我正在尝试在Spring-Boot项目中使用Spring Security。
我的项目结构是:
/project
-/src/main
-- /java
-- / resources
--- /static
---- /css
---- /fonts
---- /libs
--- /templates
---- /all html files
这是我的gradle设置:
apply plugin: 'java'
apply plugin: 'groovy'
apply plugin: 'idea'
apply plugin: 'spring-boot'
apply plugin: 'jacoco'
apply plugin: 'war'
apply plugin: 'maven'
project.ext {
springBootVersion = '1.0.2.RELEASE'
}
dependencies {
compile("org.springframework.boot:spring-boot-starter-web:$springBootVersion")
compile("org.springframework.boot:spring-boot:1.0.1.RELEASE")
compile("org.springframework.boot:spring-boot-starter-thymeleaf")
compile("org.springframework.boot:spring-boot-starter-data-jpa:$springBootVersion")
compile("org.springframework.security:spring-security-web:4.0.0.M1")
compile("org.springframework.security:spring-security-config:4.0.0.M1")
...
}
我的每个html文件都有:
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<meta name="description" content=""/>
<link href="/css/bootstrap.css" rel="stylesheet"/>
<link href="/css/bootstrap.min.css" rel="stylesheet"/>
<link href="/css/bootstrap-responsive.css" rel="stylesheet"/>
<link href="/css/bootstrap-responsive.min.css" rel="stylesheet"/>
<link href="/css/ofac.css" rel="stylesheet"/>
<link href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css" rel="stylesheet"/>
<!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
<!--[if lt IE 9]>
<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
</head>
这是我的MVC配置: @组态 公共类MvcConfig扩展了WebMvcConfigurerAdapter {
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController( "/home" ).setViewName( "index" );
registry.addViewController( "/" ).setViewName( "index" );
registry.addViewController( "/about" ).setViewName( "about" );
registry.addViewController( "/login" ).setViewName( "login" );
registry.addViewController( "/upload" ).setViewName( "upload" );
registry.addViewController( "/status" ).setViewName( "status" );
registry.addViewController( "/search" ).setViewName( "search" );
}
@Override
public void addInterceptors(InterceptorRegistry registry) {
LocaleChangeInterceptor localeChangeInterceptor = new LocaleChangeInterceptor();
localeChangeInterceptor.setParamName( "lang" );
registry.addInterceptor( localeChangeInterceptor );
}
@Bean
public LocaleResolver localeResolver() {
CookieLocaleResolver cookieLocaleResolver = new CookieLocaleResolver();
cookieLocaleResolver.setDefaultLocale( StringUtils.parseLocaleString( "en" ) );
return cookieLocaleResolver;
}
@Bean
public MessageSource messageSource() {
ReloadableResourceBundleMessageSource messageSource = new ReloadableResourceBundleMessageSource();
messageSource.setBasenames( "classpath:messages/messages", "classpath:messages/validation" );
// if true, the key of the message will be displayed if the key is not
// found, instead of throwing a NoSuchMessageException
messageSource.setUseCodeAsDefaultMessage( true );
messageSource.setDefaultEncoding( "UTF-8" );
// # -1 : never reload, 0 always reload
messageSource.setCacheSeconds( 0 );
return messageSource;
}
基于我在网上找到的各种示例,我有以下安全配置:
@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private DataSource datasource;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers( "/resources/**" ).permitAll();
http
.formLogin().failureUrl("/login?error")
.defaultSuccessUrl("/")
.loginPage("/login")
.permitAll()
.and()
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login")
.permitAll();
http
.authorizeRequests().anyRequest().authenticated();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
JdbcUserDetailsManager userDetailsService = new JdbcUserDetailsManager();
userDetailsService.setDataSource( datasource );
PasswordEncoder encoder = new BCryptPasswordEncoder();
auth.userDetailsService( userDetailsService ).passwordEncoder( encoder );
auth.jdbcAuthentication().dataSource( datasource );
if ( !userDetailsService.userExists( "user" ) ) {
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
authorities.add( new SimpleGrantedAuthority( "USER" ) );
User userDetails = new User( "user", encoder.encode( "password" ), authorities );
userDetailsService.createUser( userDetails );
}
}
}
当我导航到localhost:9001时,系统会提示我登录页面。我提供了正确的凭据,并被重定向到网址:http://localhost:9001/css/ofac.css显示了我的css文件的内容。在添加安全性之前,页面将正确呈现。一旦登录成功,就会显示css,但是如果我将根导航回“/”,那么一切都会按原样运行。
谁能看到我在这里做错了什么?
更新: 我删除了以下内容,因为Spring-boot将处理/ resources / **
http
.authorizeRequests()
.antMatchers( "/resources/**" ).permitAll();
我还将成功登录的重定向更改为:
.defaultSuccessUrl("/home")
因为它也映射到“/”
但是,行为是一样的。一个有趣的行为是,当我使用Safari时,登录会给我“http://localhost:9001/css/bootstrap.css”,但Firefox会给我“http://localhost:9001/css/bootstrap-responsive.min.css”
当我用Firebug检查POST http://localhost:9001/login时,我得到一个“302 Found”,然后是一个返回200的GET http://localhost:9001/css/bootstrap-responsive.min.css。
答案 0 :(得分:6)
将此方法添加到SecurityConfig
@Override
public void configure(WebSecurity security){
security.ignoring().antMatchers("/css/**","/fonts/**","/libs/**"");
}
答案 1 :(得分:0)
我还体验过/ static / fonts / path中的Spring安全阻塞资源。但是,&#34; / static / css&#34;,&#34; / static / js&#34;,&#34; / static / images&#34;默认允许,但/ static / fonts / **被阻止。
以下是我如何修复此问题的示例。
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
.....
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/fonts/**").permitAll().
//other security configuration rules
}
.....
}