Spring Security user logged in but redirected to access denied page
Access is denied spring security even when user is logged in
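I am using Spring Security in my web application. Authentication works fine: after login I am redirected to the home page, the logged-in username is displayed in my application, and everything is fine except for one thing. My application has an upload method where users can upload videos to Azure storage, and the URL is then saved in the database. This is the upload method: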
```java
import java.io.File;
import java.io.FileInputStream;

import com.microsoft.azure.storage.CloudStorageAccount;
import com.microsoft.azure.storage.ServiceProperties;
import com.microsoft.azure.storage.blob.BlobContainerPermissions;
import com.microsoft.azure.storage.blob.BlobContainerPublicAccessType;
import com.microsoft.azure.storage.blob.CloudBlobClient;
import com.microsoft.azure.storage.blob.CloudBlobContainer;
import com.microsoft.azure.storage.blob.CloudBlockBlob;

// storageConnectionStringU and containerUrl are fields of the enclosing class (not shown in the post).
public String fileUpload(File fileUp, String fileN) {
    try {
        fileN = fileN.replace(" ", "_");
        // Retrieve storage account from connection-string.
        CloudStorageAccount storageAccount = CloudStorageAccount.parse(storageConnectionStringU);
        // Create the blob client.
        CloudBlobClient blobClient = storageAccount.createCloudBlobClient();
        // Get a reference to a container.
        // The container name must be lower case
        CloudBlobContainer container = blobClient.getContainerReference("filescontainer");
        System.out.println("exist " + container.exists());
        // Create the container if it does not exist.
        container.createIfNotExists();
        // Allow Public Access
        BlobContainerPermissions containerPermissions = new BlobContainerPermissions();
        // Include public access in the permissions object.
        containerPermissions.setPublicAccess(BlobContainerPublicAccessType.CONTAINER);
        // Set the permissions on the container.
        container.uploadPermissions(containerPermissions);
        // Create or overwrite the blob with contents from a local file.
        CloudBlockBlob blob = container.getBlockBlobReference(fileN);
        ServiceProperties serviceProperties = blob.getServiceClient().downloadServiceProperties();
        serviceProperties.setDefaultServiceVersion("2019-07-07");
        blob.getServiceClient().uploadServiceProperties(serviceProperties);
        /* // Plan B
         * RequestOptions RequestOptions =
         * blob.getServiceClient().getDefaultRequestOptions();
         * // <Can Set Timeout Here>
         * RequestOptions.setTimeoutIntervalInMs(?);
         */
        // Used StreamWriteSize to break the file into blocks to avoid timeout
        blob.setStreamWriteSizeInBytes(1024 * 1024);
        // try-with-resources closes the stream even if the upload fails
        try (FileInputStream in = new FileInputStream(fileUp)) {
            blob.upload(in, fileUp.length());
        }
        return containerUrl + fileN;
    } catch (Exception e) {
        // Output the stack trace.
        e.printStackTrace();
    }
    return "";
}
```
This is my upload controller:
```java
@PostMapping("/addVideo")
public String uploadMultipleFiles(@RequestParam("vdLength") String vdLength,
        @RequestParam("files1") MultipartFile files1) throws IOException {
    // ownerID, fileNameVd, date and videoService are declared elsewhere (not shown in the post)
    byte[] buffer = new byte[4096];
    int readByteCount = 0;
    VideoFile vd = new VideoFile();
    File target = new File(ownerID + fileNameVd + "_" + date.getTime() + ".mp4");
    // Copy the multipart upload to a local file; try-with-resources closes both streams
    try (BufferedInputStream in = new BufferedInputStream(files1.getInputStream());
         FileOutputStream out = new FileOutputStream(target)) {
        while ((readByteCount = in.read(buffer)) != -1) {
            out.write(buffer, 0, readByteCount);
        }
    }
    vd.setVideoURL(new UploadAzurController().fileUpload(target, ownerID + fileNameVd + "_" + date.getTime() + ".mp4"));
    target.delete();
    videoService.addVideo(vd);
    // the post omits the return statement
}
```
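The upload sometimes works, and sometimes it shows "502 - Web server received an invalid response while acting as a gateway or proxy server." I found this in the stack trace: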
```
2020-04-23T11:01:46.390408136Z 11:01:46.382 [http-nio-80-exec-3] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@dab9512f: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 172.16.1.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2020-04-23T11:01:46.391507942Z 11:01:46.391 [http-nio-80-exec-3] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@1928c84c, returned: -1
2020-04-23T11:01:46.393975556Z 11:01:46.393 [http-nio-80-exec-3] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
2020-04-23T11:01:46.393991456Z org.springframework.security.access.AccessDeniedException: Access is denied
2020-04-23T11:01:46.393996856Z at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
2020-04-23T11:01:46.394001156Z at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
2020-04-23T11:01:46.394005056Z at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)
2020-04-23T11:01:46.394008856Z at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
2020-04-23T11:01:46.394012656Z at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2020-04-23T11:01:46.394016356Z at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
2020-04-23T11:01:46.394020156Z at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2020-04-23T11:01:46.394023856Z at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
2020-04-23T11:01:46.394027656Z at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2020-04-23T11:01:46.394031356Z at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
2020-04-23T11:01:46.394035156Z at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2020-04-23T11:01:46.394038956Z at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
2020-04-23T11:01:46.394042856Z at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2020-04-23T11:01:46.394046556Z at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
2020-04-23T11:01:46.394050356Z at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2020-04-23T11:01:46.394054756Z at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
2020-04-23T11:01:46.394058656Z at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2020-04-23T11:01:46.394062356Z at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
2020-04-23T11:01:46.394066156Z at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2020-04-23T11:01:46.394076756Z at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:74)
2020-04-23T11:01:46.394080756Z at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2020-04-23T11:01:46.394084556Z at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2020-04-23T11:01:46.394088256Z at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
2020-04-23T11:01:46.394092156Z at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2020-04-23T11:01:46.394095856Z at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
2020-04-23T11:01:46.394099656Z at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2020-04-23T11:01:46.394103456Z at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2020-04-23T11:01:46.394107256Z at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
2020-04-23T11:01:46.394110956Z at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
2020-04-23T11:01:46.394114656Z at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
2020-04-23T11:01:46.394118456Z at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
2020-04-23T11:01:46.394122156Z at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
2020-04-23T11:01:46.394125856Z at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
2020-04-23T11:01:46.394129556Z at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
2020-04-23T11:01:46.394133657Z at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2020-04-23T11:01:46.394137457Z at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
2020-04-23T11:01:46.394141157Z at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
2020-04-23T11:01:46.394144957Z at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:92)
2020-04-23T11:01:46.394148657Z at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2020-04-23T11:01:46.394152357Z at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
2020-04-23T11:01:46.394156057Z at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
2020-04-23T11:01:46.394159857Z at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93)
2020-04-23T11:01:46.394166457Z at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2020-04-23T11:01:46.394170157Z at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
2020-04-23T11:01:46.394173957Z at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
2020-04-23T11:01:46.394177757Z at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200)
2020-04-23T11:01:46.394181757Z at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
2020-04-23T11:01:46.394185657Z at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
2020-04-23T11:01:46.394189357Z at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
2020-04-23T11:01:46.394193057Z at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
2020-04-23T11:01:46.394196757Z at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
2020-04-23T11:01:46.394200457Z at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
2020-04-23T11:01:46.394204057Z at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
2020-04-23T11:01:46.394207857Z at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
2020-04-23T11:01:46.394211557Z at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834)
2020-04-23T11:01:46.394215157Z at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1415)
2020-04-23T11:01:46.394219357Z at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
2020-04-23T11:01:46.394223057Z at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
2020-04-23T11:01:46.394226757Z at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
2020-04-23T11:01:46.394230457Z at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
2020-04-23T11:01:46.394234257Z at java.lang.Thread.run(Thread.java:748)
```
This is my Spring Security configuration class:
```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@EnableWebSecurity
@Configuration
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter implements WebMvcConfigurer {

    @Autowired
    @Qualifier("datasource")
    private DataSource dataSource;

    public static Boolean anon;

    @Value("${role.anonymous}")
    public void setAnon(Boolean anon) {
        SpringSecurityConfig.anon = anon;
    }

    // Secure the endpoints with form-login authentication
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        if (anon) {
            http.authorizeRequests().antMatchers("/").permitAll().antMatchers("/Search/**").permitAll();
        }
        http.authorizeRequests()
                .antMatchers("/manager*").hasAnyAuthority("ADMIN", "MANAGER")
                .antMatchers("/uploadFile").hasAnyAuthority("ADMIN", "MANAGER")
                .antMatchers("/resources/**").permitAll()
                .antMatchers("/api/**").permitAll()
                .antMatchers("/css/**").permitAll()
                .antMatchers("/footer**").permitAll()
                .antMatchers("/header**").permitAll()
                .antMatchers("/login*").permitAll()
                // Everything not matched above, including /addVideo, requires an authenticated user
                .anyRequest().authenticated()
                .and().csrf().disable().formLogin()
                .loginPage("/login").defaultSuccessUrl("/");
    }

    @Bean
    @Override
    public UserDetailsService userDetailsServiceBean() {
        try {
            return super.userDetailsServiceBean();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    @Bean
    public SwitchUserFilter switchUserFilter() {
        SwitchUserFilter filter = new SwitchUserFilter();
        filter.setUserDetailsService(userDetailsServiceBean());
        filter.setUsernameParameter("username");
        filter.setSwitchUserUrl("/switch_user");
        filter.setExitUserUrl("/switch_user_exit");
        filter.setTargetUrl("/");
        return filter;
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication().dataSource(dataSource).authoritiesByUsernameQuery(
                "Select auth.username, auth.authority , 1 as enabled from (select A.username, A.authority from admin as A UNION select M.username, M.authority from manager as M UNION select U.username, U.authority from user as U UNION select R.username, R.authority from readeruser as R) auth WHERE auth.username = ? ")
                .usersByUsernameQuery(
                        "Select auth.username, auth.password , 1 as enabled from (select A.username, A.password ,1 as enabled from admin as A UNION select M.username, M.password ,1 as enabled from manager as M UNION select U.username, U.password ,1 as enabled from user as U UNION select R.username, R.password ,1 as enabled from readeruser as R) auth WHERE auth.username = ? ");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowUrlEncodedSlash(true);
        return firewall;
    }

    // Static assets that bypass the security filter chain entirely
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/*.css");
        web.ignoring().antMatchers("/*.js");
        web.ignoring().antMatchers("/*.png");
        web.ignoring().antMatchers("/videos/*.mp4");
        web.ignoring().antMatchers("/videos/*.png");
        web.ignoring().antMatchers("/videos/*.vtt");
        web.httpFirewall(allowUrlEncodedSlashHttpFirewall());
    }

    @Bean
    public CorsFilter corsFilter() {
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        final CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("*"); // this allows all origins
        config.addAllowedHeader("*"); // this allows all headers
        config.addAllowedMethod("OPTIONS");
        config.addAllowedMethod("HEAD");
        config.addAllowedMethod("GET");
        config.addAllowedMethod("PUT");
        config.addAllowedMethod("POST");
        config.addAllowedMethod("DELETE");
        config.addAllowedMethod("PATCH");
        source.registerCorsConfiguration("/**", config);
        return new CorsFilter(source);
    }

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**");
    }
}
```
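After the upload fails, I go to the application and find that the user is still logged in. I hope I have provided all the information needed so that you can help me.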
Try increasing the file upload size.

```properties
#### File upload config ####
spring.servlet.multipart.max-file-size=xxMB/GB/etc
spring.servlet.multipart.max-request-size=xxMB/GB/etc
```
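My problem was that the application is hosted on an Azure service, where the request timeout of 230 seconds cannot be changed, so I changed the upload method to an asynchronous upload and now everything works fine.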
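
One way to structure the asynchronous upload described in the answer above, as an added example that is not the poster's code: the request thread only stages the file and returns 202, and a worker thread performs the blob upload. `BlobUploader`, the status endpoint, the in-memory status map and the pool size are assumptions made for illustration; `BlobUploader` stands in for the post's `fileUpload(File, String)`.

```java
import java.io.*;
import java.nio.file.*;
import java.security.Principal;
import java.util.*;
import java.util.concurrent.*;
import org.springframework.http.ResponseEntity;
import org.springframework.security.concurrent.DelegatingSecurityContextExecutorService;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.multipart.MultipartFile;

@RestController
public class AsyncVideoUploadController {
    /** Hypothetical stand-in for the post's fileUpload(File, String); returns the blob URL. */
    public interface BlobUploader { String upload(File file, String blobName) throws Exception; }

    private final BlobUploader uploader;
    private final Map<String, String> status = new ConcurrentHashMap<>(); // jobId -> state or URL
    // SecurityContextHolder is thread-local: this wrapper copies the caller's context to the worker.
    private final ExecutorService pool =
            new DelegatingSecurityContextExecutorService(Executors.newFixedThreadPool(2));
    public AsyncVideoUploadController(BlobUploader uploader) { this.uploader = uploader; }

    @PostMapping("/addVideo")
    public ResponseEntity<String> addVideo(@RequestParam("files1") MultipartFile files1,
                                           Principal principal) throws IOException {
        // Stage the part on disk now: the container discards multipart data when the request ends.
        File target = File.createTempFile("upload-", ".mp4");
        try (InputStream in = files1.getInputStream()) {
            Files.copy(in, target.toPath(), StandardCopyOption.REPLACE_EXISTING);
        }
        String jobId = UUID.randomUUID().toString();
        String owner = principal.getName();   // non-null: /addVideo falls under anyRequest().authenticated()
        status.put(jobId, "PENDING");
        pool.submit(() -> {
            try {
                // Server-generated blob name; nothing from the client-supplied filename is used.
                status.put(jobId, uploader.upload(target, owner + "_" + jobId + ".mp4"));
            } catch (Exception e) {
                status.put(jobId, "FAILED");
            } finally {
                target.delete();               // delete only after the background upload has finished
            }
        });
        return ResponseEntity.accepted().body(jobId); // 202 is sent well inside the 230-second limit
    }

    @GetMapping("/addVideo/status/{jobId}")
    public ResponseEntity<String> uploadStatus(@PathVariable String jobId) {
        String s = status.get(jobId);
        return s == null ? ResponseEntity.notFound().build() : ResponseEntity.ok(s);
    }
}
```

The client polls the status endpoint with the returned job id until it reads a URL or `FAILED`; a production version would persist job state and restrict each job id to the user who created it.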