![](/img/trans.png)
[英]"status": 403, "error": "Forbidden" "message": "Access Denied" in postman spring boot code
[英]Access Denied (Status 403) error message trying to access index.html file declared in Spring Boot project
我正在使用Spring Security
開發一個Spring Boot
項目,我在嘗試允許訪問在我的項目中聲明的測試index.html
頁面時遇到以下問題。
基本上我有以下情況。 在我的項目中,我有這個文件夾: src/main/resources/static
文件夾,其中包含index.html
文件。
Spring Boot
Tomcat
服務器運行在8019
端口,實際上這是啟動日志:
[2m2022-02-17 17:04:06.882[0;39m [32m INFO[0;39m [35m16062[0;39m [2m---[0;39m [2m[ restartedMain][0;39m [36mo.s.b.w.embedded.tomcat.TomcatWebServer [0;39m [2m:[0;39m Tomcat started on port(s): 8019 (http) with context path ''
所以我嘗試在我的瀏覽器中運行這個index.html
文件打開這個 URL: http://localhost:8019/index.html
但我收到此錯誤消息:
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Thu Feb 17 17:03:54 CET 2022
There was an unexpected error (type=Forbidden, status=403).
Access Denied
我還嘗試在我的Spring Security
配置 class 中添加一個permitAll()
規則,這個:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
@Qualifier("customUserDetailsService")
private UserDetailsService userDetailsService;
@Autowired
private JwtConfig jwtConfig;
@Autowired
private JwtTokenUtil jwtTokenUtil;
//private static final String[] USER_MATCHER = { "/api/utenti/cerca/**"};
//private static final String[] ADMIN_MATCHER = { "/api/utenti/inserisci/**", "/api/utenti/elimina/**" };
private static final String[] USER_MATCHER = { "/api/users/email/**"};
private static final String[] ADMIN_MATCHER = {
"/api/users/email/**",
"/api/admin/**"
};
private static final String[] COMMON_MATCHER = {
"/api/admin/user/{id}/wallet"
};
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
{
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception
{
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
/*
* NOTE:
* Using hasRole expects the authority names to start with 'ROLE_' prefix
* Instead, we use hasAuthority as we can use the names as it is
*/
http.csrf().disable()
.authorizeRequests()
.antMatchers(USER_MATCHER).hasAnyAuthority("CLIENT")
.antMatchers(COMMON_MATCHER).hasAnyAuthority("ADMIN","CLIENT")
.antMatchers(ADMIN_MATCHER).hasAnyAuthority("ADMIN")
.antMatchers("/api/users/test").authenticated()
.antMatchers(HttpMethod.GET, "http://localhost:8019/index.html").permitAll()
.antMatchers(HttpMethod.POST, jwtConfig.getUri()).permitAll()
.anyRequest().denyAll()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.addFilterBefore(
new TokenVerificationFilter(authenticationManager(), jwtConfig, jwtTokenUtil),UsernamePasswordAuthenticationFilter.class);
}
/* To allow Pre-flight [OPTIONS] request from browser */
@Override
public void configure(WebSecurity web)
{
web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**");
web.ignoring().antMatchers("/swagger-ui/**",
"/webjars/**",
"/v2/**",
"/swagger-resources/**",
"/swagger-ui.html");
}
@Bean
public BCryptPasswordEncoder passwordEncoder()
{
return new BCryptPasswordEncoder();
};
}
所以你可以看到我添加了這個配置行:
.antMatchers(HttpMethod.POST, jwtConfig.getUri()).permitAll()
但它不起作用,我仍然無法訪問此 URL 以及我的index.html
文件中包含的頁面。
禁用 Spring Security 它工作正常所以問題一定在 Spring Security 配置中
我在您的配置中看到可能導致此問題的兩件事。 首先,您要添加自定義過濾器,如果該過濾器在響應中設置 403,則配置的 rest 將不適用,因此請檢查TokenVerificationFilter
中的doFilter
方法。
另一個罪魁禍首可能在您的匹配器中,您在其中不僅包含路徑,還包含協議、主機和端口。 將此匹配器限制為僅/index.html
,您應該已設置好。
另外,以您的方式提出另一種解決方案...您的public void configure(WebSecurity web)
方法中已經有一個忽略部分,只需將/index.html
添加到您的忽略列表中,這實際上就是您想要的無論如何:)
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.