Problem with permitAll in Vaadin and WebSecurity - not working


Problem description


I have a few views made in Vaadin by @Route and now I want to add Security and some Login. In my SecurityConfiguration class I'm setting antMatchers.permitAll() only for 2 views and for the rest with Role ADMIN. But it is not working as I think it should. It demands login to access every view, and after login I have access to all views no matter what role the user has.


I hoped this tutorial would help me, but in it there are no views accessible without login.

Securing your app with Spring Security

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    private UserService userService;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    public SecurityConfiguration(UserService userService) {
        this.userService = userService;
    }

    // Users come from UserService plus one in-memory "user" with ROLE_USER.
    @Autowired
    private void configureAuth(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService);
        auth.inMemoryAuthentication()
                .withUser("user")
                .password(passwordEncoder().encode("user"))
                .roles("USER");
    }

    // Path-based rules: "/" and "/login" public, the two manager views ADMIN only.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().and()
                .anonymous()
                .and()
                .authorizeRequests()
                .antMatchers("/", "/login").permitAll()
                .antMatchers("/recipe-manager", "/ingredient-manager").hasAnyRole("ADMIN")
                .and()
                .formLogin().loginPage("/login").permitAll()
                .and()
                .logout().logoutSuccessUrl("/")
                .and()
                .csrf().disable().cors().disable().headers().disable();
    }

    // Static Vaadin resources bypass the security filter chain entirely.
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(
                "/VAADIN/**",
                "/favicon.ico",
                "/robots.txt",
                "/manifest.webmanifest",
                "/sw.js",
                "/offline-page.html",
                "/icons/**",
                "/images/**",
                "/frontend/**",
                "/webjars/**",
                "/h2-console/**",
                "/frontend-es5/**", "/frontend-es6/**");
    }
}

My views are annotated like this:

@Route("recipe-manager")
public class RecipeManagerView extends VerticalLayout
@Route("")
public class RecipeBrowserView extends VerticalLayout
@Route("login")
public class LoginView extends VerticalLayout
@Route("ingredient-manager")
public class IngredientManagerView extends VerticalLayout


I would expect that anyone can have access to RecipeBrowserView and LoginView, but only a logged-in user can have access to RecipeManagerView and IngredientManagerView.

Answer


You cannot use path-based matching from Spring Security for Vaadin routes. Spring Security does the matching based on request paths, whereas navigation from one view to another inside Vaadin is sent as metadata inside an internal request that always goes to the same hardcoded path.


Instead, you can implement your access control logic in an interceptor provided by Vaadin. You can have a look at https://vaadin.com/tutorials/securing-your-app-with-spring-security to find out more about this.
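As an added example (not code from the question, the answer or the Vaadin tutorial), here is what such an interceptor can look like: a VaadinServiceInitListener, picked up as a Spring bean, that runs a BeforeEnterListener on every navigation and checks the Spring Security context instead of the request path. The class name RouteAccessControl, the view-to-role map and the authority name ROLE_ADMIN are assumptions; the view classes are the ones from the question and are assumed to be in the same package.

```java
import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.router.BeforeEnterListener;
import com.vaadin.flow.router.NotFoundException;
import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinServiceInitListener;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

import java.util.Map;
import java.util.Set;

// Access control per Vaadin view, evaluated before each navigation.
// antMatchers cannot do this: every navigation arrives on the same internal URL.
@Component
public class RouteAccessControl implements VaadinServiceInitListener, BeforeEnterListener {

    // Assumed policy for the views in the question; views not listed are public.
    private static final Map<Class<?>, Set<String>> REQUIRED_ROLES = Map.of(
            RecipeManagerView.class, Set.of("ROLE_ADMIN"),
            IngredientManagerView.class, Set.of("ROLE_ADMIN"));

    @Override
    public void serviceInit(ServiceInitEvent event) {
        // Register the listener on every UI so it sees all route changes.
        event.getSource().addUIInitListener(
                uiEvent -> uiEvent.getUI().addBeforeEnterListener(this));
    }

    @Override
    public void beforeEnter(BeforeEnterEvent event) {
        Set<String> required = REQUIRED_ROLES.get(event.getNavigationTarget());
        if (required == null) {
            return; // public view, nothing to check
        }
        // The internal request passed through the Spring Security filter chain,
        // so the thread-local context holds the current Authentication.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        boolean loggedIn = auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
        if (!loggedIn) {
            event.rerouteTo(LoginView.class); // anonymous: send to the login view
            return;
        }
        boolean allowed = auth.getAuthorities().stream()
                .anyMatch(a -> required.contains(a.getAuthority()));
        if (!allowed) {
            // Authenticated but missing the role: show "not found" rather than the view.
            event.rerouteToError(NotFoundException.class);
        }
    }
}
```

With this in place the antMatchers on view paths in the question's HttpSecurity config no longer decide anything; they can be reduced to permitting the Vaadin internal requests and the login page.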
