Spring Boot: Spring Security antMatcher configuration does not work under Spring Boot 1.5.7


I am trying to set up a security filter chain with Spring Security.

Configuration class: WebappSecurityConfig.java

```java
import java.util.stream.Collectors;
import java.util.stream.Stream;

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@Order(SecurityProperties.BASIC_AUTH_ORDER - 10)
//@EnableWebSecurity
public class WebappSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .antMatcher("/demo/**")
                .authorizeRequests()
                .antMatchers("/", "/demo/hello/").hasAnyRole("TEST")
                .and()
                .httpBasic();
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        UserDetails user =
                User.withUsername("user")
                        .password("password")
                        .roles("USER")
                        .build();

        return new InMemoryUserDetailsManager(Stream.of(user).collect(Collectors.toList()));
    }
}
```

Controller class: HelloController.java

```java
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/demo")
public class HelloController {

    @RequestMapping("/hello")
//    @Secured("ROLE_TEST")
    public String helloUser() {
        return "hello";
    }
}
```

Then I send a GET request with Postman.

My expectation is that the request should be rejected, because I have configured that the role "USER" should not have access to the request-mapping path `/demo/hello`.

Logging details:

```text
2018-10-12 16:58:02.695 DEBUG 31380 --- [io-10088-exec-5] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/css/**']
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/demo/hello'; against '/css/**'
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/js/**']
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/demo/hello'; against '/js/**'
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/images/**']
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/demo/hello'; against '/images/**'
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/webjars/**']
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/demo/hello'; against '/webjars/**'
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/**/favicon.ico']
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/demo/hello'; against '/**/favicon.ico'
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/error']
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/demo/hello'; against '/error'
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/demo/hello'; against '/demo/**'
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-10-12 16:58:02.696 DEBUG 31380 --- [io-10088-exec-5] w.c.HttpSessionSecurityContextRepository : Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@442b5a9f: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@442b5a9f: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER'
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@5ea45a
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /demo/hello' doesn't match 'POST /logout
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 6 of 12 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.a.www.BasicAuthenticationFilter  : Basic Authentication Authorization header found for user 'user'
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2018-10-12 16:58:02.697 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2018-10-12 16:58:02.698 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.a.AnonymousAuthenticationFilter  : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@442b5a9f: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER'
2018-10-12 16:58:02.698 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2018-10-12 16:58:02.698 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2018-10-12 16:58:02.698 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2018-10-12 16:58:02.698 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/demo/hello'; against '/'
2018-10-12 16:58:02.698 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/demo/hello'; against '/demo/hello/'
2018-10-12 16:58:02.698 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor    : Public object - authentication not attempted
2018-10-12 16:58:02.698 DEBUG 31380 --- [io-10088-exec-5] o.s.security.web.FilterChainProxy        : /demo/hello reached end of additional filter chain; proceeding with original chain
2018-10-12 16:58:02.700 DEBUG 31380 --- [io-10088-exec-5] o.s.s.w.a.ExceptionTranslationFilter     : Chain processed normally
2018-10-12 16:58:02.700 DEBUG 31380 --- [io-10088-exec-5] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
```
To work around this, I had to enable method security and specify the authorized role on each API.

Please advise?

I found the problem. The request in Postman was missing the trailing `/`, which is why none of the matchers worked.
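The log line `Public object - authentication not attempted` shows the security-relevant consequence of the missing slash: in Spring Security 4.x, a request that reaches `FilterSecurityInterceptor` without matching any `antMatchers` rule carries no access attributes and is let through without any authorization check. The following is an added example, not the asker's or the answerer's code, of a fail-closed variant of `WebappSecurityConfig` for Spring Boot 1.5.x / Spring Security 4.2: it covers `/demo/hello` with and without the trailing slash, and adds an `anyRequest()` fallback so that every other URL under `/demo/**` still requires authentication. It assumes the same in-memory user (`user` / `ROLE_USER`) and the `HelloController` from the question.

```java
// Added example (not the asker's or answerer's code): a fail-closed variant of
// WebappSecurityConfig for Spring Boot 1.5.x / Spring Security 4.2.
// Assumptions: an in-memory user "user" with ROLE_USER as in the question, and
// the HelloController mapped at /demo/hello.
import java.util.stream.Collectors;
import java.util.stream.Stream;

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableWebSecurity
@Order(SecurityProperties.BASIC_AUTH_ORDER - 10)
public class WebappSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This filter chain handles only /demo/**; other URLs fall through to
            // Boot's default chain.
            .antMatcher("/demo/**")
            .authorizeRequests()
                // Ant patterns are slash-sensitive: "/demo/hello/" does not match
                // "/demo/hello". "/demo/hello/**" covers the path with or without
                // the trailing slash and anything beneath it.
                .antMatchers("/demo/hello/**").hasRole("TEST")
                // Fail closed: any /demo/** URL not listed above still requires
                // authentication instead of being treated as a public object.
                .anyRequest().authenticated()
            .and()
            .httpBasic();
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withUsername("user")
                .password("password")   // Spring Security 4.x: no PasswordEncoder required here
                .roles("USER")          // stored as the authority ROLE_USER
                .build();
        return new InMemoryUserDetailsManager(Stream.of(user).collect(Collectors.toList()));
    }
}
```

With this configuration, `user` (who only holds `ROLE_USER`) receives a 403 for both `/demo/hello` and `/demo/hello/`, an unauthenticated request receives a 401, and a typo in a matcher pattern can no longer silently expose a handler under `/demo/**`.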


You can edit the WebappSecurityConfig class and add @EnableWebSecurity and @EnableGlobalMethodSecurity(securedEnabled = true) at the top of this class. Note that securedEnabled allows the use of @Secured. Then, in the configure method, add hasAnyRole('ROLE_TEST') to the antMatchers. You can refer to the following:

```java
import java.util.stream.Collectors;
import java.util.stream.Stream;

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@Order(SecurityProperties.BASIC_AUTH_ORDER - 10)
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebappSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
          .antMatcher("/demo/**")
          .authorizeRequests()
          .antMatchers("/", "/demo/hello/").access("hasAnyRole('ROLE_TEST')")
          .and()
          .httpBasic();
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        UserDetails user =
                User.withUsername("user").password("password").roles("USER").build();
        return new InMemoryUserDetailsManager(Stream.of(user).collect(Collectors.toList()));
    }
}
```
In the controller, add @Secured("ROLE_TEST") to the helloUser method:

```java
@RequestMapping("/hello")
@Secured("ROLE_TEST")
public String helloUser() {
    return "hello";
}
```

Maybe it would be better to remove the slash from the Spring Security configuration? I can do that, but it would be nicer if Spring Security were not strict about slashes when processing antMatcher.
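The slash strictness discussed in this thread is a documented property of `AntPathRequestMatcher`, and it is worth pinning it down in a unit test so a future change to a pattern cannot silently widen or narrow what a rule protects. The following is an added example, not code from the question or the answers: a JUnit 4 test that exercises Spring Security 4.x's `AntPathRequestMatcher` directly against a `MockHttpServletRequest`, showing that a trailing slash in either the pattern or the request path prevents a match, and that a `/**` suffix covers both forms. It assumes `spring-security-web`, `spring-test` and JUnit 4 on the test classpath; `matches` is a helper written for this example.

```java
// Added example (not from the question or answers): a JUnit 4 test that pins down
// how Spring Security 4.x's AntPathRequestMatcher treats a trailing slash.
// Assumptions: spring-security-web, spring-test and junit 4 on the test classpath.
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

public class AntPathRequestMatcherSlashTest {

    // AntPathRequestMatcher matches against servletPath + pathInfo, not the raw
    // request URI, so the mock request needs its servlet path set explicitly.
    // Helper written for this example.
    static boolean matches(String pattern, String path) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", path);
        request.setServletPath(path);
        return new AntPathRequestMatcher(pattern).matches(request);
    }

    @Test
    public void trailingSlashInPatternIsSignificant() {
        // The pattern used in the question: only the slash-terminated URL matches,
        // which is why "/demo/hello" fell through as a public object in the log.
        assertTrue(matches("/demo/hello/", "/demo/hello/"));
        assertFalse(matches("/demo/hello/", "/demo/hello"));
    }

    @Test
    public void trailingSlashInRequestIsSignificant() {
        // The reverse holds too: dropping the slash from the pattern, as the
        // comment suggests, leaves the slash-terminated URL unprotected.
        assertTrue(matches("/demo/hello", "/demo/hello"));
        assertFalse(matches("/demo/hello", "/demo/hello/"));
    }

    @Test
    public void subtreePatternCoversBothForms() {
        // "/demo/hello/**" matches the path itself, the slash-terminated form and
        // anything beneath it; listing both forms explicitly is the alternative.
        assertTrue(matches("/demo/hello/**", "/demo/hello"));
        assertTrue(matches("/demo/hello/**", "/demo/hello/"));
        assertTrue(matches("/demo/hello/**", "/demo/hello/extra"));
        // A different sibling path is still outside the subtree.
        assertFalse(matches("/demo/hello/**", "/demo/hello2"));
    }
}
```

Because a rule that matches nothing is silently ignored by `authorizeRequests()` in this version, tests like these, combined with an `anyRequest()` fallback in the configuration, are the practical way to make sure a URL rule protects exactly the paths you think it does.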