[英]Thymeleaf security doesn't work properly (Spring Boot)
一些 Thymeleaf 安全措施有效,有些則無效。
如果我的 html 文件中有這個:
<security:authorize access="hasAnyRole('BREEDER')">Tenyésztő</security:authorize>
<div sec:authorize="hasRole('ROLE_USER')">Text visible to user.</div>
<div sec:authorize="hasRole('ROLE_BREEDER')">Text visible to breeders.</div>
<div sec:authorize="hasRole('BREEDER')">Text visible to breeders2.</div>
<div sec:authorize="isAuthenticated()">Text visible only to
authenticated users.</div>
Authenticated username: <div sec:authentication="name"></div>
Authenticated user roles: <div sec:authentication="principal.authorities"></div>
<div class="row" th:if="${#request.isUserInRole('ROLE_BREEDER')}">
<h2>This will only be displayed if authenticated user has role
ROLE_BREEDER.</h2>
</div>
<div class="row" sec:authorize="hasRole('ROLE_USER')">
<div class="col-md-10 col-md-offset-2">
<h2>User Has Role User</h2>
</div>
</div>
<div class="row" sec:authorize="hasAuthority('USER')">
<div class="col-md-10 col-md-offset-2">
<h2>User Has Authority User</h2>
</div>
</div>
結果是:
Tenyésztő
(-> 它不起作用,因為每個人都可以一直看到它)
Text visible only to authenticated users.
(-> 它按預期工作)
Authenticated username: xxxxxxxxx@gmail.com
(-> 有效)
Authenticated user roles: [BREEDER, USER]
(-> 正確)
如您所見,其餘的內容根本沒有顯示出來。
html 標簽如下所示:
<html lang="hu" layout:decorator="layouts/newslayout"
xmlns="http://www.w3.org/1999/xhtml"
xmlns:th="http://www.thymeleaf.org"
xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
我的 pom.xml 有這個依賴:
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
我的 SecurityConfig 看起來像這樣:
package hu.gamf.sz.config;
import java.util.concurrent.TimeUnit;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
/**
 * Web security configuration for the application.
 *
 * <p>Registers the application's {@link UserDetailsService} with the authentication manager
 * (using a {@link BCryptPasswordEncoder}), and sets up URL authorization, form login at
 * {@code /login}, a 30-day remember-me cookie and logout.
 *
 * <p>NOTE(review): the {@link AuthenticationManagerBuilder} is configured from three separate
 * methods in this class ({@code configureAuth}, the {@code configure} override and
 * {@code configurationAuth}), and they register different things: the user service without a
 * password encoder, the user service with bcrypt, and two in-memory accounts. Which of these
 * is actually in effect depends on how Spring invokes the {@code @Autowired} methods versus
 * the override — confirm; keeping a single {@code configure(AuthenticationManagerBuilder)}
 * override removes the ambiguity.
 */
@EnableGlobalMethodSecurity(securedEnabled=true) // enables @Secured on annotated methods
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // Encoder used to verify the stored password hashes; provided as a bean from elsewhere.
    private final BCryptPasswordEncoder bCryptPasswordEncoder;

    /**
     * Creates the configuration.
     *
     * @param bCryptPasswordEncoder encoder applied to the passwords held by the user service
     */
    @Autowired
    public SecurityConfig(BCryptPasswordEncoder bCryptPasswordEncoder) {
        this.bCryptPasswordEncoder = bCryptPasswordEncoder;
    }

    /**
     * Exposes the adapter's default {@link UserDetailsService} as a bean.
     *
     * <p>NOTE(review): the adapter's own user details service is derived from the same builder
     * that {@code userService} is registered into below; exposing it as a bean while also
     * autowiring a {@code UserDetailsService} into this class looks circular — verify which
     * bean {@code userService} actually resolves to.
     *
     * @return the user details service supplied by {@link WebSecurityConfigurerAdapter}
     */
    @Bean
    public UserDetailsService userDetailsService() {
        return super.userDetailsService();
    }

    // Application user lookup (presumably backed by the registration/activation flow — confirm).
    @Autowired
    private UserDetailsService userService;

    /**
     * Registers the user service on the global authentication builder.
     *
     * <p>No password encoder is set here, unlike {@link #configure(AuthenticationManagerBuilder)};
     * if this registration is the one in effect, bcrypt-hashed passwords will not verify.
     *
     * @param auth the global authentication builder injected by Spring
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configureAuth(AuthenticationManagerBuilder auth) throws Exception{
        auth.userDetailsService(userService);
    }

    /**
     * Registers the user service together with the bcrypt password encoder.
     *
     * <p>The authorities returned by {@code userService} must carry the {@code ROLE_} prefix for
     * {@code hasRole(...)}, {@code hasAnyRole(...)} and {@code #request.isUserInRole(...)} to
     * match: {@code hasRole('BREEDER')} looks for an authority named {@code ROLE_BREEDER},
     * whereas {@code hasAuthority(...)} compares the name exactly as given. The authorities the
     * template prints for the logged-in user ({@code [BREEDER, USER]}) carry no such prefix,
     * which is consistent with the role-based checks not rendering.
     *
     * @param auth the authentication builder local to this adapter
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService).passwordEncoder(bCryptPasswordEncoder);
    }

    /**
     * Adds two in-memory accounts: {@code user} with role {@code USER} and {@code admin} with
     * role {@code ADMIN}.
     *
     * <p>The {@code {noop}} prefix stores the passwords in plain text and both credentials are
     * hardcoded in source, so this is development-only material that should not ship.
     * {@code roles(...)} adds the {@code ROLE_} prefix itself, so these accounts do satisfy
     * {@code hasRole('USER')} / {@code hasRole('ADMIN')}.
     *
     * @param auth the global authentication builder injected by Spring
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configurationAuth(AuthenticationManagerBuilder auth) throws Exception{
        auth
            .inMemoryAuthentication()
            .withUser("user")
            .password("{noop}user")
            .roles("USER")
            .and()
            .withUser("admin")
            .password("{noop}admin")
            .roles("ADMIN");
    }

    /**
     * URL authorization, form login, remember-me and logout rules.
     *
     * <p>Matchers are evaluated in order: {@code /admin/**} requires {@code ADMIN}, the listed
     * static-resource and account-management paths are public, and every other request must be
     * authenticated.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/admin/**").hasRole("ADMIN") // matched as authority ROLE_ADMIN
            //.antMatchers(HttpMethod.GET,"/").permitAll()
            .antMatchers("/css/**").permitAll()
            .antMatchers("/login").permitAll()
            .antMatchers("/registration").permitAll()
            .antMatchers("/activation/**").permitAll()
            .antMatchers("/reg").permitAll()
            .antMatchers("/layouts/**").permitAll()
            .antMatchers("/images/**").permitAll()
            .antMatchers("/forgot").permitAll()
            .antMatchers("/reset").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .loginPage("/login") // custom login page, reachable without authentication
            .permitAll()
            .and()
            .rememberMe()
            .tokenValiditySeconds((int) TimeUnit.DAYS.toSeconds(30)) // cookie lifetime: 30 days
            // Secret used to sign the remember-me cookie. It is hardcoded in source (and has
            // now been posted publicly), so it should be moved to external configuration and
            // rotated; anyone holding it can forge remember-me cookies.
            .key("CrX3bXKSQzZ6aJCR")
            .and()
            .logout()
            .logoutSuccessUrl("/login?logout")
            .permitAll();
    }
}
所以基本上,只要與角色無關的部分都有效;而只要是基於角色的,就要么對所有人顯示,要么根本不顯示。
我希望我包含了所有相關的細節,如果沒有,請告訴我,我會編輯這篇文章。
一些 Thymeleaf 安全措施有效,有些則無效。
如果我的 html 文件中有這個:
<security:authorize access="hasAnyRole('BREEDER')">Tenyésztő</security:authorize>
<div sec:authorize="hasRole('ROLE_USER')">Text visible to user.</div>
<div sec:authorize="hasRole('ROLE_BREEDER')">Text visible to breeders.</div>
<div sec:authorize="hasRole('BREEDER')">Text visible to breeders2.</div>
<div sec:authorize="isAuthenticated()">Text visible only to
authenticated users.</div>
Authenticated username: <div sec:authentication="name"></div>
Authenticated user roles: <div sec:authentication="principal.authorities"></div>
<div class="row" th:if="${#request.isUserInRole('ROLE_BREEDER')}">
<h2>This will only be displayed if authenticated user has role
ROLE_BREEDER.</h2>
</div>
<div class="row" sec:authorize="hasRole('ROLE_USER')">
<div class="col-md-10 col-md-offset-2">
<h2>User Has Role User</h2>
</div>
</div>
<div class="row" sec:authorize="hasAuthority('USER')">
<div class="col-md-10 col-md-offset-2">
<h2>User Has Authority User</h2>
</div>
</div>
結果是:
Tenyésztő
(-> 它不起作用,因為每個人都可以一直看到它)
Text visible only to authenticated users.
(-> 它按預期工作)
Authenticated username: xxxxxxxxx@gmail.com
(-> 有效)
Authenticated user roles: [BREEDER, USER]
(-> 正確)
如您所見,其餘的內容根本沒有顯示出來。
html 標簽如下所示:
<html lang="hu" layout:decorator="layouts/newslayout"
xmlns="http://www.w3.org/1999/xhtml"
xmlns:th="http://www.thymeleaf.org"
xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
我的 pom.xml 有這個依賴:
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
我的 SecurityConfig 看起來像這樣:
package hu.gamf.sz.config;
import java.util.concurrent.TimeUnit;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
/**
 * Web security configuration for the application.
 *
 * <p>Registers the application's {@link UserDetailsService} with the authentication manager
 * (using a {@link BCryptPasswordEncoder}), and sets up URL authorization, form login at
 * {@code /login}, a 30-day remember-me cookie and logout.
 *
 * <p>NOTE(review): the {@link AuthenticationManagerBuilder} is configured from three separate
 * methods in this class ({@code configureAuth}, the {@code configure} override and
 * {@code configurationAuth}), and they register different things: the user service without a
 * password encoder, the user service with bcrypt, and two in-memory accounts. Which of these
 * is actually in effect depends on how Spring invokes the {@code @Autowired} methods versus
 * the override — confirm; keeping a single {@code configure(AuthenticationManagerBuilder)}
 * override removes the ambiguity.
 */
@EnableGlobalMethodSecurity(securedEnabled=true) // enables @Secured on annotated methods
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // Encoder used to verify the stored password hashes; provided as a bean from elsewhere.
    private final BCryptPasswordEncoder bCryptPasswordEncoder;

    /**
     * Creates the configuration.
     *
     * @param bCryptPasswordEncoder encoder applied to the passwords held by the user service
     */
    @Autowired
    public SecurityConfig(BCryptPasswordEncoder bCryptPasswordEncoder) {
        this.bCryptPasswordEncoder = bCryptPasswordEncoder;
    }

    /**
     * Exposes the adapter's default {@link UserDetailsService} as a bean.
     *
     * <p>NOTE(review): the adapter's own user details service is derived from the same builder
     * that {@code userService} is registered into below; exposing it as a bean while also
     * autowiring a {@code UserDetailsService} into this class looks circular — verify which
     * bean {@code userService} actually resolves to.
     *
     * @return the user details service supplied by {@link WebSecurityConfigurerAdapter}
     */
    @Bean
    public UserDetailsService userDetailsService() {
        return super.userDetailsService();
    }

    // Application user lookup (presumably backed by the registration/activation flow — confirm).
    @Autowired
    private UserDetailsService userService;

    /**
     * Registers the user service on the global authentication builder.
     *
     * <p>No password encoder is set here, unlike {@link #configure(AuthenticationManagerBuilder)};
     * if this registration is the one in effect, bcrypt-hashed passwords will not verify.
     *
     * @param auth the global authentication builder injected by Spring
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configureAuth(AuthenticationManagerBuilder auth) throws Exception{
        auth.userDetailsService(userService);
    }

    /**
     * Registers the user service together with the bcrypt password encoder.
     *
     * <p>The authorities returned by {@code userService} must carry the {@code ROLE_} prefix for
     * {@code hasRole(...)}, {@code hasAnyRole(...)} and {@code #request.isUserInRole(...)} to
     * match: {@code hasRole('BREEDER')} looks for an authority named {@code ROLE_BREEDER},
     * whereas {@code hasAuthority(...)} compares the name exactly as given. The authorities the
     * template prints for the logged-in user ({@code [BREEDER, USER]}) carry no such prefix,
     * which is consistent with the role-based checks not rendering.
     *
     * @param auth the authentication builder local to this adapter
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService).passwordEncoder(bCryptPasswordEncoder);
    }

    /**
     * Adds two in-memory accounts: {@code user} with role {@code USER} and {@code admin} with
     * role {@code ADMIN}.
     *
     * <p>The {@code {noop}} prefix stores the passwords in plain text and both credentials are
     * hardcoded in source, so this is development-only material that should not ship.
     * {@code roles(...)} adds the {@code ROLE_} prefix itself, so these accounts do satisfy
     * {@code hasRole('USER')} / {@code hasRole('ADMIN')}.
     *
     * @param auth the global authentication builder injected by Spring
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configurationAuth(AuthenticationManagerBuilder auth) throws Exception{
        auth
            .inMemoryAuthentication()
            .withUser("user")
            .password("{noop}user")
            .roles("USER")
            .and()
            .withUser("admin")
            .password("{noop}admin")
            .roles("ADMIN");
    }

    /**
     * URL authorization, form login, remember-me and logout rules.
     *
     * <p>Matchers are evaluated in order: {@code /admin/**} requires {@code ADMIN}, the listed
     * static-resource and account-management paths are public, and every other request must be
     * authenticated.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/admin/**").hasRole("ADMIN") // matched as authority ROLE_ADMIN
            //.antMatchers(HttpMethod.GET,"/").permitAll()
            .antMatchers("/css/**").permitAll()
            .antMatchers("/login").permitAll()
            .antMatchers("/registration").permitAll()
            .antMatchers("/activation/**").permitAll()
            .antMatchers("/reg").permitAll()
            .antMatchers("/layouts/**").permitAll()
            .antMatchers("/images/**").permitAll()
            .antMatchers("/forgot").permitAll()
            .antMatchers("/reset").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .loginPage("/login") // custom login page, reachable without authentication
            .permitAll()
            .and()
            .rememberMe()
            .tokenValiditySeconds((int) TimeUnit.DAYS.toSeconds(30)) // cookie lifetime: 30 days
            // Secret used to sign the remember-me cookie. It is hardcoded in source (and has
            // now been posted publicly), so it should be moved to external configuration and
            // rotated; anyone holding it can forge remember-me cookies.
            .key("CrX3bXKSQzZ6aJCR")
            .and()
            .logout()
            .logoutSuccessUrl("/login?logout")
            .permitAll();
    }
}
所以基本上,只要與角色無關的部分都有效;而只要是基於角色的,就要么對所有人顯示,要么根本不顯示。
我希望我包含了所有相關的細節,如果沒有,請告訴我,我會編輯這篇文章。