress(\"::1\")")

Which always causes non-localhost access to fail with a forbidden.

How can I bypass login for users on the localhost only?

3 answers

solution1
 1 ACCPTED  2021-02-01 20:39:00

Try this

DemoApplication.java 

@SpringBootApplication
public class DemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}

TestController.java

@RestController
public class TestController {

    @GetMapping("/secured")
    public ResponseEntity secured() {
        return ResponseEntity.ok("Access granted");
    }

}

WebSecurityConfig.java 

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers("/**")
                .access("hasIpAddress('127.0.0.1') or hasIpAddress('::1') or isAuthenticated()")  // 127.0.0.1 and localhost do not need to authenticate on any url
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user").password(passwordEncoder().encode("password"))
                .authorities("ROLE_USER");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

solution2
 0  2021-01-29 17:39:44

Try to add hasIpAddress() before authenticated like this:

.antMatchers("/**").hasIpAddress("127.0.0.1").anyRequest().authenticated();

solution3
 0  2021-01-31 12:55:57

You can try disabling default security in Spring Boot by adding this line in application.properties file of your local/dev profile:
security.basic.enabled=false

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Skip Authentication for /login in spring boot Unable to skip the OncePerRequestFilter filter for a login url (basically to get the JWT token during the initial login)in spring boot security Spring Boot Security with Vaadin Login Cannot login with Spring Boot Security How to use spring boot security for custom login page without configuration? Custom Login Page for Spring Boot + Spring Security Spring Boot + Spring Security Restful Login Spring boot with spring security login form Spring-Boot Login without Spring Security Spring boot & Spring security always redirect to Login
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM