Spring-Boot和Spring-Security配置

Question

我试图在Spring-Boot项目中使用Spring Security.

我的项目结构是:

/project
 -/src/main
 -- /java
 -- / resources
 --- /static
  ---- /css
  ---- /fonts
  ---- /libs
 --- /templates
  ---- /all html files

这是我的gradle设置:

apply plugin: 'java'
apply plugin: 'groovy'
apply plugin: 'idea'
apply plugin: 'spring-boot'
apply plugin: 'jacoco'
apply plugin: 'war'
apply plugin: 'maven'

project.ext {
    springBootVersion = '1.0.2.RELEASE'
}

dependencies {
    compile("org.springframework.boot:spring-boot-starter-web:$springBootVersion")
    compile("org.springframework.boot:spring-boot:1.0.1.RELEASE")
    compile("org.springframework.boot:spring-boot-starter-thymeleaf")
    compile("org.springframework.boot:spring-boot-starter-data-jpa:$springBootVersion")
    compile("org.springframework.security:spring-security-web:4.0.0.M1")
    compile("org.springframework.security:spring-security-config:4.0.0.M1")
...
}

我的每个html文件都有:

<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
    <meta name="description" content=""/>

    <link href="/css/bootstrap.css" rel="stylesheet"/>
    <link href="/css/bootstrap.min.css" rel="stylesheet"/>
    <link href="/css/bootstrap-responsive.css" rel="stylesheet"/>
    <link href="/css/bootstrap-responsive.min.css" rel="stylesheet"/>
    <link href="/css/ofac.css" rel="stylesheet"/>
    <link href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" rel="stylesheet"/>

    <!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
    <!--[if lt IE 9]>
    <script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
    <![endif]-->
</head>

这是我的MVC配置:@Configuration公共类MvcConfig扩展WebMvcConfigurerAdapter {

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController( "/home" ).setViewName( "index" );
        registry.addViewController( "/" ).setViewName( "index" );
        registry.addViewController( "/about" ).setViewName( "about" );
        registry.addViewController( "/login" ).setViewName( "login" );
        registry.addViewController( "/upload" ).setViewName( "upload" );
        registry.addViewController( "/status" ).setViewName( "status" );
        registry.addViewController( "/search" ).setViewName( "search" );
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        LocaleChangeInterceptor localeChangeInterceptor = new LocaleChangeInterceptor();
        localeChangeInterceptor.setParamName( "lang" );
        registry.addInterceptor( localeChangeInterceptor );
    }

    @Bean
    public LocaleResolver localeResolver() {
        CookieLocaleResolver cookieLocaleResolver = new CookieLocaleResolver();
        cookieLocaleResolver.setDefaultLocale( StringUtils.parseLocaleString( "en" ) );
        return cookieLocaleResolver;
    }

    @Bean
    public MessageSource messageSource() {
        ReloadableResourceBundleMessageSource messageSource = new ReloadableResourceBundleMessageSource();
        messageSource.setBasenames( "classpath:messages/messages", "classpath:messages/validation" );
        // if true, the key of the message will be displayed if the key is not
        // found, instead of throwing a NoSuchMessageException
        messageSource.setUseCodeAsDefaultMessage( true );
        messageSource.setDefaultEncoding( "UTF-8" );
        // # -1 : never reload, 0 always reload
        messageSource.setCacheSeconds( 0 );
        return messageSource;
    }

根据我在网上找到的各种例子,我有以下安全配置:

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource datasource;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
                .authorizeRequests()
                .antMatchers( "/resources/**" ).permitAll();

        http
                .formLogin().failureUrl("/login?error")
                .defaultSuccessUrl("/")
                .loginPage("/login")
                .permitAll()
                .and()
                .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login")
                .permitAll();

        http
                .authorizeRequests().anyRequest().authenticated();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        JdbcUserDetailsManager userDetailsService = new JdbcUserDetailsManager();
        userDetailsService.setDataSource( datasource );
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        auth.userDetailsService( userDetailsService ).passwordEncoder( encoder );
        auth.jdbcAuthentication().dataSource( datasource );

        if ( !userDetailsService.userExists( "user" ) ) {
            List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
            authorities.add( new SimpleGrantedAuthority( "USER" ) );
            User userDetails = new User( "user", encoder.encode( "password" ), authorities );

            userDetailsService.createUser( userDetails );
        }
    }
}

当我导航到localhost:9001 我的登录页面提示时.我提供了正确的凭据,并被重定向到url:http://localhost:9001/css/ofac.css 显示了我的css文件的内容.在添加安全性之前,页面将正确呈现.一旦登录成功,就会显示css,但是如果我将根导航回"/",那么一切都表现得应该如此.

谁能看到我在这里做错了什么？

更新:我删除了以下内容,因为Spring-boot将处理/ resources/**

http
                    .authorizeRequests()
                    .antMatchers( "/resources/**" ).permitAll();

我还将重定向更改为成功登录:

.defaultSuccessUrl("/home")    

因为那也被映射到"/"

但是,行为是一样的.一个有趣的行为是,当我使用Safari时,登录会给我" http://localhost:9001/css/bootstrap.css"但Firefox会给我" http://localhost:9001/css/bootstrap-responsive.min.css"

当我POST http://localhost:9001/login用Firebug 检查时,我得到一个"302 Found",然后GET http://localhost:9001/css/bootstrap-responsive.min.css返回一个200.

Answer 1

将此方法添加到SecurityConfig

@Override
public void configure(WebSecurity security){
    security.ignoring().antMatchers("/css/**","/fonts/**","/libs/**"");
}