Configuring a Spring Security antMatcher does not work in Spring Boot 1.5.7

Time: 2018-10-12 09:06:28

Tags: spring-boot spring-security

I am trying to set up a security chain with Spring Security.

Configuration class: WebappSecurityConfig.java

import java.util.stream.Collectors;
import java.util.stream.Stream;

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@Order(SecurityProperties.BASIC_AUTH_ORDER - 10) // evaluated before Boot's default basic-auth chain
//@EnableWebSecurity
public class WebappSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .antMatcher("/demo/**")                              // this chain only handles /demo/**
                .authorizeRequests()
                .antMatchers("/", "/demo/hello/").hasAnyRole("TEST") // access rules inside the chain
                .and()
                .httpBasic();
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        // single in-memory account that only holds ROLE_USER
        UserDetails user =
                User.withUsername("user")
                        .password("password")
                        .roles("USER")
                        .build();

        return new InMemoryUserDetailsManager(Stream.of(user).collect(Collectors.toList()));
    }
}

Controller class: HelloController.java

import org.springframework.security.access.annotation.Secured;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/demo")
public class HelloController {

    @RequestMapping("/hello")   // served at /demo/hello
//    @Secured("ROLE_TEST")
    public String helloUser() {
        return "hello";
    }
}

Then I send a GET request with Postman.

My expectation is that the request should be rejected, because I have configured that role "USER" should not be able to access the request-mapping path /demo/hello.

Log details:

2018-10-12 16:58:02.695 DEBUG 31380 --- [io-10088-exec-5] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/css/**']
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/demo/hello'; against '/css/**'
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/js/**']
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/demo/hello'; against '/js/**'
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/images/**']
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/demo/hello'; against '/images/**'
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/webjars/**']
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/demo/hello'; against '/webjars/**'
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/**/favicon.ico']
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/demo/hello'; against '/**/favicon.ico'
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/error']
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/demo/hello'; against '/error'
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/demo/hello'; against '/demo/**'
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] w.c.HttpSessionSecurityContextRepository : Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@442b5a9f: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@442b5a9f: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER'
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@5ea45a
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /demo/hello' doesn't match 'POST /logout
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 6 of 12 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.a.www.BasicAuthenticationFilter  : Basic Authentication Authorization header found for user 'user'
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2018-10-12 16:58:02.698 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.a.AnonymousAuthenticationFilter  : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@442b5a9f: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER'
2018-10-12 16:58:02.698 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2018-10-12 16:58:02.698 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2018-10-12 16:58:02.698 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2018-10-12 16:58:02.698 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/demo/hello'; against '/'
2018-10-12 16:58:02.698 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/demo/hello'; against '/demo/hello/'
2018-10-12 16:58:02.698 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor    : Public object - authentication not attempted
2018-10-12 16:58:02.698 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello reached end of additional filter chain; proceeding with original chain
2018-10-12 16:58:02.700 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.a.ExceptionTranslationFilter     : Chain processed normally
2018-10-12 16:58:02.700 DEBUG 31380 --- [io-10088-exec-5] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

To get around this, I have to enable method security so that I can specify for each API which authority/role is required.

Please advise?
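The decisive line in the log above is `Public object - authentication not attempted`: neither `/` nor `/demo/hello/` matched the request path `/demo/hello`, and because the `authorizeRequests()` block has no catch-all rule, `FilterSecurityInterceptor` treated the unmatched URL as public and let the `ROLE_USER` principal through. The following is an added example, not code from the question or from either answer, of a configuration that closes that gap: the rule is written without the trailing slash (and with the slash variant listed as well, since Spring MVC 4 routes both spellings to the same handler), and `anyRequest().denyAll()` makes everything else under `/demo/**` deny-by-default. It is meant to replace the question's `WebappSecurityConfig` with the question's `HelloController` still present. The package name, class names, the `tester` account and the test class are assumptions; the test needs `spring-boot-starter-test` and `spring-security-test` on the test classpath.

```java
// ---- src/main/java/com/example/demo/HardenedWebappSecurityConfig.java (assumed path) ----
package com.example.demo;

import java.util.Arrays;

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@Order(SecurityProperties.BASIC_AUTH_ORDER - 10) // ahead of Boot 1.5's default chain, as in the question
public class HardenedWebappSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/demo/**")
            .authorizeRequests()
                // AntPathRequestMatcher compares literally: "/demo/hello/" never matches
                // "/demo/hello". Both spellings are listed because MVC serves both.
                .antMatchers("/demo/hello", "/demo/hello/").hasRole("TEST")
                // Deny by default: without this, a /demo/** path that no rule matches
                // is a "public object" and is let through without any check.
                .anyRequest().denyAll()
                .and()
            .httpBasic()
                .and()
            // Basic-auth API: do not keep the SecurityContext in an HTTP session.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        // Constructed sample accounts: only "tester" holds ROLE_TEST. Plain-text
        // passwords work on the Spring Security 4.2 line shipped with Boot 1.5.7.
        return new InMemoryUserDetailsManager(Arrays.asList(
            User.withUsername("user").password("password").roles("USER").build(),
            User.withUsername("tester").password("password").roles("TEST").build()));
    }
}

// ---- src/test/java/com/example/demo/DemoAuthorizationTest.java (assumed path) ----
package com.example.demo;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class DemoAuthorizationTest {

    @Autowired
    private MockMvc mvc;

    @Test
    public void roleUserIsForbiddenOnBothSpellings() throws Exception {
        // The question's scenario: ROLE_USER must get 403, not "hello".
        mvc.perform(get("/demo/hello").with(httpBasic("user", "password")))
           .andExpect(status().isForbidden());
        mvc.perform(get("/demo/hello/").with(httpBasic("user", "password")))
           .andExpect(status().isForbidden());
    }

    @Test
    public void roleTestIsAllowed() throws Exception {
        mvc.perform(get("/demo/hello").with(httpBasic("tester", "password")))
           .andExpect(status().isOk())
           .andExpect(content().string("hello"));
    }

    @Test
    public void anonymousIsChallenged() throws Exception {
        mvc.perform(get("/demo/hello")).andExpect(status().isUnauthorized());
    }

    @Test
    public void unmatchedPathUnderDemoIsDenied() throws Exception {
        // Refused by anyRequest().denyAll(), not by a controller 404.
        mvc.perform(get("/demo/other").with(httpBasic("tester", "password")))
           .andExpect(status().isForbidden());
    }
}
```

The `denyAll()` fallback is the part that matters most: with it in place, a typo in a pattern turns into a 403 that shows up immediately in testing instead of a silently public endpoint. `authenticated()` is the usual choice when the chain protects a whole API and only some paths need a specific role.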

2 answers:

Answer 0 (score: 1)

You can edit the WebappSecurityConfig class and add @EnableWebSecurity and @EnableGlobalMethodSecurity(securedEnabled = true) at the top of the class. Note that securedEnabled allows the use of @Secured. Then, in the configure method, add hasAnyRole('ROLE_TEST') to the antMatchers. You can refer to the following:

import java.util.stream.Collectors;
import java.util.stream.Stream;

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@Order(SecurityProperties.BASIC_AUTH_ORDER - 10)
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true) // turns on @Secured on controller methods
public class WebappSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
          .antMatcher("/demo/**")
          .authorizeRequests()
          .antMatchers("/", "/demo/hello/").access("hasAnyRole('ROLE_TEST')") // SpEL form of the rule
          .and()
          .httpBasic();
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        UserDetails user =
                User.withUsername("user").password("password").roles("USER").build();
        return new InMemoryUserDetailsManager(Stream.of(user).collect(Collectors.toList()));
    }
}

In the controller, add @Secured("ROLE_TEST") to the helloUser method:

    @RequestMapping("/hello")
    @Secured("ROLE_TEST")
    public String helloUser() {
        return "hello";
    }

Answer 1 (score: 0)

I found the problem. The request in Postman was missing the /, which is why the AntMatcher did not work.

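The mismatch answer 1 describes can be pinned down without starting the application, because `AntPathRequestMatcher` can be driven directly with a mock request. The unit test below is an added example, not code from the post, and shows that the trailing slash is significant in both directions: the question's pattern `/demo/hello/` does not match the request `/demo/hello`, and a rule on `/demo/hello` does not cover `/demo/hello/` either, even though Spring MVC 4 dispatches both to the same `@RequestMapping("/hello")` handler. It also shows the `/demo/hello/**` subtree form that covers both spellings at the cost of being broader. The package name and class name are assumptions; it needs `spring-test`, `spring-security-web` and JUnit 4 on the test classpath.

```java
package com.example.demo; // assumed package

import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

public class AntMatcherTrailingSlashTest {

    // AntPathRequestMatcher matches against servletPath + pathInfo, so the
    // servlet path has to be set explicitly on a MockHttpServletRequest.
    private static MockHttpServletRequest get(String path) {
        MockHttpServletRequest req = new MockHttpServletRequest("GET", path);
        req.setServletPath(path);
        return req;
    }

    @Test
    public void trailingSlashIsSignificant() {
        AntPathRequestMatcher withSlash = new AntPathRequestMatcher("/demo/hello/");
        AntPathRequestMatcher noSlash   = new AntPathRequestMatcher("/demo/hello");

        // The question's pattern against the path Postman sent: no match, which
        // is why FilterSecurityInterceptor logged "Public object".
        assertFalse(withSlash.matches(get("/demo/hello")));
        assertTrue(withSlash.matches(get("/demo/hello/")));

        // The converse holds too: a rule on "/demo/hello" leaves "/demo/hello/"
        // unmatched, although MVC serves it with the same controller method.
        assertTrue(noSlash.matches(get("/demo/hello")));
        assertFalse(noSlash.matches(get("/demo/hello/")));
    }

    @Test
    public void subtreePatternCoversBothSpellings() {
        // "/demo/hello/**" matches the exact path, the trailing-slash form and
        // everything beneath it. Use it only when the whole subtree should share
        // one rule, since it is broader than the two literal paths.
        AntPathRequestMatcher subtree = new AntPathRequestMatcher("/demo/hello/**");
        assertTrue(subtree.matches(get("/demo/hello")));
        assertTrue(subtree.matches(get("/demo/hello/")));
        assertTrue(subtree.matches(get("/demo/hello/extra")));
        assertFalse(subtree.matches(get("/demo/hello2")));
    }
}
```

The asymmetry between MVC's lenient trailing-slash matching and Spring Security's literal matching is exactly why a deny-by-default `anyRequest()` rule belongs in every `authorizeRequests()` block: it turns an unmatched spelling into a 403 instead of an unauthenticated pass-through.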