Cod*_*Med 10 java spring spring-security spring-boot
A Spring Boot application with REST services must allow public access to some services while restricting others to authorized users only. When the configure(WebSecurity web) method shown below is added to the SecurityConfig class, a 403 error is sent to the user's web browser, and the Spring Boot log file emits an error message stating:

```
/registration-form has an empty filter list
```

What specific changes need to be made to the code below so that the /registration-form service is successfully served to any user, including anonymous/unauthenticated users?

Here is the SecurityConfig class:
```java
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
// "protected static" only compiles as a nested class of an enclosing configuration class
protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Paths listed here are removed from the security filter chain entirely
    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        webSecurity.ignoring().antMatchers("/registration-form");
    }

    // Authorization rules for everything that still goes through the chain
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
            .and()
            .httpBasic().and()
            .authorizeRequests()
            .antMatchers("/login1").permitAll()
            .antMatchers("/login2").permitAll()
            .anyRequest().authenticated();
    }
}
```
Here is the full log:

```
2016-04-07 16:42:18.548 INFO 8937 --- [nio-8001-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring FrameworkServlet 'dispatcherServlet'
2016-04-07 16:42:18.548 INFO 8937 --- [nio-8001-exec-1] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization started
2016-04-07 16:42:18.656 INFO 8937 --- [nio-8001-exec-1] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization completed in 108 ms
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/registration-form'; against '/css/**'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/registration-form'; against '/js/**'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/registration-form'; against '/images/**'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/registration-form'; against '/**/favicon.ico'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/registration-form'; against '/error'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/registration-form'; against '/registration-form'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.security.web.FilterChainProxy : /registration-form has an empty filter list
```
In pom.xml, the only reference to security is the following:

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
```
I looked around pom.xml for a version number, and the closest thing I could find was:

```xml
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>1.3.0.RELEASE</version>
    <relativePath /> <!-- lookup parent from repository -->
</parent>
```
Research in progress:

1.) This other post gives a good explanation of the difference between WebSecurity and HttpSecurity, which explains why I have both WebSecurity and HttpSecurity in my code, as shown above.

2.) This 2012 post describes a similar error and its solution, but it focuses on the older Spring Security xml configuration in general use, rather than the Java Configuration specific to Spring Boot.

3.) This blog post explains that the old web.xml configuration file has largely been replaced by the new application.properties file in Spring Boot. So I am not sure whether the solution to the current problem is to add something to application.properties, or to add some Java Config for Spring Security.

4.) This blog entry describes using the @Bean annotation to inject a ServletContextInitializer bean that adds a filter to the endpoints described by @RequestMapping annotations in a Spring Boot Controller class. The example is a multipart file filter, but I wonder whether this approach could be used to add an appropriate filter to resolve the error message in the current OP.

5.) This 2014 post describes two ways of customizing ServletContextInitializer behavior in Spring Boot. One approach is to have the Application.java class extend SpringBootServletInitializer and then override the configure() and onStartup() methods. The other approach shown is to add lines to the application.properties file using the server namespace. This link provides a list of the common properties that can be set in application.properties, but I could not determine which properties to set to resolve the problem defined in the current OP.

6.) @DaveSyer's answer to this related question suggests setting endpoints.info.sensitive=true in application.properties to make all endpoints open. That led me to this documentation page from Spring about endpoints, which suggests setting endpoints.name.sensitive=false in application.properties, changing name to the name of the endpoint. But setting endpoints.api-url.sensitive=false in application.properties does not resolve the problem, and Eclipse gives a warning that endpoints.api-url.sensitive=false is an unknown property. Do I have to define a property mapping somewhere else, or perhaps add a / to make it endpoints./api-url.sensitive=false? How do I get the correct name to use for the /api-url endpoint, and is this the right approach to resolving this problem?

7.) I read this other post and used its example to create a Filter Registration Bean inside the main Application class of the Spring Boot application, but the debug log still shows the same message, indicating /api-url has an empty filter list. Here is the code I added to the Application class:
```java
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import org.springframework.boot.context.embedded.FilterRegistrationBean; // Spring Boot 1.3 package
import org.springframework.context.annotation.Bean;
import org.springframework.web.filter.ShallowEtagHeaderFilter;

// Registers a servlet filter for /api-url; this is a servlet-container filter,
// not part of the Spring Security filter chain
@Bean
public FilterRegistrationBean shallowEtagHeaderFilter() {
    FilterRegistrationBean registration = new FilterRegistrationBean();
    registration.setFilter(new ShallowEtagHeaderFilter());
    registration.setDispatcherTypes(EnumSet.allOf(DispatcherType.class));
    registration.addUrlPatterns("/api-url");
    return registration;
}
```
Possible approaches from this research include:

1.) adding something to `application.properties`
2.) adding a `@Bean` annotation to inject a `ServletContextInitializer`
3.) adding some Spring Security config using Java Configuration.
4.) having Application.java extend SpringBootServletInitializer and then overriding methods.
5.) adding a @Bean annotation to add a filter registration bean
This is where I restrict certain URLs and leave certain ones public:

```java
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;

// actuatorEndpoints() and userConfig are the answerer's own helpers and are not shown
@Override
public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        // actuator endpoints only for the admin role
        .antMatchers(actuatorEndpoints()).hasRole(userConfig.getAdminRole())
        // CORS preflight requests are open everywhere
        .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
        // public endpoints, including anonymous users
        .antMatchers("/signup",
            "/payment/confirm",
            "/api/address/zipcodes/**",
            "/user/password/reset",
            "/user/password/change",
            "/user/email/verify",
            "/password/update",
            "/email/verify",
            "/new-products/**").permitAll()
        // everything under /api and /files requires an authenticated user;
        // paths matched by none of these rules have no rule applied to them
        .antMatchers("/api/**", "/files/**").authenticated();
}
```
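An added example, not code from the question or the answer above, that serves /registration-form to anonymous users with permitAll() inside authorizeRequests() instead of web.ignoring(): ignoring() removes a path from the Spring Security filter chain entirely (no CSRF check, no security headers, no SecurityContext, which is exactly what the "empty filter list" DEBUG line reports), while permitAll() keeps the chain and only relaxes the authorization rule. It assumes Spring Boot 1.3 / Spring Security 4 as in the question's pom.xml; the class name RegistrationSecurityConfig is invented.

```java
// Added example (not the question's or answer's code), Spring Boot 1.3 / Spring Security 4
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class RegistrationSecurityConfig extends WebSecurityConfigurerAdapter {

    // Only static resources belong in ignoring(): a request matched here skips
    // the whole security filter chain, so it gets no CSRF protection and no
    // security headers, and FilterChainProxy logs "<path> has an empty filter list".
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/css/**", "/js/**", "/images/**");
    }

    // /registration-form stays inside the chain but is granted to everyone,
    // including anonymous users. Because the chain still runs, a POST of the
    // form is still CSRF-checked and the response still carries the security
    // headers. Rule order matters: specific matchers first, anyRequest() last.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/registration-form").permitAll()
                .antMatchers("/login1", "/login2").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .httpBasic();
    }
}
```

With this configuration a request for /registration-form no longer produces the "empty filter list" line; instead the debug log shows the matcher chain reaching the permitAll() rule, which is the check to run when verifying that a path is meant to be public rather than unprotected.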