[英]Spring boot - return 403 Forbidden instead of redirect to login page
[英]Spring Boot returns login page instead of styles
我有一個Spring Boot應用程序,由於某種原因,從客戶端到css
文件的每個請求都會收到登錄頁面的HTML作為響應。 無錯誤,無重定向,狀態為200,HTML為響應正文。 可能是什么原因呢?
登錄頁面:
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:th="http://www.w3.org/1999/xhtml">
<head>
<meta charset="UTF-8">
<title>Sign in</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"
integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css"
integrity="sha384-rHyoN1iRsVXV4nD0JutlnGaslCJuC7uwjduW9SVrLvRYooPp2bWYgmgJQIXwl/Sp" crossorigin="anonymous">
<link th:href="@{/css/login.css}" rel="stylesheet" media="screen"/>
</head>
<body>
<div class="input-group outlet">
<p>Sign in</p>
<form th:action="@{/login}" method="post">
<div><input name="username"/></div>
<div><input name="password" type="password"/></div>
<div>
<button type="submit">Login</button>
</div>
<div th:if="${loginError}"><p>Invalid username or password</p></div>
</form>
</div>
</body>
</html>
安全配置:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private PasswordEncoder passwordEncoder;
//TODO: fix this
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/resources/**", "/css/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/welcome")
.failureUrl("/login-error")
.permitAll();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.passwordEncoder(passwordEncoder)
.withUser("user").password("password").roles("USER");
}
@Bean
PasswordEncoder passwordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
}
登錄控制器:
@Controller("login")
public class LoginController {
@GetMapping
public String login() {
return "login";
}
@PostMapping
public String postLogin() {
// TODO
return "/welcome";
}
@GetMapping("/login-error")
public String loginError(Model model) {
model.addAttribute("loginError", true);
return "login";
}
}
響應頭:
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Language:en-US
Content-Type:text/css;charset=UTF-8
Date:Thu, 23 Nov 2017 17:17:59 GMT
Expires:0
Pragma:no-cache
Transfer-Encoding:chunked
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
UPD:需要注意的重要一點是,如果我不明確地在/ css / **上使用allowAll(),那么我會得到302並重定向到登錄頁面。 如果這樣做,則響應正文中將顯示200和登錄頁面的內容,而不是CSS文件的實際內容
UPD 2:在請求到登錄頁面期間從spring security調試日志,該日志應具有以下樣式:
2017-11-24 17:43:33.926 DEBUG 4088 --- [io-1488-exec-10] o.s.security.web.FilterChainProxy : /login at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-11-24 17:43:33.927 DEBUG 4088 --- [io-1488-exec-10] o.s.security.web.FilterChainProxy : /login at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-11-24 17:43:33.938 DEBUG 4088 --- [io-1488-exec-10] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2017-11-24 17:43:33.938 DEBUG 4088 --- [io-1488-exec-10] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2017-11-24 17:43:33.941 DEBUG 4088 --- [io-1488-exec-10] o.s.security.web.FilterChainProxy : /login at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-11-24 17:43:33.942 DEBUG 4088 --- [io-1488-exec-10] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@f14213c
2017-11-24 17:43:33.942 DEBUG 4088 --- [io-1488-exec-10] o.s.security.web.FilterChainProxy : /login at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2017-11-24 17:43:33.943 DEBUG 4088 --- [io-1488-exec-10] o.s.security.web.FilterChainProxy : /login at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2017-11-24 17:43:33.944 DEBUG 4088 --- [io-1488-exec-10] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /login' doesn't match 'POST /logout
2017-11-24 17:43:33.944 DEBUG 4088 --- [io-1488-exec-10] o.s.security.web.FilterChainProxy : /login at position 6 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2017-11-24 17:43:33.944 DEBUG 4088 --- [io-1488-exec-10] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /login' doesn't match 'POST /login
2017-11-24 17:43:33.944 DEBUG 4088 --- [io-1488-exec-10] o.s.security.web.FilterChainProxy : /login at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2017-11-24 17:43:33.944 DEBUG 4088 --- [io-1488-exec-10] o.s.security.web.FilterChainProxy : /login at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2017-11-24 17:43:33.946 DEBUG 4088 --- [io-1488-exec-10] o.s.security.web.FilterChainProxy : /login at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2017-11-24 17:43:33.947 DEBUG 4088 --- [io-1488-exec-10] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2017-11-24 17:43:33.947 DEBUG 4088 --- [io-1488-exec-10] o.s.security.web.FilterChainProxy : /login at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2017-11-24 17:43:33.947 DEBUG 4088 --- [io-1488-exec-10] o.s.s.w.session.SessionManagementFilter : Requested session ID 3A4BF8C25F0B7B63F9906222B94C800A is invalid.
2017-11-24 17:43:33.948 DEBUG 4088 --- [io-1488-exec-10] o.s.security.web.FilterChainProxy : /login at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2017-11-24 17:43:33.948 DEBUG 4088 --- [io-1488-exec-10] o.s.security.web.FilterChainProxy : /login at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2017-11-24 17:43:33.950 DEBUG 4088 --- [io-1488-exec-10] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /login; Attributes: [permitAll]
2017-11-24 17:43:33.955 DEBUG 4088 --- [io-1488-exec-10] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2017-11-24 17:43:33.963 DEBUG 4088 --- [io-1488-exec-10] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@7f46f895, returned: 1
2017-11-24 17:43:33.963 DEBUG 4088 --- [io-1488-exec-10] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2017-11-24 17:43:33.963 DEBUG 4088 --- [io-1488-exec-10] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2017-11-24 17:43:33.963 DEBUG 4088 --- [io-1488-exec-10] o.s.security.web.FilterChainProxy : /login reached end of additional filter chain; proceeding with original chain
2017-11-24 17:43:34.826 DEBUG 4088 --- [io-1488-exec-10] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2017-11-24 17:43:34.862 DEBUG 4088 --- [io-1488-exec-10] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2017-11-24 17:43:34.862 DEBUG 4088 --- [io-1488-exec-10] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2017-11-24 17:43:35.015 DEBUG 4088 --- [nio-1488-exec-9] o.s.security.web.FilterChainProxy : /css/login.css at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-11-24 17:43:35.015 DEBUG 4088 --- [nio-1488-exec-9] o.s.security.web.FilterChainProxy : /css/login.css at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-11-24 17:43:35.015 DEBUG 4088 --- [nio-1488-exec-9] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2017-11-24 17:43:35.016 DEBUG 4088 --- [nio-1488-exec-9] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@7582e3b6. A new one will be created.
2017-11-24 17:43:35.016 DEBUG 4088 --- [nio-1488-exec-9] o.s.security.web.FilterChainProxy : /css/login.css at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-11-24 17:43:35.016 DEBUG 4088 --- [nio-1488-exec-9] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@f14213c
2017-11-24 17:43:35.016 DEBUG 4088 --- [nio-1488-exec-9] o.s.security.web.FilterChainProxy : /css/login.css at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2017-11-24 17:43:35.016 DEBUG 4088 --- [nio-1488-exec-9] o.s.security.web.FilterChainProxy : /css/login.css at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2017-11-24 17:43:35.016 DEBUG 4088 --- [nio-1488-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /css/login.css' doesn't match 'POST /logout
2017-11-24 17:43:35.016 DEBUG 4088 --- [nio-1488-exec-9] o.s.security.web.FilterChainProxy : /css/login.css at position 6 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2017-11-24 17:43:35.017 DEBUG 4088 --- [nio-1488-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /css/login.css' doesn't match 'POST /login
2017-11-24 17:43:35.017 DEBUG 4088 --- [nio-1488-exec-9] o.s.security.web.FilterChainProxy : /css/login.css at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2017-11-24 17:43:35.017 DEBUG 4088 --- [nio-1488-exec-9] o.s.security.web.FilterChainProxy : /css/login.css at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2017-11-24 17:43:35.017 DEBUG 4088 --- [nio-1488-exec-9] o.s.security.web.FilterChainProxy : /css/login.css at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2017-11-24 17:43:35.017 DEBUG 4088 --- [nio-1488-exec-9] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: EACE11EC21F40FE5BD10CC56F71C0DD3; Granted Authorities: ROLE_ANONYMOUS'
2017-11-24 17:43:35.017 DEBUG 4088 --- [nio-1488-exec-9] o.s.security.web.FilterChainProxy : /css/login.css at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2017-11-24 17:43:35.017 DEBUG 4088 --- [nio-1488-exec-9] o.s.security.web.FilterChainProxy : /css/login.css at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2017-11-24 17:43:35.017 DEBUG 4088 --- [nio-1488-exec-9] o.s.security.web.FilterChainProxy : /css/login.css at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2017-11-24 17:43:35.017 DEBUG 4088 --- [nio-1488-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/css/login.css'; against '/css/**'
2017-11-24 17:43:35.019 DEBUG 4088 --- [nio-1488-exec-9] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /css/login.css; Attributes: [permitAll]
2017-11-24 17:43:35.019 DEBUG 4088 --- [nio-1488-exec-9] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8940c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: EACE11EC21F40FE5BD10CC56F71C0DD3; Granted Authorities: ROLE_ANONYMOUS
2017-11-24 17:43:35.021 DEBUG 4088 --- [nio-1488-exec-9] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@7f46f895, returned: 1
2017-11-24 17:43:35.021 DEBUG 4088 --- [nio-1488-exec-9] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2017-11-24 17:43:35.021 DEBUG 4088 --- [nio-1488-exec-9] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2017-11-24 17:43:35.021 DEBUG 4088 --- [nio-1488-exec-9] o.s.security.web.FilterChainProxy : /css/login.css reached end of additional filter chain; proceeding with original chain
2017-11-24 17:43:35.031 DEBUG 4088 --- [nio-1488-exec-9] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2017-11-24 17:43:35.033 DEBUG 4088 --- [nio-1488-exec-9] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2017-11-24 17:43:35.033 DEBUG 4088 --- [nio-1488-exec-9] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
UPD 3: MVC的調試日志似乎很login.css
,為什么它將映射login.css
的請求login.css
到我的登錄控制器?
2017-11-24 19:05:13.967 DEBUG 27408 --- [nio-1488-exec-9] o.s.web.servlet.DispatcherServlet : DispatcherServlet with name 'dispatcherServlet' processing GET request for [/css/login.css]
2017-11-24 19:05:13.967 DEBUG 27408 --- [nio-1488-exec-9] s.w.s.m.m.a.RequestMappingHandlerMapping : Looking up handler method for path /css/login.css
2017-11-24 19:05:13.968 DEBUG 27408 --- [nio-1488-exec-9] s.w.s.m.m.a.RequestMappingHandlerMapping : Returning handler method [public java.lang.String zhi.yest.furniture.controller.LoginController.login()]
2017-11-24 19:05:13.968 DEBUG 27408 --- [nio-1488-exec-9] o.s.web.servlet.DispatcherServlet : Last-Modified value for [/css/login.css] is: -1
2017-11-24 19:05:13.969 DEBUG 27408 --- [nio-1488-exec-9] o.s.w.s.v.ContentNegotiatingViewResolver : Requested media types are [text/css] based on Accept header types and producible media types [*/*])
2017-11-24 19:05:13.969 DEBUG 27408 --- [nio-1488-exec-9] o.s.w.servlet.view.BeanNameViewResolver : Found matching bean for view name 'login' - to be ignored since it does not implement View
2017-11-24 19:05:13.969 DEBUG 27408 --- [nio-1488-exec-9] o.s.w.servlet.view.BeanNameViewResolver : No matching bean found for view name 'login.css'
2017-11-24 19:05:13.970 DEBUG 27408 --- [nio-1488-exec-9] o.s.w.s.v.ContentNegotiatingViewResolver : No acceptable view found; returning null
2017-11-24 19:05:13.970 DEBUG 27408 --- [nio-1488-exec-9] o.s.w.servlet.view.BeanNameViewResolver : Found matching bean for view name 'login' - to be ignored since it does not implement View
2017-11-24 19:05:13.970 DEBUG 27408 --- [nio-1488-exec-9] o.s.web.servlet.DispatcherServlet : Rendering view [org.thymeleaf.spring4.view.ThymeleafView@6cb35f4f] in DispatcherServlet with name 'dispatcherServlet'
2017-11-24 19:05:13.979 DEBUG 27408 --- [nio-1488-exec-9] o.s.web.servlet.DispatcherServlet : Successfully completed request
首先嘗試設置調試模式日志記錄的屬性並進行驗證,但是我很確定這是因為您正試圖以匿名用戶身份獲取資源,請嘗試用.anonymous()替換.permitAll()
嘗試在SecurityConfig中重寫configure(WebSecurity web)
方法。
另外,您可以嘗試在configure(HttpSecurity http)
更改靜態文件夾的路徑(這樣您便可以使用@{/css/main.css}
從百里香模板中訪問它們):
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private PasswordEncoder passwordEncoder;
// fix this
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/resources/static/**", "/resources/templates/**");
}
// fix this
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/", "/css/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/welcome")
.failureUrl("/login-error")
.permitAll();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.passwordEncoder(passwordEncoder)
.withUser("user").password("password").roles("USER");
}
@Bean
PasswordEncoder passwordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.