Java Spring Security: all matchers are skipped
When I try to call a method from my UserController, I get "401 Unauthorized". The system doesn't even check antMatchers("GET", "users**").hasAnyRole("ROLE_USER", "ROLE_ADMIN"). What should I change to allow this authorized user to get the data?
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
@ComponentScan(basePackages = { "com.talentlab.security.auth", "com.talentlab.security.filters",
        "com.talentlab.security.handlers", "com.talentlab.security.model", "com.talentlab.security.config",
        "com.talentlab.security.endpoint", "com.talentlab.web" })
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    public static final String JWT_TOKEN_HEADER_PARAM = "Authorization";
    public static final String FORM_BASED_LOGIN_ENTRY_POINT = "/login";
    public static final String TOKEN_REFRESH_ENTRY_POINT = "/auth/token";
    public static final String TOKEN_BASED_AUTH_ENTRY_POINT = "/**";
    public static final String REGISTRATION_URL = "/registration/**";
    public static final String[] SWAGGER_URLS = new String[] { "/v2/api-docs", "/configuration/ui",
            "/swagger-resources/configuration/ui", "/swagger-resources", "/configuration/security", "/swagger-ui.html",
            "/webjars/**" };

    @Autowired
    private AuthenticationEntryPoint authenticationEntryPoint;
    @Autowired
    private AjaxLoginProcessingFilter ajaxLoginProcessingFilter;
    @Autowired
    private JwtTokenAuthenticationProcessingFilter jwtTokenAuthenticationProcessingFilter;
    @Autowired
    private CorsFilter corsFilter;
    @Autowired
    private LanguageFilter languageFilter;
    @Autowired
    private AjaxAuthenticationProvider ajaxAuthenticationProvider;
    @Autowired
    private JwtAuthenticationProvider jwtAuthenticationProvider;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    protected SkipPathRequestMatcher skipPathRequestMatcher() throws Exception {
        List<String> pathsToSkip = Arrays.asList(TOKEN_REFRESH_ENTRY_POINT, FORM_BASED_LOGIN_ENTRY_POINT,
                REGISTRATION_URL);
        return new SkipPathRequestMatcher(pathsToSkip, TOKEN_BASED_AUTH_ENTRY_POINT);
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        // auth.userDetailsService(userDetailsService);
        auth.authenticationProvider(ajaxAuthenticationProvider);
        auth.authenticationProvider(jwtAuthenticationProvider);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(SWAGGER_URLS);
    }

    @Bean(name = BeanIds.AUTHENTICATION_MANAGER)
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers(SWAGGER_URLS).permitAll()
                .antMatchers(REGISTRATION_URL).permitAll()
                .antMatchers(FORM_BASED_LOGIN_ENTRY_POINT).permitAll()
                .antMatchers(HttpMethod.OPTIONS, "/**").anonymous()
                .antMatchers("/404").anonymous()
                .antMatchers("GET", "/users**").hasAnyRole("ROLE_USER", "ROLE_ADMIN")
                .antMatchers("/test**").hasRole("ADMIN")
                .antMatchers("/question**").hasRole("ADMIN")
                .antMatchers("/500").anonymous().anyRequest().permitAll()
                .and().csrf().disable() // We don't need CSRF for JWT based authentication
                .exceptionHandling().authenticationEntryPoint(this.authenticationEntryPoint)
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().authorizeRequests().antMatchers(FORM_BASED_LOGIN_ENTRY_POINT).permitAll() // Login end-point
                .antMatchers(TOKEN_REFRESH_ENTRY_POINT).permitAll() // Token refresh end-point
                .antMatchers("/console").permitAll() // H2 Console Dash-board - only for testing
                .and().authorizeRequests().antMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated() // Protected API
                // End-points
                .and()
                .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
                .addFilterAfter(languageFilter, CorsFilter.class)
                .addFilterBefore(ajaxLoginProcessingFilter, UsernamePasswordAuthenticationFilter.class)
                .addFilterBefore(jwtTokenAuthenticationProcessingFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
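Spring version: 5.0.5.0
Spring Security version: 5.0.5.0
Thank you in advance.

Since I don't have working code to run and check, from looking at the code I believe you can try updating the pattern to
.antMatchers("GET", "/users/**").permitAll().hasAnyRole("ROLE_USER", "ROLE_ADMIN")

Unfortunately, I can't do that :) "antMatchers" returns AuthorizedUrl, not a child of AbstractRequestMatcherRegistry, so I can't call .hasAnyRole("ROLE_USER", "ROLE_ADMIN") after .permitAll(). But thank you for your answer.

The log says you are calling /, and I don't see any matchers for it. 401 means your credentials are missing or wrong. Show your request with its parameters. Did you send the JWT token?

Oh, sorry, wrong log; I've changed it. Yes, of course I sent the token, and authorization passed successfully, but the URL doesn't match any pattern.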
10:58:22.773 [http-nio-8080-exec-9] DEBUG org.springframework.orm.jpa.JpaTransactionManager - Initiating transaction commit
10:58:22.774 [http-nio-8080-exec-9] DEBUG org.springframework.orm.jpa.JpaTransactionManager - Committing JPA transaction on EntityManager [SessionImpl(PersistenceContext[entityKeys=[EntityKey[com.talentlab.db.domain.Tenant#1]],collectionKeys=[]];ActionQueue[insertions=ExecutableList{size=0} updates=ExecutableList{size=0} deletions=ExecutableList{size=0} orphanRemovals=ExecutableList{size=0} collectionCreations=ExecutableList{size=0} collectionRemovals=ExecutableList{size=0} collectionUpdates=ExecutableList{size=0} collectionQueuedOps=ExecutableList{size=0} unresolvedInsertDependencies=null])]
10:58:22.774 [http-nio-8080-exec-9] DEBUG org.springframework.orm.jpa.JpaTransactionManager - Closing JPA EntityManager [SessionImpl(PersistenceContext[entityKeys=[EntityKey[com.talentlab.db.domain.Tenant#1]],collectionKeys=[]];ActionQueue[insertions=ExecutableList{size=0} updates=ExecutableList{size=0} deletions=ExecutableList{size=0} orphanRemovals=ExecutableList{size=0} collectionCreations=ExecutableList{size=0} collectionRemovals=ExecutableList{size=0} collectionUpdates=ExecutableList{size=0} collectionQueuedOps=ExecutableList{size=0} unresolvedInsertDependencies=null])] after transaction
10:58:22.774 [http-nio-8080-exec-9] DEBUG org.springframework.orm.jpa.EntityManagerFactoryUtils - Closing JPA EntityManager
10:58:22.775 [http-nio-8080-exec-9] DEBUG org.springframework.beans.factory.support.DefaultListableBeanFactory - Returning cached instance of singleton bean 'delegatingApplicationListener'
10:58:23.170 [http-nio-8080-exec-9] DEBUG org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@6a8abebb
10:58:23.170 [http-nio-8080-exec-9] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/v2/api-docs'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/configuration/ui'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/swagger-resources/configuration/ui'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/swagger-resources'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/configuration/security'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/swagger-ui.html'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/webjars/**'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 4 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', GET]
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'OPTIONS /users/1' doesn't match 'GET /logout
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', POST]
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'OPTIONS /users/1' doesn't match 'POST /logout
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', PUT]
10:58:23.192 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'OPTIONS /users/1' doesn't match 'PUT /logout
10:58:23.192 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', DELETE]
10:58:23.192 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'OPTIONS /users/1' doesn't match 'DELETE /logout
10:58:23.192 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - No matches found
10:58:23.192 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 5 of 14 in additional filter chain; firing Filter: 'CorsFilter'
10:58:23.192 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@6a8abebb
10:58:23.192 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
10:58:23.197 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/v2/api-docs'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/configuration/ui'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/swagger-resources/configuration/ui'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/swagger-resources'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/configuration/security'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/swagger-ui.html'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/webjars/**'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 4 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', GET]
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/logout'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', POST]
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /users/1' doesn't match 'POST /logout
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', PUT]
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /users/1' doesn't match 'PUT /logout
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', DELETE]
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /users/1' doesn't match 'DELETE /logout
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - No matches found
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 5 of 14 in additional filter chain; firing Filter: 'CorsFilter'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 6 of 14 in additional filter chain; firing Filter: 'AjaxLoginProcessingFilter'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/login'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 7 of 14 in additional filter chain; firing Filter: 'JwtTokenAuthenticationProcessingFilter'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/auth/token']
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/auth/token'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/login']
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/login'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/registration/**']
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/registration/**'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - No matches found
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request '/users/1' matched by universal pattern '/**'
10:58:23.198 [http-nio-8080-exec-5] DEBUG com.talentlab.security.auth.jwt.JwtTokenAuthenticationProcessingFilter - Request is to process authentication
10:58:23.238 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@6a8abebb
10:58:23.238 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
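
How the patterns from the question evaluate against the `GET /users/1` request seen in the log, as an added example that is not part of the original post. It is a simplified model of first-match-wins rule selection built on Spring's `AntPathMatcher` (spring-core on the classpath); `MatcherOrderDemo`, `Rule` and `decide` are hypothetical names, and only the rules relevant to this request are included.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.util.AntPathMatcher;

// Added illustration, not code from the question: a simplified model of
// rule selection in authorizeRequests(), where the first matching rule wins.
public class MatcherOrderDemo {
    static final class Rule {
        final String method;   // null means any HTTP method
        final String pattern;  // Ant-style path pattern
        final String access;   // label for the access expression
        Rule(String method, String pattern, String access) {
            this.method = method; this.pattern = pattern; this.access = access;
        }
    }

    static final AntPathMatcher ANT = new AntPathMatcher();

    // Returns the access label of the first rule whose method and pattern match.
    static String decide(List<Rule> rules, String method, String path) {
        for (Rule r : rules) {
            boolean methodOk = r.method == null || r.method.equals(method);
            if (methodOk && ANT.match(r.pattern, path)) {
                return r.access + " (rule: " + r.pattern + ")";
            }
        }
        return "no rule matched";
    }

    public static void main(String[] args) {
        // As posted: antMatchers("GET", "/users**") resolves to the String...
        // overload, so "GET" is registered as a path pattern, not a method.
        List<Rule> asPosted = new ArrayList<>();
        asPosted.add(new Rule("OPTIONS", "/**", "anonymous"));
        asPosted.add(new Rule(null, "GET", "hasAnyRole"));
        asPosted.add(new Rule(null, "/users**", "hasAnyRole"));
        asPosted.add(new Rule(null, "/**", "permitAll"));     // anyRequest().permitAll()
        asPosted.add(new Rule(null, "/**", "authenticated")); // declared after anyRequest()

        // Variant: HttpMethod overload, sub-path pattern, catch-all rule last.
        List<Rule> adjusted = new ArrayList<>();
        adjusted.add(new Rule("OPTIONS", "/**", "anonymous"));
        adjusted.add(new Rule("GET", "/users/**", "hasAnyRole"));
        adjusted.add(new Rule(null, "/**", "authenticated"));

        System.out.println("as posted: " + decide(asPosted, "GET", "/users/1"));
        System.out.println("adjusted : " + decide(adjusted, "GET", "/users/1"));
    }
}
```

In the log above, the last filter fired for `GET /users/1` is `JwtTokenAuthenticationProcessingFilter` at position 7 of 14, so the authorization rules modelled here are evaluated only for requests that get past that filter.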