Spring 引導 2 和安全性與 JWT 無法提供 static 內容 ZD18B8624A0F5F721DADD7B823

Question

I am building spring boot application with spring security and JWT authentication token, it was running fine only when i serve rest apis only, but now i want to host angular files also, so i added angular build in spring boot's executable war at /WEB- INF/classes/static/，現在我想托管 static 目錄中的所有文件應該可以從 / 我嘗試了很多東西，下面是我的代碼

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(
    securedEnabled = true,
    jsr250Enabled = true,
    prePostEnabled = true
)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired
CustomUserDetailsService customUserDetailsService;

@Autowired
private JwtAuthenticationEntryPoint unauthorizedHandler;

@Bean
public JwtAuthenticationFilter jwtAuthenticationFilter() {
    return new JwtAuthenticationFilter();
}

@Override
public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
    authenticationManagerBuilder
            .userDetailsService(customUserDetailsService)
            .passwordEncoder(passwordEncoder());
}

@Bean(BeanIds.AUTHENTICATION_MANAGER)
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

//    @Override
//    public void configure(WebSecurity web) throws Exception {
//                web.ignoring().requestMatchers().antMatchers("/static/**").antMatchers("/api/auth/**");
//    }

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
//                .cors()
//                    .and()
//                .csrf()
//                    .disable()
//                .exceptionHandling()
//                    .authenticationEntryPoint(unauthorizedHandler)
//                    .and()
//                .sessionManagement()
//                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
//                    .and()
//                .requestMatchers().antMatchers("/static/**").and()
            .authorizeRequests()
                .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                .antMatchers("/api/auth/**")
                    .permitAll()
                .antMatchers("/api/user/checkUsernameAvailability", "/api/user/checkEmailAvailability")
                    .permitAll()
                .antMatchers("/api/test/**")
                    .permitAll()
                .antMatchers("/", "/static/**")
                    .permitAll()
                .anyRequest()
                    .authenticated();

    // Add our custom JWT security filter
    http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);

}

WebMvcConfig 是

@Configuration
public class WebMvcConfig implements WebMvcConfigurer {

private final long MAX_AGE_SECS = 3600;

@Override
public void addCorsMappings(CorsRegistry registry) {
    registry.addMapping("/**")
            .allowedOrigins("*")
            .allowedMethods("HEAD", "OPTIONS", "GET", "POST", "PUT", "PATCH", "DELETE")
            .maxAge(MAX_AGE_SECS);
}

@Override
public void configurePathMatch(PathMatchConfigurer configurer) {
    // TODO Auto-generated method stub
    
}

@Override
public void configureContentNegotiation(ContentNegotiationConfigurer configurer) {
    // TODO Auto-generated method stub
    
}

@Override
public void configureAsyncSupport(AsyncSupportConfigurer configurer) {
    // TODO Auto-generated method stub
    
}

@Override
public void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer) {
    // TODO Auto-generated method stub
    
}

@Override
public void addFormatters(FormatterRegistry registry) {
    // TODO Auto-generated method stub
    
}

@Override
public void addInterceptors(InterceptorRegistry registry) {
    // TODO Auto-generated method stub
    
}

@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
//      registry.addResourceHandler("/static/**").addResourceLocations("classpath:/static");
}

@Override
public void addViewControllers(ViewControllerRegistry registry) {
    // TODO Auto-generated method stub
    
}

@Override
public void configureViewResolvers(ViewResolverRegistry registry) {
    // TODO Auto-generated method stub
    
}

@Override
public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentResolvers) {
    // TODO Auto-generated method stub
    
}

@Override
public void addReturnValueHandlers(List<HandlerMethodReturnValueHandler> returnValueHandlers) {
    // TODO Auto-generated method stub
    
}

@Override
public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
    // TODO Auto-generated method stub
    
}

@Override
public void extendMessageConverters(List<HttpMessageConverter<?>> converters) {
    // TODO Auto-generated method stub
    
}

@Override
public void configureHandlerExceptionResolvers(List<HandlerExceptionResolver> exceptionResolvers) {
    // TODO Auto-generated method stub
    
}

@Override
public void extendHandlerExceptionResolvers(List<HandlerExceptionResolver> exceptionResolvers) {
    // TODO Auto-generated method stub
    
}

@Override
public Validator getValidator() {
    // TODO Auto-generated method stub
    return null;
}

@Override
public MessageCodesResolver getMessageCodesResolver() {
    // TODO Auto-generated method stub
    return null;
}


}

JwtAuthenticationFilter

public class JwtAuthenticationFilter extends OncePerRequestFilter {

@Autowired
private JwtTokenProvider tokenProvider;

@Autowired
private CustomUserDetailsService customUserDetailsService;

private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationFilter.class);

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
        throws ServletException, IOException {
    try {
        String jwt = getJwtFromRequest(request);

        if (StringUtils.hasText(jwt) && tokenProvider.validateToken(jwt)) {
            String userId = tokenProvider.getUserIdFromJWT(jwt);

            /*
                Note that you could also encode the user's username and roles inside JWT claims
                and create the UserDetails object by parsing those claims from the JWT.
                That would avoid the following database hit. It's completely up to you.
             */
            UserDetails userDetails = customUserDetailsService.loadUserById(userId);
            UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
                    userDetails, null, userDetails.getAuthorities());
            authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));

            SecurityContextHolder.getContext().setAuthentication(authentication);
        }
    } catch (Exception ex) {
        logger.error("Could not set user authentication in security context", ex);
    }

    filterChain.doFilter(request, response);
}

private String getJwtFromRequest(HttpServletRequest request) {
    String bearerToken = request.getHeader("Authorization");
    if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")) {
        return bearerToken.substring(7, bearerToken.length());
    }
    return null;
}
}

Answer 1

您可能需要更多上下文，但這是一種可能的解決方案。

我認為可能發生的事情是 Spring 正在從 static 文件夾 /static 正如您告訴我們的那樣提供您的內容（它甚至是默認的 spring 引導文件夾）。

但是 spring 不知道它需要將請求從例如： localhost:8080/重定向到localhost:8080/index.html 。

注意：如果沒有進一步的細節，很難理解可能發生的事情:)