Spring 安全配置似乎没有效果

Spring Security-Configuration seems to have no effect

我想创建一个简单的登录 - 我已经创建了一个,它按预期工作 - 但是当我启动这个服务器时,它给出了以下输出:

2022-04-15 20:02:27.303  INFO 45172 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Will not secure any request

这是对应的配置文件:

/**
 * Spring Security setup from the question: registers the user service for
 * authentication, excludes one URL prefix from the filter chain and declares
 * the URL authorization rules, form login and logout.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** Passed to {@code auth.userDetailsService(...)} in {@link #configureGlobal}. */
    private final IUserService userService;

    /**
     * Receives the user service through constructor injection.
     *
     * @param userService service later registered as the user-details source
     */
    @Autowired
    public SecurityConfig(IUserService userService) {
        this.userService = userService;
    }

    /**
     * Registers {@code userService} as the source of user details.
     *
     * <p>No password encoder is set in this method; which encoder ends up
     * checking passwords depends on configuration not shown in this listing.
     *
     * @param auth builder injected by Spring
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService);
    }

    /**
     * Excludes {@code /mw_rest_api/**} from Spring Security.
     *
     * <p>{@code ignoring()} takes matching requests out of the security filter
     * chain altogether: no authentication, no authorization rules, no CSRF
     * check and no security headers apply to them. Whatever protects that API
     * has to live outside this class. When the goal is only anonymous access,
     * a {@code permitAll()} rule in {@link #configure(HttpSecurity)} keeps the
     * remaining filters active.
     *
     * @param webSecurity web-level security builder
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        final String unfilteredApi = "/mw_rest_api/**";
        webSecurity.ignoring().antMatchers(unfilteredApi);
    }

    /**
     * Declares URL authorization, form login and logout.
     *
     * <p>Matchers are evaluated in declaration order and the first match wins,
     * so the public and admin rules must stay ahead of {@code anyRequest()}.
     * {@code hasRole("ADMIN")} checks for the authority {@code ROLE_ADMIN};
     * the authorities returned by the user service need that prefix
     * (NOTE(review): not visible here, confirm against IUserService).
     *
     * @param httpSecurity HTTP security builder
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(HttpSecurity httpSecurity) throws Exception {
        // Public pages first, then admin-only pages, then "everything else needs a login".
        httpSecurity.authorizeRequests()
                .antMatchers("/login", "/register", "/assets/**").permitAll()
                .antMatchers("/", "/control-panel", "/control-panel/**").hasRole("ADMIN")
                .anyRequest().authenticated();

        // loginSuccessHandler() and loginFailureHandler() are not defined in this listing.
        httpSecurity.formLogin()
                .loginPage("/login")
                .permitAll()
                .successHandler(loginSuccessHandler())
                .failureHandler(loginFailureHandler());

        // After logout the browser is sent back to the login page.
        httpSecurity.logout()
                .permitAll()
                .logoutSuccessUrl("/login");
    }
}

现在我想知道我是否忘记了一些我没有看到的东西?或者这是 Spring 本身的错误?

删除 logout() 之后的 permitAll(),并删除 loginPage("...") 之后的 permitAll()。

在 configure() 方法中,你需要先禁用 csrf(),然后再配置 authorizeRequests() 和 antMatchers();我认为其余部分都没有问题。

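/**
 * Spring Security configuration offered as a reference in the answer: a
 * DAO-backed authentication provider, an exposed AuthenticationManager bean and
 * URL rules for the blog pages and their /rest counterparts.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Injected by Spring; supplies user records to the provider built below.
    @Autowired
    private UserDetailsService userDetailsService;

    /**
     * Registers the DAO authentication provider with the authentication manager.
     *
     * @param auth builder supplied by Spring
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider());
    }

    /**
     * Builds the provider that loads users through {@code userDetailsService}.
     *
     * @return the configured DaoAuthenticationProvider
     */
    @Bean
    public AuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        // SECURITY: NoOpPasswordEncoder compares passwords as plain text, so the
        // user store has to hold them unhashed; Spring Security deprecates it for
        // that reason. Outside a throwaway demo, use an adaptive hash such as
        // BCryptPasswordEncoder (or PasswordEncoderFactories
        // .createDelegatingPasswordEncoder()) and re-encode the stored passwords
        // when switching. Left unchanged here because swapping the encoder alone
        // would break logins against existing plain-text records.
        provider.setPasswordEncoder(NoOpPasswordEncoder.getInstance());
        return provider;
    }

    /**
     * Exposes the AuthenticationManager as a bean so other components can
     * authenticate credentials themselves.
     *
     * @return the manager built by the parent class
     * @throws Exception propagated from the parent class
     */
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Declares URL authorization, form login and logout.
     *
     * <p>Matchers are evaluated in declaration order and the first match wins;
     * any path not listed falls through to {@code anyRequest().authenticated()}.
     *
     * @param http HTTP security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                // SECURITY: CSRF protection is switched off for the whole chain. The
                // chain also sets up session-based formLogin, so nothing in this block
                // rejects cross-site requests to state-changing paths such as
                // /post/delete or /review/deleteComment. Disabling CSRF is normally
                // reserved for stateless, token-authenticated endpoints.
                // NOTE(review): confirm whether the /rest/** paths are the only ones
                // that need it off.
                .csrf().disable()
                .authorizeRequests().antMatchers("/login", "/post/blog/**", "/post/viewpost", "/authentication/create").permitAll()
                .antMatchers("/post/filter/page/**", "/post/sorted/page/**", "/post/search/page/**").permitAll()
                .antMatchers("/authentication/register", "/review/comment/**").permitAll()
                .antMatchers("/post/newPost", "/post/publish", "/post/update", "/post/delete").hasAnyAuthority("ADMIN", "AUTHOR")
                .antMatchers( "/review/updateComment", "/review/deleteComment").hasAnyAuthority("ADMIN", "AUTHOR", "USER")
                .antMatchers("/rest/authenticate", "/rest/blog/**", "/rest/viewpost/**", "/rest/create").permitAll()
                .antMatchers("/rest/filter/page/**", "/rest/sorted/page/**", "/rest/search/page/**", "/rest/comment").permitAll()
                .antMatchers("/post/register").permitAll()
                .antMatchers("/rest/newPost", "/rest/publish", "/rest/update", "/rest/delete").hasAnyAuthority("ADMIN", "AUTHOR")
                // NOTE(review): /post/deleteComment/** sits among /rest paths here;
                // /rest/deleteComment/** matches no rule and falls through to
                // anyRequest().authenticated(). Confirm that is intended.
                .antMatchers("/rest/comment/**", "/rest/updateComment/**", "/post/deleteComment/**").hasAnyAuthority("ADMIN", "AUTHOR", "USER")
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginPage("/authentication/login").permitAll()
                .defaultSuccessUrl("/post/blog")
                .and()
                // Logout drops the HTTP session and clears the stored authentication.
                .logout().invalidateHttpSession(true)
                .clearAuthentication(true)
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/authentication/logout-success").permitAll();
    }
}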

这是我的代码,你可以参考一下

我在 REST API 中使用了 JWT。