Spring Security keeps redirecting me to login page

Problem description

Whatever link I type in the address bar, it keeps redirecting me to the login page. How can I prevent that?

For example, if I add http://localhost:8080/asdasdsa it will redirect me to http://localhost:8080/account/login, so if I add anything after http://localhost:8080/ I will be redirected to the account/login view.

My security configuration:

package com.example.configuration;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder;

    @Autowired
    private DataSource dataSource;

    @Value("${spring.queries.users-query}")
    private String usersQuery;

    @Value("${spring.queries.roles-query}")
    private String rolesQuery;

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth
            .jdbcAuthentication()
                .usersByUsernameQuery(usersQuery)
                .authoritiesByUsernameQuery(rolesQuery)
                .dataSource(dataSource)
                .passwordEncoder(bCryptPasswordEncoder);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/index").permitAll()
                .antMatchers("/other/other").permitAll()
                .antMatchers("/account/login").permitAll()
                .antMatchers("/account/registration").permitAll()
                .antMatchers("/account/admin/**").hasAuthority("ADMIN")
                .anyRequest().authenticated()
                .and()
            .csrf().disable()
            .formLogin()
                .loginPage("/account/login")
                .failureUrl("/account/login?error=true")
                .defaultSuccessUrl("/account/admin/")
                .usernameParameter("email")
                .passwordParameter("password")
                .and()
            .logout().permitAll()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/")
                .and()
            .exceptionHandling()
                .accessDeniedPage("/access-denied");
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
           .ignoring()
               .antMatchers("/resources/**", "/static/**", "/css/**", "/js/**", "/images/**", "/img/**");
    }
}

Recommended answer

You configured that all other URLs must be authenticated, see Spring Security Reference:

Authorize Requests

Our examples have only required users to be authenticated and have done so for every URL in our application. We can specify custom requirements for our URLs by adding multiple children to our http.authorizeRequests() method. For example:

protected void configure(HttpSecurity http) throws Exception {
  http
      .authorizeRequests()                                                          // 1
          .antMatchers("/resources/**", "/signup", "/about").permitAll()            // 2
          .antMatchers("/admin/**").hasRole("ADMIN")                                // 3
          .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")      // 4
          .anyRequest().authenticated()                                             // 5
          .and()
      // ...
      .formLogin();
}

1 There are multiple children to the http.authorizeRequests() method each matcher is considered in the order they were declared.

2 We specified multiple URL patterns that any user can access. Specifically, any user can access a request if the URL starts with "/resources/", equals "/signup", or equals "/about".

3 Any URL that starts with "/admin/" will be restricted to users who have the role "ROLE_ADMIN". You will notice that since we are invoking the hasRole method we do not need to specify the "ROLE_" prefix.

4 Any URL that starts with "/db/" requires the user to have both "ROLE_ADMIN" and "ROLE_DBA". You will notice that since we are using the hasRole expression we do not need to specify the "ROLE_" prefix.

5 Any URL that has not already been matched on only requires that the user be authenticated
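
As an added example (not part of the original answer and not Spring Security code), the following self-contained Java program models first-match evaluation of the rules from the question's configure(HttpSecurity) with a simplified matcher. The class name FirstMatchDemo, the decide helper and the outcome strings are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Simplified model of ordered, first-match authorization rules.
// Hypothetical names; this is not how Spring Security is implemented.
public class FirstMatchDemo {

    // Rules in declaration order, taken from the question's configuration.
    // Value: null = permitAll, "" = any authenticated user, else required authority.
    static final Map<String, String> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/", null);
        RULES.put("/index", null);
        RULES.put("/other/other", null);
        RULES.put("/account/login", null);
        RULES.put("/account/registration", null);
        RULES.put("/account/admin/**", "ADMIN");
        RULES.put("/**", "");   // stands in for anyRequest().authenticated()
    }

    // Simplified matcher: exact path, or a prefix when the pattern ends in "/**".
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/**")) {
            String prefix = pattern.substring(0, pattern.length() - 3);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pattern.equals(path);
    }

    // authority == null models an anonymous (not logged in) request.
    static String decide(String path, String authority) {
        for (Map.Entry<String, String> rule : RULES.entrySet()) {
            if (!matches(rule.getKey(), path)) continue;   // first match wins
            String required = rule.getValue();
            if (required == null) return "allowed (permitAll)";
            if (authority == null) return "redirect to /account/login";
            if (required.isEmpty() || required.equals(authority)) return "allowed";
            return "denied -> /access-denied";
        }
        return "no rule matched";
    }

    public static void main(String[] args) {
        String[] paths = {"/", "/index", "/asdasdsa", "/account/admin/users"};
        for (String p : paths) {
            System.out.printf("%-22s anonymous: %-28s USER: %-26s ADMIN: %s%n",
                p, decide(p, null), decide(p, "USER"), decide(p, "ADMIN"));
        }
    }
}
```

Any path not listed in an earlier rule, such as /asdasdsa, falls through to the final catch-all, so an anonymous request for it is sent to the login page while a logged-in user passes the authorization check.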
