春季安全5始终302

时间:2018-07-31 13:42:49

标签: java spring spring-boot spring-security

我正在尝试测试使用标准Spring Security API保护的Web api,但是,每当我登录到我的应用程序时,/ test.html api都会不断返回302重定向。 用户名:admin / 密码:admin

enter image description here

enter image description here 


    package com.example.demo;

    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    @SpringBootApplication
    public class DemoApplication {

        public static void main(String[] args) {
            SpringApplication.run(DemoApplication.class, args);
        }

        @RequestMapping("/hello")
        public String hello() {
            return "hello";
        }
    }


    package com.example.demo;

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    @Configuration
    @EnableWebSecurity
    public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {

        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.formLogin()
                    .loginPage("/test.html").permitAll()
                    .loginProcessingUrl("/user/login")
                    .and()
                    .authorizeRequests()
                    .antMatchers("/test.html").permitAll()
                    .anyRequest()
                    .authenticated();
        }
    }


    package com.example.demo;

    import org.springframework.security.core.authority.AuthorityUtils;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.stereotype.Component;

    @Component
    public class UserDetailsServiceImpl implements UserDetailsService {

        @Override
        public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
            return new User("admin",
               "$2a$10$vs7veyVUaqeGyVlxXpp94O7BcmzcF2HGUmH2va6XDVCj2mK8uFzRi",
               AuthorityUtils.commaSeparatedStringToAuthorityList("admin"));
        }
    }

https://github.com/woshituotuo/demo.git

2 个答案:

答案 0 :(得分:0)

完成

跨站点伪造


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
                .loginPage("/test.html").permitAll()
                .loginProcessingUrl("/user/login")
                .and()
                .authorizeRequests()
                .antMatchers("/test.html").permitAll()
                .anyRequest()
                .authenticated()
                .and()          +
                .csrf()         +
                .disable();     +

    }

答案 1 :(得分:0)

您需要在.hasAnyRole之后加上用户的角色 放入这些之后,您需要放入.anyRequest().authenticated() 就是这样

相关问题
最新问题