I have an OAuth2 application in which the oauth2 endpoints are protected by Spring Security, so some pages are protected by a form-based login.
Previously, if I hit one of those URLs I was correctly redirected to the login page.
I have just upgraded from Spring Boot 1.5.16 to Spring Boot 2.0.6, which in turn upgraded the Spring Security dependency from 4.2.8 to 5.0.9.
Now, if I hit a URL while not logged in, I get a page that looks like this:
```xml
<oauth>
  <error_description>
    Full authentication is required to access this resource
  </error_description>
  <error>unauthorized</error>
</oauth>
```
Even if I try to access the login page I am still not authorized, so what else could it be? Does anyone know what is causing this? Maybe the filter order?
This is what my security configuration looks like:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private final AuthenticationManager authenticationManager;
    private final Environment environment;

    @Autowired
    public SecurityConfig(AuthenticationManager authenticationManager, Environment environment) {
        this.authenticationManager = authenticationManager;
        this.environment = environment;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .headers().frameOptions().disable().and()
            // unauthenticated requests handled by this chain go to the login form
            .formLogin().loginPage("/login").permitAll()
            .and()
            // this chain only applies to the browser-facing endpoints listed here
            .requestMatchers().antMatchers("/login", "/logout", "/oauth/authorize", "/oauth/confirm_access")
            .and()
            .authorizeRequests().anyRequest().authenticated();
    }
}
```
This is the filter chain that gets created:
2018-10-19 15:22:10.865 INFO 19012 --- [ restartedMain] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/oauth/token'], Ant [pattern='/oauth/token_key'], Ant [pattern='/oauth/check_token']]], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@737f44b6, org.springframework.security.web.context.SecurityContextPersistenceFilter@61f7a8e9, org.springframework.security.web.header.HeaderWriterFilter@139be706, org.springframework.security.web.authentication.logout.LogoutFilter@60b40eca, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@7467a12, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@4fd13263, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1d003890, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@6e762f08, org.springframework.security.web.session.SessionManagementFilter@13f07542, org.springframework.security.web.access.ExceptionTranslationFilter@2e2ecd3a, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@65db717c]
2018-10-19 15:22:10.880 INFO 19012 --- [ restartedMain] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration$NotOAuthRequestMatcher@4432df93, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@c48f5fc, org.springframework.security.web.context.SecurityContextPersistenceFilter@731455ec, org.springframework.security.web.header.HeaderWriterFilter@67e583c6, org.springframework.security.web.authentication.logout.LogoutFilter@7bc67409, org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter@4c112545, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@16762cc2, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@5dc67679, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@5473e34c, org.springframework.security.web.session.SessionManagementFilter@4e9d0777, org.springframework.security.web.access.ExceptionTranslationFilter@750210bc, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@d7ab665]
2018-10-19 15:22:10.895 INFO 19012 --- [ restartedMain] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/login'], Ant [pattern='/logout'], Ant [pattern='/oauth/authorize'], Ant [pattern='/oauth/confirm_access']]], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@22671580, org.springframework.security.web.context.SecurityContextPersistenceFilter@412e0841, org.springframework.security.web.header.HeaderWriterFilter@60f6611f, org.springframework.security.web.authentication.logout.LogoutFilter@24ec00c6, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@1531681a, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@242e419a, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@77833299, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@2ea3b229, org.springframework.security.web.session.SessionManagementFilter@38fd683f, org.springframework.security.web.access.ExceptionTranslationFilter@7e4364ca, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@63dad600]
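The log above shows the resource-server chain (the one with NotOAuthRequestMatcher) being built before the form-login chain, so it is consulted first for /login and the other browser pages and its OAuth2 entry point, not the form-login entry point, answers the unauthenticated request. Below is an added example, not code from the question or the answer, of pinning the form-login adapter to an explicit order between the two chains; it assumes the default order values of spring-security-oauth2 (0 for the authorization server's token-endpoint chain, 3 for ResourceServerConfiguration), the endpoint paths from the question, and a hypothetical class name.

```java
// Added example: hypothetical class, assumes spring-security-oauth2 defaults
// (token-endpoint chain at order 0, ResourceServerConfiguration at order 3).
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
// A WebSecurityConfigurerAdapter defaults to order 100, which is after the
// resource-server chain. Order 1 keeps the token endpoints (order 0) first and
// puts the browser chain ahead of the resource server (order 3).
@Order(1)
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Scope this chain to the browser endpoints only. Because it now
            // runs early, an unscoped chain would claim every request and make
            // bearer-token protected paths depend on a browser session instead.
            .requestMatchers()
                .antMatchers("/login", "/logout", "/oauth/authorize", "/oauth/confirm_access")
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            // Unauthenticated browser requests are redirected to the form
            // instead of receiving the <oauth><error>unauthorized</error></oauth> body.
            .formLogin()
                .loginPage("/login").permitAll();
        // CSRF is deliberately left enabled here: the login form and the
        // /oauth/confirm_access approval POST are browser-driven requests.
    }
}
```

A quick check after the change: an unauthenticated GET to /login must return the form (200) and an unauthenticated GET to a token-protected path must still return 401 with the OAuth error body. If the second request is redirected to /login, the form-login chain has grown beyond its requestMatchers().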
Answer 0 (score: 1)
This worked for me
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.authorizeRequests()
            .antMatchers("/db*/**").fullyAuthenticated()
            .antMatchers("/rest/**").permitAll()
            .and().formLogin() // login configuration
            .loginPage("/index.jsf?faces-redirect=true");
    }
}
```
and then enter localhost:8080/db/ in the URL bar; it will automatically redirect you to your index page.