我使用spring版本3.0.5和spring安全版本6.0.2,面临访问我通过SecurityFilterChain配置的公共url的问题,我使用spring MVC。AppConfig类在
下面package com.test.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
@EnableWebSecurity
public class AppConfig {
@Bean
protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.csrf(csrf -> csrf.disable()).authorizeHttpRequests(
auth -> auth.requestMatchers("/home").permitAll().anyRequest().authenticated());
return http.build();
}
}
基本控制器如下
package com.test.controller;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
@Controller
public class BasicController {
@GetMapping("/home")
public String showHome(Model model) {
model.addAttribute("title", "Home Page");
return "guest/home";
}
@GetMapping("/login")
public String showLogin(Model model) {
model.addAttribute("title", "Login Page");
return "guest/loginPage";
}
@GetMapping("/user/index")
public String getUserHome(Model model) {
model.addAttribute("title", "User Home");
return "user/home";
}
}
应用程序。属性文件
server.port=8100
spring.security.user.name=abcd
spring.security.user.password=xyz
logging.level.org.springframework.security=DEBUG
以下是我的HTML页面,位于模板->客人→首页我也有一个基类,我没有提到。
<!doctype html>
<html lang="en" xmlns:th="http://www.thymeleaf.org"
th:replace="guest/base::layout(~{::section})">
<head>
<meta charset="UTF-8" />
<title>Home Page</title>
</head>
<body>
<section>
<span>I am in home page.</span>
</section>
</body>
</html>
最后,当我点击localhost:8100/home
时,我得到以下错误
[2m2023-04-01T06:18:27.012+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-1][0;39m [36mo.s.security.web.FilterChainProxy [0;39m [2m:[0;39m Securing GET /home
[2m2023-04-01T06:18:27.013+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-1][0;39m [36mo.s.security.web.FilterChainProxy [0;39m [2m:[0;39m Secured GET /home
[2m2023-04-01T06:18:27.015+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-1][0;39m [36mo.s.security.web.FilterChainProxy [0;39m [2m:[0;39m Securing GET /guest/home
[2m2023-04-01T06:18:27.015+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-1][0;39m [36mo.s.s.w.a.AnonymousAuthenticationFilter [0;39m [2m:[0;39m Set SecurityContextHolder to anonymous SecurityContext
[2m2023-04-01T06:18:27.016+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-1][0;39m [36mo.s.s.w.s.HttpSessionRequestCache [0;39m [2m:[0;39m Saved request http://localhost:8100/guest/home?continue to session
[2m2023-04-01T06:18:27.016+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-1][0;39m [36mo.s.s.w.a.Http403ForbiddenEntryPoint [0;39m [2m:[0;39m Pre-authenticated entry point called. Rejecting access
[2m2023-04-01T06:18:27.016+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-1][0;39m [36mo.s.security.web.FilterChainProxy [0;39m [2m:[0;39m Securing GET /error
[2m2023-04-01T06:18:27.017+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-1][0;39m [36mo.s.s.w.a.AnonymousAuthenticationFilter [0;39m [2m:[0;39m Set SecurityContextHolder to anonymous SecurityContext
[2m2023-04-01T06:18:27.017+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-1][0;39m [36mo.s.s.w.s.HttpSessionRequestCache [0;39m [2m:[0;39m Saved request http://localhost:8100/error?continue to session
[2m2023-04-01T06:18:27.017+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-1][0;39m [36mo.s.s.w.a.Http403ForbiddenEntryPoint [0;39m [2m:[0;39m Pre-authenticated entry point called. Rejecting access
[2m2023-04-01T06:18:27.255+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-2][0;39m [36mo.s.security.web.FilterChainProxy [0;39m [2m:[0;39m Securing GET /home
[2m2023-04-01T06:18:27.256+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-2][0;39m [36mo.s.security.web.FilterChainProxy [0;39m [2m:[0;39m Secured GET /home
[2m2023-04-01T06:18:27.257+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-2][0;39m [36mo.s.security.web.FilterChainProxy [0;39m [2m:[0;39m Securing GET /guest/home
[2m2023-04-01T06:18:27.257+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-2][0;39m [36mo.s.s.w.a.AnonymousAuthenticationFilter [0;39m [2m:[0;39m Set SecurityContextHolder to anonymous SecurityContext
[2m2023-04-01T06:18:27.258+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-2][0;39m [36mo.s.s.w.s.HttpSessionRequestCache [0;39m [2m:[0;39m Saved request http://localhost:8100/guest/home?continue to session
[2m2023-04-01T06:18:27.258+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-2][0;39m [36mo.s.s.w.a.Http403ForbiddenEntryPoint [0;39m [2m:[0;39m Pre-authenticated entry point called. Rejecting access
[2m2023-04-01T06:18:27.258+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-2][0;39m [36mo.s.security.web.FilterChainProxy [0;39m [2m:[0;39m Securing GET /error
[2m2023-04-01T06:18:27.259+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-2][0;39m [36mo.s.s.w.a.AnonymousAuthenticationFilter [0;39m [2m:[0;39m Set SecurityContextHolder to anonymous SecurityContext
[2m2023-04-01T06:18:27.259+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-2][0;39m [36mo.s.s.w.s.HttpSessionRequestCache [0;39m [2m:[0;39m Saved request http://localhost:8100/error?continue to session
[2m2023-04-01T06:18:27.259+05:30[0;39m [32mDEBUG[0;39m [35m16852[0;39m [2m---[0;39m [2m[nio-8100-exec-2][0;39m [36mo.s.s.w.a.Http403ForbiddenEntryPoint [0;39m [2m:[0;39m Pre-authenticated entry point called. Rejecting access
我希望当我在安全过滤器链中命中permitAll的公共url时,它们应该是可访问的。
在spring security 6中,授权过滤器适用于每个分派类型。即DispatcherType。错误,DispatcherType。
像这样更新:
http.csrf(csrf -> csrf
.disable())
.authorizeHttpRequests(auth -> auth
.requestMatchers("/home")
.permitAll()
.dispatcherTypeMatchers(DispatcherType.ERROR)
.permitAll()
.anyRequest()
.authenticated());