Java: custom Spring Security login with Vaadin 10
I am trying to use Vaadin together with Spring Boot, and I am also using Spring Security. This is the configuration I have in my WebSecurityConfigurerAdapter class:
    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/VAADIN/**", "/PUSH/**", "/UIDL/**", "/login", "/login/**", "/error/**",
                             "/accessDenied/**", "/vaadinServlet/**", "/myui/**", "/test/**").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin().permitAll().defaultSuccessUrl("/myui", true)
            .and()
            .sessionManagement().sessionAuthenticationStrategy(sessionControlAuthenticationStrategy());
    }
This is my login view:
    import com.vaadin.flow.component.button.Button;
    import com.vaadin.flow.component.formlayout.FormLayout;
    import com.vaadin.flow.component.html.Div;
    import com.vaadin.flow.component.textfield.PasswordField;
    import com.vaadin.flow.component.textfield.TextField;
    import com.vaadin.flow.router.Route;
    import com.vaadin.flow.theme.Theme;
    import com.vaadin.flow.theme.lumo.Lumo;

    @Route("login")
    @Theme(value = Lumo.class, variant = Lumo.DARK)
    public class LoginForm extends Div {

        public LoginForm() {
            init();
        }

        public void init() {
            FormLayout nameLayout = new FormLayout();
            TextField username = new TextField();
            username.setLabel("UserName");
            username.setPlaceholder("username");
            PasswordField passwordField = new PasswordField();
            passwordField.setLabel("password");
            passwordField.setPlaceholder("*****");
            Button loginButton = new Button("login");
            loginButton.addClickListener(event -> {
                // authentication not implemented yet
            });
            // the button must be added to the layout, otherwise it is never rendered
            nameLayout.add(username, passwordField, loginButton);
            add(nameLayout);
        }
    }
The problem I have is that when the user is redirected to /login I always see a blank page; after inspecting the HTML I can see that the Vaadin elements are there, but they do not show up in the browser.

Here is my working config:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable() // CSRF handled by Vaadin
            .exceptionHandling()
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
                .accessDeniedPage("/accessDenied")
            .and()
            .authorizeRequests()
                // allow Vaadin URLs without authentication
                .regexMatchers("/frontend/.*", "/VAADIN/.*", "/login.*", "/accessDenied.*").permitAll()
                .regexMatchers(HttpMethod.POST, "/\\?v-r=.*").permitAll()
                // deny other URLs until authenticated
                .antMatchers("/**").fullyAuthenticated();
    }
All requests are redirected to the login view until the user is authenticated. So far I have not tried push (@Push), so that may need additional URLs that are always allowed.
Using the Firefox developer tools you can inspect the XHR calls in the console. If any XHR call fails with a 403 or for some other reason, you may need to adjust the security configuration.
    package com.example.test.spring.security;

    import com.vaadin.flow.server.ServletHelper;
    import com.vaadin.flow.shared.ApplicationConstants;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.provisioning.InMemoryUserDetailsManager;

    import javax.servlet.http.HttpServletRequest;
    import java.util.stream.Stream;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                .authorizeRequests()
                    .antMatchers("/VAADIN/**", "/HEARTBEAT/**", "/UIDL/**", "/resources/**",
                                 "/login", "/login**", "/login/**", "/manifest.json", "/icons/**", "/images/**",
                                 // (development mode) static resources
                                 "/frontend/**",
                                 // (development mode) webjars
                                 "/webjars/**",
                                 // (development mode) H2 debugging console
                                 "/h2-console/**",
                                 // (production mode) static resources
                                 "/frontend-es5/**", "/frontend-es6/**").permitAll()
                    .anyRequest().authenticated()
                .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .successForwardUrl("/something")
                .and()
                .logout()
                    .permitAll();
        }

        @Bean
        @Override
        public UserDetailsService userDetailsService() {
            UserDetails user =
                User.withDefaultPasswordEncoder()
                    .username("user")
                    .password("password")
                    .roles("USER")
                    .build();
            return new InMemoryUserDetailsManager(user);
        }

        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers(
                // Vaadin Flow static resources
                "/VAADIN/**",
                // the standard favicon URI
                "/favicon.ico",
                // web application manifest
                "/manifest.json",
                // icons and images
                "/icons/**",
                "/images/**",
                // (development mode) static resources
                "/frontend/**",
                // (development mode) webjars
                "/webjars/**",
                // (development mode) H2 debugging console
                "/h2-console/**",
                // (production mode) static resources
                "/frontend-es5/**", "/frontend-es6/**");
        }

        static boolean isFrameworkInternalRequest(HttpServletRequest request) {
            final String parameterValue = request.getParameter(ApplicationConstants.REQUEST_TYPE_PARAMETER);
            return parameterValue != null
                && Stream.of(ServletHelper.RequestType.values()).anyMatch(r -> r.getIdentifier().equals(parameterValue));
        }
    }
After changing the web config to this, I was able to solve the problem.

Was the answer useful?

Very useful, thanks for your support. I have added the working web config.

Please provide the full source of the working solution.

Why not use the isFrameworkInternalRequest method instead of manually defining matchers for "heartbeat", "uidl", etc.? At least you have already written that method.
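Following up on the last comment, here is an added example (not code from the question or either answer) that wires the `isFrameworkInternalRequest` check in as a Spring Security `RequestMatcher`, so Vaadin's UIDL, heartbeat and push requests (all carrying the `v-r` parameter) are permitted by one matcher instead of a hand-maintained list of `/UIDL/**`, `/HEARTBEAT/**` and `/\?v-r=.*` patterns. It also shows the part the question's `LoginForm` left empty: authenticating from the button's click listener through Spring's `AuthenticationManager`, which keeps the login inside a Vaadin UIDL request that Vaadin protects with its own CSRF token. That matters because every config on this page calls `csrf().disable()`, which leaves any plain `POST /login` form without CSRF protection, and because `web.ignoring("/h2-console/**")` in the accepted config bypasses the security filter chain entirely for the H2 console. The package name, class names, `BCryptPasswordEncoder` and the `user`/`password` in-memory account are assumptions for the example; the two classes belong in separate files under the same package.

```java
package com.example.test.spring.security; // hypothetical package, reused from the page

import com.vaadin.flow.component.UI;
import com.vaadin.flow.component.button.Button;
import com.vaadin.flow.component.html.Div;
import com.vaadin.flow.component.notification.Notification;
import com.vaadin.flow.component.textfield.PasswordField;
import com.vaadin.flow.component.textfield.TextField;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.server.ServletHelper;
import com.vaadin.flow.server.VaadinServletRequest;
import com.vaadin.flow.shared.ApplicationConstants;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

import javax.servlet.http.HttpServletRequest;
import java.util.stream.Stream;

// File 1: VaadinSecurityConfig.java (hypothetical name)
@Configuration
@EnableWebSecurity
public class VaadinSecurityConfig extends WebSecurityConfigurerAdapter {

    /** True for Vaadin's own uidl/heartbeat/push requests, identified by the "v-r" parameter. */
    static boolean isFrameworkInternalRequest(HttpServletRequest request) {
        String type = request.getParameter(ApplicationConstants.REQUEST_TYPE_PARAMETER);
        return type != null && Stream.of(ServletHelper.RequestType.values())
                .anyMatch(r -> r.getIdentifier().equals(type));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Vaadin attaches its own CSRF token to UIDL requests, so Spring's filter is off.
            // Consequence: do not add a plain HTML POST /login form, it would be unprotected.
            .csrf().disable()
            .authorizeRequests()
                // one RequestMatcher for uidl, heartbeat and push instead of URL patterns
                .requestMatchers(VaadinSecurityConfig::isFrameworkInternalRequest).permitAll()
                // static resources served by Vaadin in dev and production mode
                .antMatchers("/VAADIN/**", "/frontend/**", "/frontend-es5/**", "/frontend-es6/**",
                             "/favicon.ico", "/manifest.json", "/icons/**", "/images/**").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin().loginPage("/login").permitAll() // unauthenticated users land on the Vaadin view
            .and()
            .logout().logoutSuccessUrl("/login").permitAll();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // instead of withDefaultPasswordEncoder(), which is demo-only
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        // constructed demo account; replace with a real user store
        return new InMemoryUserDetailsManager(User.builder()
                .username("user")
                .password(passwordEncoder().encode("password"))
                .roles("USER")
                .build());
    }

    /** Expose the AuthenticationManager so the Vaadin view can authenticate in-process. */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

// File 2: LoginView.java (hypothetical name); vaadin-spring injects the constructor argument
@Route("login")
class LoginView extends Div {

    LoginView(AuthenticationManager authenticationManager) {
        TextField username = new TextField("Username");
        PasswordField password = new PasswordField("Password");
        Button login = new Button("Log in", click -> {
            try {
                Authentication auth = authenticationManager.authenticate(
                        new UsernamePasswordAuthenticationToken(username.getValue(), password.getValue()));
                // SessionManagementFilter ran before this UIDL request reached the servlet, so its
                // session-fixation protection did not see the login: rotate the session id here.
                VaadinServletRequest.getCurrent().getHttpServletRequest().changeSessionId();
                // the filter chain persists this context into the HTTP session on the way out
                SecurityContextHolder.getContext().setAuthentication(auth);
                UI.getCurrent().navigate("");
            } catch (AuthenticationException ex) {
                Notification.show("Login failed"); // same message for bad user and bad password
            }
        });
        add(username, password, login);
    }
}
```

With this configuration a request to `/?v-r=uidl`, `/?v-r=heartbeat` or `/?v-r=push` is matched by the predicate rather than by a URL pattern, so push does not need its own entry when `@Push` is enabled later. Anything that is not a framework-internal request or a static resource still requires authentication, and the login itself never leaves the Vaadin session, which is why the disabled Spring CSRF filter does not expose a login form.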