不登录就无法访问静态资源目录(我正在使用 Spring Security)

Not able to access static resources directory without logging in(I am using spring security)

问题:我无法访问位于 Spring Boot 项目默认 resources 文件夹下的静态资源,如图像、js 或 css 文件。我使用的是 Spring Boot 版本 2.4.9。经过大量研究,我找到了 Spring 文档网站上的一个解决方案,即使用以下代码:

.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()

有趣的是,使用这段代码后,我仍然无法访问 resources 文件夹下的任何文件或文件夹,但我可以访问 resources 文件夹下一个名为 images 的文件夹(我自己创建的)。有什么解决方案或有用的提示吗?

我项目的目录结构:

screenshot of project directory

安全配置文件:

package com.pisoft.informatics.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class DemoSecurityConfig extends WebSecurityConfigurerAdapter {
    // Web-tier Spring Security configuration: wires the custom
    // AuthenticationProvider and decides which URLs require a login.

    // Invoked after a successful form login (see configure(HttpSecurity)).
    @Autowired
    private CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler;
     
    //bcrypt bean definition
    /*
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
    */
      
    // Custom provider that checks submitted credentials against CrmUserService.
    @Autowired
    private MeriCustomAuthenticationProvider authProvider;
    
    /**
     * Registers {@link MeriCustomAuthenticationProvider} as the authentication
     * provider used by the AuthenticationManager.
     *
     * @param auth builder used to assemble the AuthenticationManager
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        //auth.authenticationProvider(authenticationProvider());
        auth.authenticationProvider(authProvider);
    }
        
    /**
     * Defines URL authorization rules and the form-login / logout flow.
     *
     * <p>Matcher order matters: the static-resource rule must stay before
     * {@code anyRequest().authenticated()}, otherwise it is never consulted.
     *
     * @param http builder for the HTTP security filter chain
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        
        http.authorizeRequests()    
            //.antMatchers("/resources/**").permitAll()         
            // atCommonLocations() only covers the conventional static folders
            // (css, js, images, webjars, favicon.*, */icon-*). Any other directory
            // under the static resources folder is NOT matched and falls through to
            // anyRequest().authenticated(), which is why only the images folder
            // works. Whitelist custom directories explicitly, e.g.
            // .antMatchers("/<your-static-dir>/**").permitAll()  (placeholder path)
            .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()           
            .anyRequest().authenticated()           
            
            .and()
            .formLogin()                
                .loginPage("/")
                .loginProcessingUrl("/authenticateTheUser")
                .successHandler(customAuthenticationSuccessHandler)
                .permitAll()
            .and()
            .logout()
            .permitAll()
                    
            .and()
            // NOTE(review): CSRF protection is switched off for the whole app. With a
            // cookie-based session login, that leaves every state-changing request
            // open to cross-site request forgery. Keep it enabled (the login form
            // then needs the _csrf token) unless the endpoints are stateless.
            .csrf().disable();  
    }
}

CustomAuthenticationProvider 文件:

package com.pisoft.informatics.security;

import java.util.ArrayList;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;

import com.pisoft.informatics.entity.user.CrmUser;
import com.pisoft.informatics.misc.EncryptionUtil1;
import com.pisoft.informatics.service.user.CrmUserService;



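@Component
public class MeriCustomAuthenticationProvider implements AuthenticationProvider{

    // Looks up the stored user record by user name.
    @Autowired
    private CrmUserService userService;
    
    /**
     * Authenticates a username/password pair against the CRM user table.
     *
     * <p>Per the {@link AuthenticationProvider} contract, returning {@code null}
     * means "this provider cannot decide, try the next one". Wrong credentials
     * and inactive accounts are therefore reported by throwing, not by returning
     * {@code null}; otherwise every failure surfaces as a generic
     * "no provider found" error instead of a bad-credentials / disabled one.
     *
     * @param authentication the token holding the submitted name and password
     * @return an authenticated token (no granted authorities) for an active user
     * @throws BadCredentialsException if the user is unknown, no password was
     *         supplied, or the password does not match
     * @throws DisabledException if the user exists but its status is not "Active"
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        
        String name = authentication.getName();
        Object credentials = authentication.getCredentials();
        // A missing password must not NPE into a 500; treat it as bad credentials.
        if (credentials == null) {
            throw new BadCredentialsException("Bad credentials");
        }
        String password = credentials.toString();
        
        // Same outcome for "unknown user" and "wrong password" so the response
        // does not reveal which user names exist.
        CrmUser user = userService.findByUserName(name);
        if (user == null) {
            throw new BadCredentialsException("Bad credentials");
        }
        // NOTE(review): EncryptionUtil1.decode(...) implies passwords are stored
        // reversibly rather than hashed, and the case-insensitive compare accepts
        // more inputs than the real password. Storing a salted hash (e.g. the
        // commented-out BCryptPasswordEncoder in DemoSecurityConfig) and checking
        // with PasswordEncoder.matches(...) would fix both; left unchanged here
        // because existing stored data depends on the current scheme.
        if (!password.equalsIgnoreCase(EncryptionUtil1.decode(user.getPassword()))) {
            throw new BadCredentialsException("Bad credentials");
        }
        // Null-safe status check: a missing status counts as not active.
        if (!"Active".equalsIgnoreCase(user.getStatus())) {
            throw new DisabledException("User is not active");
        }
        // The three-argument constructor marks the token as authenticated.
        return new UsernamePasswordAuthenticationToken(name, password, new ArrayList<>());
    }

    /**
     * @param authentication the Authentication implementation being offered
     * @return {@code true} only for username/password tokens
     */
    @Override
    public boolean supports(Class<?> authentication) {
        
         return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }   
}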

SecurityWebApplicationInitializer 文件:

package com.pisoft.informatics.security;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

/**
 * Registers Spring Security's filter chain with the servlet container via the
 * inherited {@link AbstractSecurityWebApplicationInitializer}; no customisation
 * is added here.
 *
 * <p>NOTE(review): with Spring Boot auto-configuration the security filter is
 * registered by Boot itself, so this initializer may be redundant in this
 * project — confirm it is needed for the deployment model in use.
 */
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer{

}

CustomAuthenticationSuccessHandler 文件:

package com.pisoft.informatics.security;


import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;
import com.pisoft.informatics.misc.*;
import com.pisoft.informatics.entity.user.CrmUser;
import com.pisoft.informatics.service.sidebar.ServiceHeader;
import com.pisoft.informatics.service.user.CrmUserService;

@Component
public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    // Resolves the logged-in user's CRM record by user name.
    @Autowired
    private CrmUserService crmUserService;
   
    // Supplies the main-menu entries cached in the session after login.
    @Autowired
    private ServiceHeader headerService;
    
    /**
     * Runs after a successful form login: caches the user record, the main
     * menus and a greeting in the HTTP session, then redirects to the
     * dashboard page.
     *
     * @param request the login request
     * @param response the response the redirect is written to
     * @param authentication the authenticated principal
     * @throws IOException if the redirect cannot be sent
     * @throws ServletException not thrown by this body; declared by the interface
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {
        
        CrmUser loggedInUser = crmUserService.findByUserName(authentication.getName());
        storeInSession(request.getSession(), loggedInUser);
        
        // Post-login landing page, relative to the application context path.
        String dashboardUrl = request.getContextPath() + "/dashboard";
        response.sendRedirect(dashboardUrl);
    }

    // Places the per-login values the views read into the session.
    private void storeInSession(HttpSession session, CrmUser loggedInUser) {
        session.setAttribute("CRMUserDetails", loggedInUser);
        session.setAttribute("allMenus", headerService.getMeAllMainMenus());
        session.setAttribute("greetings", WishUtill.Wish());
    }

}

您在 /static 下有很多目录是 PathRequest.toStaticResources().atCommonLocations() 不匹配的。它只匹配以下位置:/static/css/**、/static/js/**、/static/images/**、/static/webjars/**、/static/favicon.* 和 /static/*/icon-*。这就是为什么您的 images 目录可以访问的原因。您需要为自定义位置添加 antMatchers 并使用 permitAll(),例如 antMatchers("/build/**", "/delete-popup/**", ...).permitAll()。