Java Spring引导安全性:如何跳过本地主机的登录?
我的工作spring boot SecurityConfig当前如下所示:Java Spring引导安全性:如何跳过本地主机的登录?,java,spring,spring-security,Java,Spring,Spring Security,我的工作spring boot SecurityConfig当前如下所示: protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/css/**", "/js/**", "/img/**", "/error&quo
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/css/**", "/js/**", "/img/**", "/error", "/webjars/**", "/login", "**/favicon.ico").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().failureUrl("/login?state=badauth")
.loginPage("/login")
.loginProcessingUrl("/processLogin")
.successHandler(successHandler())
.failureHandler(failureHandler())
.permitAll()
.and()
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login?state=loggedout");
;
}
.antMatchers("/**").hasIpAddress("127.0.0.1").anyRequest().authenticated();
我试图允许本地主机上的用户无需登录即可访问所有资源。我已尝试将以下内容插入链中的各个位置:
.antMatchers("/**").access("hasIpAddress(\"127.0.0.1\") or hasIpAddress(\"::1\")")
这总是会导致非本地主机访问失败,并出现禁用的错误
如何仅在本地主机上绕过用户登录?在进行身份验证之前,请尝试添加hasIpAddress(),如下所示:
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/css/**", "/js/**", "/img/**", "/error", "/webjars/**", "/login", "**/favicon.ico").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().failureUrl("/login?state=badauth")
.loginPage("/login")
.loginProcessingUrl("/processLogin")
.successHandler(successHandler())
.failureHandler(failureHandler())
.permitAll()
.and()
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login?state=loggedout");
;
}
.antMatchers("/**").hasIpAddress("127.0.0.1").anyRequest().authenticated();
您可以通过在本地/dev配置文件的
application.properties
文件中添加以下行,尝试在Spring Boot中禁用默认安全性:
security.basic.enabled=false
试试这个
DemoApplication.java
@SpringBootApplication
public class DemoApplication {
public static void main(String[] args) {
SpringApplication.run(DemoApplication.class, args);
}
}
TestController.java
@RestController
public class TestController {
@GetMapping("/secured")
public ResponseEntity secured() {
return ResponseEntity.ok("Access granted");
}
}
WebSecurityConfig.java
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/**")
.access("hasIpAddress('127.0.0.1') or hasIpAddress('::1') or isAuthenticated()") // 127.0.0.1 and localhost do not need to authenticate on any url
.anyRequest().authenticated()
.and()
.formLogin()
.permitAll();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("user").password(passwordEncoder().encode("password"))
.authorities("ROLE_USER");
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
这不是您要问的问题,但您可以使用profile以不同的方式参数化
HttpSecurity
。这对非本地主机用户不起作用:登录表单后,“/”请求与/**通用模式匹配,然后抛出“访问被拒绝(用户不是匿名的)”或者,如果您只想禁用Spring引导安全性,则可以使用基于Java的配置:@configuration@EnableWebSecurity公共类SecurityConfig extensed websecurityConfigureAdapter{@Override protected void configure(HttpSecurity security)抛出异常{security.httpBasic().disable();}
一定要让我知道这些解决方案是否适合您。就是这样。“或isAuthenticated()”似乎是缺少的链接。非常感谢。