Mar*_*ney 62 debugging spring-security
我正在设置Spring Security来处理日志记录用户.我已经以用户身份登录,并在成功登录后被带到Access Denied错误页面.我不知道我的用户实际分配了什么角色,或者导致访问被拒绝的规则,因为我无法弄清楚如何为Spring Security库启用调试.
我的安全xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans ... >
<!-- security -->
<security:debug/><!-- doesn't seem to be working -->
<security:http auto-config="true">
<security:intercept-url pattern="/Admin**" access="hasRole('PROGRAMMER') or hasRole('ADMIN')"/>
<security:form-login login-page="/Load.do"
default-target-url="/Admin.do?m=loadAdminMain"
authentication-failure-url="/Load.do?error=true"
username-parameter="j_username"
password-parameter="j_password"
login-processing-url="/j_spring_security_check"/>
<security:csrf/><!-- enable Cross Site Request Forgery protection -->
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="loginDataSource"
users-by-username-query="SELECT username, password, active FROM userinformation WHERE username = ?"
authorities-by-username-query="
SELECT ui.username, r.rolename
FROM role r, userrole ur, userinformation ui
WHERE ui.username=?
AND ui.userinformationid = ur.userinformationid
AND ur.roleid = r.roleid "
/>
<security:password-encoder hash="md5"/>
</security:authentication-provider>
</security:authentication-manager>
</beans>
我也尝试过添加log4j.logger.org.springframework.security=DEBUG到我的log4j.properties
如何获得Spring Security的调试输出?
del*_*svb 103
另一种选择是将以下内容放入您的application.properties:
logging.level.org.springframework.security=DEBUG
对于大多数其他Spring模块也是如此.
Mic*_*fel 55
您可以使用@EnableWebSecurity注释选项轻松启用调试支持:
@EnableWebSecurity(debug = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
…
}
Chr*_*ski 23
使用Spring的基本调试DebugFilter可以像这样配置:
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
web.debug(true);
}
}
我们总是可以使用以下配置检查 Spring Security 中注册的过滤器
下面提到了在身份验证流程中执行的 Spring Security 的一些内部过滤器:
Security filter chain: [
CharacterEncodingFilter
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
CsrfFilter
LogoutFilter
X509AuthenticationFilter
UsernamePasswordAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
RememberMeAuthenticationFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
使用 Spring Boot 和默认的 spring security 过滤器(无需自定义任何内容,甚至无需在EnableWebSecurity注释中设置 debug),设置TRACE如下application.properties所示:
logging.level.org.springframework.security=TRACE
它足以详细显示正在调用哪些过滤器以及它们正在做什么。
TRACE w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
TRACE w.c.HttpSessionSecurityContextRepository : Created SecurityContextImpl [Null authentication]
DEBUG w.c.HttpSessionSecurityContextRepository : Created HttpSession as SecurityContext is non-default
...
DEBUG o.s.security.web.FilterChainProxy : Securing POST /api/product/productname01
TRACE o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (1/16)
...
TRACE o.s.security.web.FilterChainProxy : Invoking CsrfFilter (5/16)
DEBUG o.s.security.web.csrf.CsrfFilter : Invalid CSRF token found for http://localhost/api/product/productname01
DEBUG o.s.s.w.access.AccessDeniedHandlerImpl : Responding with 403 status code
版本:
Spring Framework Bom version 5.3.16
Spring Boot 2.6.4
Spring 5.3.16
Spring Security 5.6.2
您可以使用 @EnableWebSecurity 注释的选项轻松启用调试支持:
@EnableWebSecurity(debug = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
…
}
如果您需要在application-{profile}.properties文件中进行特定于配置文件的控制
org.springframework.security.config.annotation.web.builders.WebSecurity.debugEnabled=false
获取详细帖子:http : //www.bytefold.com/enable-disable-profile-specific-spring-security-debug-flag/
| 归档时间: |
|
| 查看次数: |
68573 次 |
| 最近记录: |