堆棧內存溢出
  簡體   English   中英

Spring-boot 的安全配置

[英]Security configuration with Spring-boot

 原文  2014-09-02 22:36:59       java/ spring-mvc/ spring-security/ spring-boot

問題描述

我為 Spring-Boot 創建了 Spring 安全配置 class。 我的登錄頁面有資源css、js和ico文件。 出於安全原因,資源被拒絕並每次都重定向到登錄頁面。 為什么 EnableWebMVCSecurity 不添加 Classpath 資源位置。 在第二個片段中更改代碼后,添加了 I Classpath 資源位置。 不明白我在第一個代碼片段中缺少什么資源。


@Configuration

/*
 * Enable Spring Security’s web security support and provide the Spring MVC integration
 * It also extends WebSecurityConfigurerAdapter and overrides a couple of its methods to set some specifics of the web security configuration.
 */
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

/**
 * The configure(HttpSecurity) method defines with URL paths should be 
     * secured and which should not. 
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .authorizeRequests()
            .anyRequest().authenticated();

//      There is a custom "/login" page specified by loginPage(), and everyone 
//      is allowed to view it.      
        http
            .formLogin()
                .loginPage("/login.html")
                .permitAll()
                .and()
            .logout()
                .permitAll().logoutSuccessUrl("/login.html");
    }

    @Configuration
    protected static class AuthenticationConfiguration extends
            GlobalAuthenticationConfigurerAdapter {
        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
//          As for the configure(AuthenticationManagerBuilder) method, it sets up 
//          an in-memory user store with a single user. That user is given a 
//          username of "user", a password of "password", and a role of "USER".
            auth
                    .inMemoryAuthentication()
                    .withUser("user@domain.com").password("password").roles("USER");
        }
   }

我通過將代碼更改為


@Configuration
/*
 * Enable Spring Security’s web security support and provide the Spring MVC integration
 * It also extends WebSecurityConfigurerAdapter and overrides a couple of its methods to set some specifics of the web security configuration.
 */
public class WebSecurityConfig{

    @Bean
    public ApplicationSecurity applicationSecurity() {
        return new ApplicationSecurity();
    }

    @Bean
    public AuthenticationSecurity authenticationSecurity() {
        return new AuthenticationSecurity();
    }

    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
            .authorizeRequests()
                .anyRequest().authenticated();
            http
                .formLogin()
                    .loginPage("/login.html")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll().logoutSuccessUrl("/login.html");

        }
    }

    @Order(Ordered.HIGHEST_PRECEDENCE + 10)
    protected static class AuthenticationSecurity extends
            GlobalAuthenticationConfigurerAdapter {
        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth
            .inMemoryAuthentication()
            .withUser("user@domain.com").password("password").roles("USER");

        }
    }   
}

更改代碼后,我注意到忽略路徑已添加到過濾器中,並且在日志中看到以下內容:

[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: Ant [pattern='/css/**'], []
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: Ant [pattern='/js/**'], []
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: Ant [pattern='/images/**'], []
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: Ant [pattern='/**/favicon.ico'], []
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@4e3e0069, org.springframework.security.web.context.SecurityContextPersistenceFilter@3d2dd0cf, org.springframework.security.web.header.HeaderWriterFilter@33fc3b02, org.springframework.security.web.csrf.CsrfFilter@9b7a3ac, org.springframework.security.web.authentication.logout.LogoutFilter@267237ef, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@129495ef, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@7db0a467, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@764d1dbd, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@25a5268d, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@15c01d0c, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@37818a3b, org.springframework.security.web.session.SessionManagementFilter@3fe57e49, org.springframework.security.web.access.ExceptionTranslationFilter@4278af59, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@424bef91]

3 個解決方案

解決方案1
 10 已采納  2014-09-03 06:13:04

根據您在第一個示例中使用@EnableWebSecurity禁用spring boot autoconf的文檔 ,因此您必須手動顯式忽略所有靜態資源。 在第二個示例中,您只需提供一個WebSecurityConfigurer ,它在默認的autoconfig之上是附加的。

解決方案2
 3  2016-08-02 06:47:11

創建一個擴展配置文件WebSecurityConfigurerAdapter和注釋與類@EnableWebSecurity

您可以覆蓋configure(HttpSecurity http)來添加基本安全性,如下所示 

@Configuration
@EnableWebSecurity
public class AppWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {    
        http
            .csrf().disable()
            .authorizeRequests()
                .anyRequest().permitAll();
        }
}

解決方案3
 0  2019-06-10 05:24:45

通過在安全配置中為css和js傳遞安全性,添加以下方法 - 

 @Override
    public void configure(WebSecurity web) throws Exception {
       web.ignoring().antMatchers("/css/** **","/js/** **");
    }

解決方案4
 0  2022-08-27 11:40:58

// spring 啟動 2.7.0 + 更改為 spring 安全

@Configuration
public class SecurityConfiguration {

    @Bean
    UserDetailsService userDetailsService() {

        return new MyUserDetailsService(); // to be created
    }

    @Bean
    BCryptPasswordEncoder passwordEncoder() {

        return new BCryptPasswordEncoder();
    }

    @Bean
    DaoAuthenticationProvider authenticationProvider() {

        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();

        authProvider.setUserDetailsService(userDetailsService());

        authProvider.setPasswordEncoder(passwordEncoder());

        return authProvider;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

        http.authenticationProvider(authenticationProvider()); 
    
        http.authorizeRequests()...;

        http.authorizeRequests().and().rememberMe().userDetailsService(userDetailsService()); // important
    
        http.authorizeRequests()...;

        return http.build();
    }
    
}

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 春季啟動配置 OpenJPA和Spring-boot配置 Spring-Boot中的LOG配置 使用maven配置進行Spring-boot 帶有 Tapestry 配置的 Spring-boot 彈簧引導彈簧安全angularjs 沒有 Spring Security 的 Spring-Boot 登錄 如何通過Spring-boot 1.3.0.RC1為oauth2提供自定義安全配置 Spring-Boot:在Java代碼配置(不是XML)中指定REALM(安全性約束和角色)和CLIENT-CERT身份驗證? spring-boot依賴項和安全修復程序
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM