未登录时无法访问静态资源目录(我使用的是 Spring Security)



问题:我无法访问位于 Spring Boot 项目默认 resources 文件夹下的静态资源,例如图片、js 或 css 文件。我使用的 Spring Boot 版本是 2.4.9。经过大量研究后,我在 Spring 官方文档中找到了一个解决方案,即使用以下代码:

.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
有趣的是,使用这段代码后,我仍然无法访问 resources 文件夹下的其他文件或文件夹,但可以访问我自己在 resources 文件夹下创建的名为 images 的文件夹。有什么解决方案或有用的建议吗?

项目目录结构:

项目目录截图

SecurityConfiguration文件:

package com.pisoft.informatics.security;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
/**
 * Spring Security configuration for the application.
 *
 * <p>Authentication is delegated to {@link MeriCustomAuthenticationProvider}. Every request
 * requires a logged-in user except the login page itself, the logout endpoint and the static
 * resource locations matched by {@code PathRequest.toStaticResources().atCommonLocations()}.
 */
@Configuration
@EnableWebSecurity
public class DemoSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private MeriCustomAuthenticationProvider authProvider;

    @Autowired
    private CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler;

    // NOTE(review): no PasswordEncoder bean is defined in this class; password checking is done
    // entirely inside the custom provider registered below.

    /**
     * Registers the custom provider as the authentication mechanism.
     *
     * @param auth builder for the application's authentication manager
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authProvider);
    }

    /**
     * Declares the URL authorization rules, the form-login flow and logout handling.
     *
     * @param http the security builder to configure
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Rules are evaluated in declaration order, so every permitAll() matcher has to come
        // before anyRequest(). Only the common static locations are opened here; a static
        // directory outside that set stays behind the login until it gets its own matcher.
        http.authorizeRequests()
                .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                .anyRequest().authenticated();

        // The login form is served at "/" and posts to /authenticateTheUser; both are reachable
        // anonymously through the trailing permitAll().
        http.formLogin()
                .loginPage("/")
                .loginProcessingUrl("/authenticateTheUser")
                .successHandler(customAuthenticationSuccessHandler)
                .permitAll();

        http.logout().permitAll();

        // NOTE(review): CSRF protection is switched off for the whole application, including the
        // session-based form login and logout. State-changing requests then rely on the session
        // cookie alone; confirm this is intentional, or re-enable it and send the token from the
        // forms.
        http.csrf().disable();
    }
}

CustomAuthenticationProvider文件:

package com.pisoft.informatics.security;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;
import com.pisoft.informatics.entity.user.CrmUser;
import com.pisoft.informatics.misc.EncryptionUtil1;
import com.pisoft.informatics.service.user.CrmUserService;

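/**
 * {@link AuthenticationProvider} that validates a submitted username/password pair against the
 * {@link CrmUser} record returned by {@link CrmUserService}.
 *
 * <p>NOTE(review): the stored password is passed through {@code EncryptionUtil1.decode} and the
 * result is compared with the submitted password, which implies the stored value is reversible.
 * A one-way adaptive hash (for example Spring Security's BCryptPasswordEncoder) would avoid ever
 * recovering the plaintext; that needs a data migration and is not changed here.
 */
@Component
public class MeriCustomAuthenticationProvider implements AuthenticationProvider {

    @Autowired
    private CrmUserService userService;

    /**
     * Authenticates the given request.
     *
     * @param authentication the request carrying the user name and the submitted password
     * @return an authenticated token with an empty authority list when the user exists, the
     *     password matches exactly and the account status is "Active"; {@code null} otherwise
     * @throws AuthenticationException declared by the interface; not thrown by this method
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String name = authentication.getName();

        // A request without credentials cannot match anything; previously this was a
        // NullPointerException on toString().
        Object credentials = authentication.getCredentials();
        if (credentials == null) {
            return null;
        }
        String password = credentials.toString();

        // NOTE(review): every failure path returns null, as before. A more specific
        // AuthenticationException per failure reason would be easier to audit, but it would
        // change what callers of this provider observe.
        CrmUser user = userService.findByUserName(name);
        if (user == null) {
            return null;
        }

        String storedPassword = EncryptionUtil1.decode(user.getPassword());
        if (storedPassword == null || !passwordsMatch(password, storedPassword)) {
            return null;
        }

        // Only the status flag is compared case-insensitively; a missing status counts as
        // inactive instead of throwing.
        if (!"Active".equalsIgnoreCase(user.getStatus())) {
            return null;
        }

        return new UsernamePasswordAuthenticationToken(name, password, new ArrayList<>());
    }

    /**
     * Compares two passwords exactly (case-sensitive) using {@link MessageDigest#isEqual}, so the
     * comparison does not stop at the first differing byte. The previous
     * {@code equalsIgnoreCase} check accepted any letter-case variant of the real password.
     */
    private static boolean passwordsMatch(String submitted, String stored) {
        return MessageDigest.isEqual(
                submitted.getBytes(StandardCharsets.UTF_8),
                stored.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Reports whether this provider handles the given token type.
     *
     * @param authentication the token class being offered
     * @return {@code true} only for {@link UsernamePasswordAuthenticationToken} itself
     */
    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }
}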

SecurityWebApplicationInitializer文件:

package com.pisoft.informatics.security;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
/**
 * Empty subclass of {@link AbstractSecurityWebApplicationInitializer}; it adds no behaviour of
 * its own and relies entirely on the base class.
 *
 * <p>NOTE(review): the question says this is a Spring Boot project, where Boot's
 * auto-configuration normally registers the security filter chain itself. Confirm this
 * initializer is still needed.
 */
public class SecurityWebApplicationInitializer
        extends AbstractSecurityWebApplicationInitializer {
}

CustomAuthenticationSuccessHandler文件:

package com.pisoft.informatics.security;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;
import com.pisoft.informatics.misc.*;
import com.pisoft.informatics.entity.user.CrmUser;
import com.pisoft.informatics.service.sidebar.ServiceHeader;
import com.pisoft.informatics.service.user.CrmUserService;
/**
 * Runs after a successful login: loads the user's record, stores it together with the menu
 * data and a greeting in the HTTP session, then redirects the browser to the dashboard.
 */
@Component
public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    @Autowired
    private ServiceHeader headerService;

    @Autowired
    private CrmUserService crmUserService;

    /**
     * Populates the session for the freshly authenticated user and redirects to
     * {@code <context path>/dashboard}.
     *
     * @param request the login request; its session receives the attributes
     * @param response used to send the redirect
     * @param authentication the authenticated principal; only its name is read
     * @throws IOException if the redirect cannot be sent
     * @throws ServletException declared by the interface
     */
    @Override
    public void onAuthenticationSuccess(
            HttpServletRequest request,
            HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {

        final CrmUser loggedInUser = crmUserService.findByUserName(authentication.getName());

        // NOTE(review): the whole CrmUser object goes into the session. The authentication
        // provider reads getPassword() from this same type, so the stored password presumably
        // travels with it; a trimmed view without credential fields would limit exposure.
        final HttpSession httpSession = request.getSession();
        httpSession.setAttribute("CRMUserDetails", loggedInUser);
        httpSession.setAttribute("allMenus", headerService.getMeAllMainMenus());
        httpSession.setAttribute("greetings", WishUtill.Wish());

        // The target is fixed and built from the context path only, never from request
        // parameters.
        final String dashboardUrl = request.getContextPath() + "/dashboard";
        response.sendRedirect(dashboardUrl);
    }
}

您在 /static 下有不少目录与 PathRequest.toStaticResources().atCommonLocations() 不匹配。匹配的位置如下:/static/css/**、/static/js/**、/static/images/**、/static/webjars/**、/static/favicon.* 和 /static/*/icon-*。这就是为什么您的 images 目录可以访问。您需要为自定义位置添加带 permitAll() 的 antMatchers(例如 antMatchers("/build/**", "/delete-popup/**", ...).permitAll()),并把它放在 .anyRequest().authenticated() 之前;只应放行确实不含敏感内容的公开静态目录。