Java Spring Boot 2和JWT的安全性无法为angular build的静态内容提供服务_Java_Spring Boot_Spring Security_Websecurity - Fatal编程技术网

Java Spring Boot 2和JWT的安全性无法为angular build的静态内容提供服务


我正在用 Spring Security 和 JWT 身份验证令牌构建 Spring Boot 应用程序。当它只提供 REST API 时运行正常,但现在我还想让它托管 Angular 文件,所以我把 Angular 的构建产物放进了 Spring Boot 可执行 war 的 /WEB-INF/classes/static/ 目录。现在我希望 static 目录中的所有文件都能从 / 访问。我尝试了很多办法,下面是我的代码:

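/**
 * Spring Security configuration for an application that exposes a JWT-protected REST API
 * and also serves an Angular build from the classpath {@code static/} directory.
 *
 * <p>Everything not explicitly opened with {@code permitAll()} requires an authenticated
 * request, so every URL the browser needs before login (index page, script bundles,
 * stylesheets) has to be listed explicitly.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(
    securedEnabled = true,
    jsr250Enabled = true,
    prePostEnabled = true
)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    CustomUserDetailsService customUserDetailsService;

    // Only referenced by the commented-out exceptionHandling() call in configure(HttpSecurity).
    @Autowired
    private JwtAuthenticationEntryPoint unauthorizedHandler;

    /**
     * Creates the filter that turns a bearer token into an authenticated security context.
     *
     * @return a new {@link JwtAuthenticationFilter}
     */
    @Bean
    public JwtAuthenticationFilter jwtAuthenticationFilter() {
        return new JwtAuthenticationFilter();
    }

    /**
     * Wires the user lookup service and the password encoder into the authentication manager.
     *
     * @param authenticationManagerBuilder builder supplied by Spring Security
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder
                .userDetailsService(customUserDetailsService)
                .passwordEncoder(passwordEncoder());
    }

    /**
     * Publishes the authentication manager as a bean so other components can inject it.
     *
     * @return the authentication manager built by the parent adapter
     * @throws Exception if the parent adapter cannot build it
     */
    @Bean(BeanIds.AUTHENTICATION_MANAGER)
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Supplies the password hashing scheme used when credentials are verified.
     *
     * @return a BCrypt-based encoder with the library's default settings
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Earlier attempt, left disabled. web.ignoring() removes the matched paths from the
    // security filter chain entirely; permitAll() in configure(HttpSecurity) is the narrower
    // choice because the request still passes through the chain.
    //    @Override
    //    public void configure(WebSecurity web) throws Exception {
    //                web.ignoring().requestMatchers().antMatchers("/static/**").antMatchers("/api/auth/**");
    //    }

    /**
     * Declares which URLs are reachable without authentication and installs the JWT filter.
     *
     * <p>The Angular build places {@code index.html} and its script and style bundles directly
     * under the application root. {@code atCommonLocations()} does not match root-level bundle
     * files, and {@code /static/**} is a URL pattern rather than the classpath folder, so those
     * bundles previously fell through to {@code anyRequest().authenticated()} and were refused.
     * They are now permitted explicitly.
     *
     * @param http the security builder supplied by Spring Security
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                // NOTE(review): the block below is disabled in the posted code, so the framework
                // defaults apply: CSRF protection stays on, no stateless session policy is set,
                // and unauthorizedHandler is not used as the entry point. Confirm this is
                // intended before relying on the token-only API flow.
//                .cors()
//                    .and()
//                .csrf()
//                    .disable()
//                .exceptionHandling()
//                    .authenticationEntryPoint(unauthorizedHandler)
//                    .and()
//                .sessionManagement()
//                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
//                    .and()
//                .requestMatchers().antMatchers("/static/**").and()
                .authorizeRequests()
                    .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                    .antMatchers("/api/auth/**")
                        .permitAll()
                    // NOTE(review): unauthenticated availability checks reveal which usernames
                    // and e-mail addresses exist; consider rate limiting them.
                    .antMatchers("/api/user/checkUsernameAvailability", "/api/user/checkEmailAvailability")
                        .permitAll()
                    // NOTE(review): test endpoints are open to everyone; confirm they are not
                    // part of a production deployment.
                    .antMatchers("/api/test/**")
                        .permitAll()
                    // Public front-end files: the index page plus root-level script and style
                    // bundles. Extend this list (fonts, images, asset folders) to match the
                    // actual build output rather than opening "/**".
                    .antMatchers("/", "/index.html", "/*.js", "/*.css", "/static/**")
                        .permitAll()
                    .anyRequest()
                        .authenticated();

        // Run the JWT filter ahead of the username/password filter so the security context is
        // already populated when authorization decisions are made.
        http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    }
}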
WebMvcConfig是

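/**
 * Spring MVC configuration that registers the application's CORS policy.
 *
 * <p>Only the callbacks that carry configuration are overridden. In Spring Framework 5 (the
 * version behind Spring Boot 2) every {@link WebMvcConfigurer} callback has a default
 * implementation, so the auto-generated empty overrides and the {@code null}-returning
 * getters were removed; behaviour is unchanged.
 */
@Configuration
public class WebMvcConfig implements WebMvcConfigurer {

    /** Lifetime, in seconds, that a browser may cache a CORS preflight response. */
    private static final long MAX_AGE_SECS = 3600;

    /**
     * Applies one CORS rule to every path of the application.
     *
     * @param registry the CORS registry supplied by Spring MVC
     */
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // NOTE(review): "*" lets scripts from any origin call every path with every listed
        // method, including the state-changing ones. Once the Angular build is served from
        // this same application the browser no longer needs CORS for it; otherwise restrict
        // allowedOrigins to the known front-end origin(s) and limit the mapping to the API paths.
        registry.addMapping("/**")
                .allowedOrigins("*")
                .allowedMethods("HEAD", "OPTIONS", "GET", "POST", "PUT", "PATCH", "DELETE")
                .maxAge(MAX_AGE_SECS);
    }

    /**
     * Left without custom handlers, so only the framework's own static resource handling applies.
     *
     * @param registry the resource handler registry supplied by Spring MVC
     */
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // Earlier attempt, left disabled. NOTE(review): a resource location normally needs a
        // trailing slash ("classpath:/static/"); confirm before re-enabling.
//      registry.addResourceHandler("/static/**").addResourceLocations("classpath:/static");
    }
}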

您可能需要更多的上下文,但这里有一个可能的解决方案

我认为实际情况可能是:正如您所说,Spring 正在从静态资源目录 /static 提供您的内容(它本来就是 Spring Boot 的默认静态资源目录)。

但是spring不知道它需要将请求从例如:
localhost:8080/
重定向到
localhost:8080/index.html


注意:如果没有进一步的细节,很难理解可能发生的情况:)

您可能需要更多的上下文,但这里有一个可能的解决方案

我认为实际情况可能是:正如您所说,Spring 正在从静态资源目录 /static 提供您的内容(它本来就是 Spring Boot 的默认静态资源目录)。

但是spring不知道它需要将请求从例如:
localhost:8080/
重定向到
localhost:8080/index.html


注意:如果没有进一步的细节,就很难理解可能发生的事情:)

评论:

您能再详细说明一下发生了什么吗?当您尝试打开 localhost:8080/ 时失败了吗?

它在 localhost:8080/ 上能提供 index.html,但对放在同一目录中的其他 js 和 css 文件返回 403。

如果页面能正确提供,而您得到的是 403,那么看起来是您的安全过滤器拦截了这些路径。建议在路径不是 /api/* 时忽略该路径(假设您的所有 API 都位于此路径下)。

/**
 * Servlet filter that authenticates a request from the JWT carried in its
 * {@code Authorization} header.
 *
 * <p>The filter never rejects a request itself. When the token is absent, fails validation,
 * or any step throws, the security context is left unset and the request continues down the
 * chain, where the authorization rules decide whether an unauthenticated caller may proceed.
 */
public class JwtAuthenticationFilter extends OncePerRequestFilter {

    private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationFilter.class);

    /** Scheme prefix that precedes the token inside the Authorization header. */
    private static final String BEARER_PREFIX = "Bearer ";

    @Autowired
    private JwtTokenProvider tokenProvider;

    @Autowired
    private CustomUserDetailsService customUserDetailsService;

    /**
     * Tries to authenticate the request, then always hands it to the rest of the chain.
     *
     * @param request     the incoming request
     * @param response    the outgoing response
     * @param filterChain the remaining filters
     * @throws ServletException propagated from the downstream chain
     * @throws IOException      propagated from the downstream chain
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        try {
            authenticateFromToken(request);
        } catch (Exception ex) {
            // Deliberately not rethrown: the request proceeds unauthenticated.
            logger.error("Could not set user authentication in security context", ex);
        }

        filterChain.doFilter(request, response);
    }

    /**
     * Populates the security context when the request carries a token the provider accepts.
     *
     * <p>The user is reloaded from the user details service on every request. Username and
     * roles could instead be carried as JWT claims and parsed from the token, which would
     * avoid that lookup.
     *
     * @param request the incoming request
     * @throws Exception whatever the token provider or the user lookup throws
     */
    private void authenticateFromToken(HttpServletRequest request) throws Exception {
        final String token = getJwtFromRequest(request);
        if (!StringUtils.hasText(token) || !tokenProvider.validateToken(token)) {
            return;
        }

        final String userId = tokenProvider.getUserIdFromJWT(token);

        // NOTE(review): account flags on the returned UserDetails (enabled, locked, expired)
        // are not inspected here; confirm loadUserById refuses such accounts.
        final UserDetails principal = customUserDetailsService.loadUserById(userId);

        final UsernamePasswordAuthenticationToken authToken =
                new UsernamePasswordAuthenticationToken(principal, null, principal.getAuthorities());
        authToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));

        SecurityContextHolder.getContext().setAuthentication(authToken);
    }

    /**
     * Extracts the raw token from the {@code Authorization} header.
     *
     * @param request the incoming request
     * @return the text after the {@code "Bearer "} prefix, or {@code null} when the header is
     *         missing, blank, or uses another scheme
     */
    private String getJwtFromRequest(HttpServletRequest request) {
        final String header = request.getHeader("Authorization");
        final boolean carriesBearer = StringUtils.hasText(header) && header.startsWith(BEARER_PREFIX);
        return carriesBearer ? header.substring(BEARER_PREFIX.length()) : null;
    }
}