[英]"status": 403, "error": "Forbidden" "message": "Access Denied" in postman spring boot code
[英]Access Denied (Status 403) error message trying to access index.html file declared in Spring Boot project
我正在使用Spring Security
开发一个Spring Boot
项目,我在尝试允许访问在我的项目中声明的测试index.html
页面时遇到以下问题。
基本上我有以下情况。 在我的项目中,我有这个文件夹: src/main/resources/static
文件夹,其中包含index.html
文件。
Spring Boot
Tomcat
服务器运行在8019
端口,实际上这是启动日志:
[2m2022-02-17 17:04:06.882[0;39m [32m INFO[0;39m [35m16062[0;39m [2m---[0;39m [2m[ restartedMain][0;39m [36mo.s.b.w.embedded.tomcat.TomcatWebServer [0;39m [2m:[0;39m Tomcat started on port(s): 8019 (http) with context path ''
所以我尝试在我的浏览器中运行这个index.html
文件打开这个 URL: http://localhost:8019/index.html
但我收到此错误消息:
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Thu Feb 17 17:03:54 CET 2022
There was an unexpected error (type=Forbidden, status=403).
Access Denied
我还尝试在我的Spring Security
配置 class 中添加一个permitAll()
规则,这个:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
@Qualifier("customUserDetailsService")
private UserDetailsService userDetailsService;
@Autowired
private JwtConfig jwtConfig;
@Autowired
private JwtTokenUtil jwtTokenUtil;
//private static final String[] USER_MATCHER = { "/api/utenti/cerca/**"};
//private static final String[] ADMIN_MATCHER = { "/api/utenti/inserisci/**", "/api/utenti/elimina/**" };
private static final String[] USER_MATCHER = { "/api/users/email/**"};
private static final String[] ADMIN_MATCHER = {
"/api/users/email/**",
"/api/admin/**"
};
private static final String[] COMMON_MATCHER = {
"/api/admin/user/{id}/wallet"
};
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
{
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception
{
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
/*
* NOTE:
* Using hasRole expects the authority names to start with 'ROLE_' prefix
* Instead, we use hasAuthority as we can use the names as it is
*/
http.csrf().disable()
.authorizeRequests()
.antMatchers(USER_MATCHER).hasAnyAuthority("CLIENT")
.antMatchers(COMMON_MATCHER).hasAnyAuthority("ADMIN","CLIENT")
.antMatchers(ADMIN_MATCHER).hasAnyAuthority("ADMIN")
.antMatchers("/api/users/test").authenticated()
.antMatchers(HttpMethod.GET, "http://localhost:8019/index.html").permitAll()
.antMatchers(HttpMethod.POST, jwtConfig.getUri()).permitAll()
.anyRequest().denyAll()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.addFilterBefore(
new TokenVerificationFilter(authenticationManager(), jwtConfig, jwtTokenUtil),UsernamePasswordAuthenticationFilter.class);
}
/* To allow Pre-flight [OPTIONS] request from browser */
@Override
public void configure(WebSecurity web)
{
web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**");
web.ignoring().antMatchers("/swagger-ui/**",
"/webjars/**",
"/v2/**",
"/swagger-resources/**",
"/swagger-ui.html");
}
@Bean
public BCryptPasswordEncoder passwordEncoder()
{
return new BCryptPasswordEncoder();
};
}
所以你可以看到我添加了这个配置行:
.antMatchers(HttpMethod.POST, jwtConfig.getUri()).permitAll()
但它不起作用,我仍然无法访问此 URL 以及我的index.html
文件中包含的页面。
禁用 Spring Security 它工作正常所以问题一定在 Spring Security 配置中
我在您的配置中看到可能导致此问题的两件事。 首先,您要添加自定义过滤器,如果该过滤器在响应中设置 403,则配置的 rest 将不适用,因此请检查TokenVerificationFilter
中的doFilter
方法。
另一个罪魁祸首可能在您的匹配器中,您在其中不仅包含路径,还包含协议、主机和端口。 将此匹配器限制为仅/index.html
,您应该已设置好。
另外,以您的方式提出另一种解决方案...您的public void configure(WebSecurity web)
方法中已经有一个忽略部分,只需将/index.html
添加到您的忽略列表中,这实际上就是您想要的无论如何:)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.