防止spring-security将无效URL重定向到登录页面 [英] Preventing spring-security to redirect invalid urls to login page

问题描述

我已经设置了一个spring-boot + spring-mvc + spring-security项目。

I've setup a spring-boot + spring-mvc + spring-security project.

除了无效的网址外，一切都按预期工作。

Everything work as expected right now except for the invalid urls.

如果我发出：

http://siteaddr.com/invalid/url

我希望看到我的404找不到页面，但是spring-security首先重定向到登录页面并且在身份验证后显示404未找到！

I expect to see my 404 not found page, but spring-security redirects to login page first and after authentication shows 404 not found!

我认为这不应该如何工作！

I don't think this is how it should work!

这是我的Websecurity配置：

Here is my Websecurity config:

package com.webitalkie.webapp.config;

import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.ServletContext;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

import com.webitalkie.webapp.security.DatabaseUserDetailsServic;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DatabaseUserDetailsServic userDetailsService;
    @Autowired
    private ServletContext servletContext;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        servletContext.getFilterRegistration(AbstractSecurityWebApplicationInitializer
                .DEFAULT_FILTER_NAME).addMappingForUrlPatterns(EnumSet
                        .allOf(DispatcherType.class), false, "/*");

        http.csrf().disable();
        http.authorizeRequests()
        .antMatchers("/home/", "/home", "/home/index", "/", "/favicon.ico").permitAll()
        .antMatchers("/contents/**").permitAll()
        .anyRequest().authenticated()
        .and()
        .formLogin()
        .loginPage("/home/loginsec").failureUrl("/loginsecerror").permitAll()
        .and()
        .logout()
        .logoutUrl("/home/logout")
        .logoutSuccessUrl("/home/index")
        .invalidateHttpSession(true);

    }

    @Override
    @org.springframework.beans.factory.annotation.Autowired
    protected void configure(
            org.springframework.security.config.annotation
            .authentication.builders.AuthenticationManagerBuilder auth) throws Exception {

        auth.userDetailsService(userDetailsService).passwordEncoder(getPasswordEncoder());
    }

    public PasswordEncoder getPasswordEncoder() {

        return new BcryptPasswordEncoder(11);
    }
}

你们有什么想法吗？

推荐答案

要自定义特定用例，请按建议应用反转逻辑。你可以这样做：

To customize your particular use case apply the inverted logic as suggested. You could do like this:

1）替换

.anyRequest().authenticated()

by

.anyRequest().anonymous()

2）添加

.antMatchers("/protected-urls/**").authenticated()

2）中的规则必须在1）之前，因为第一场比赛适用。除非您有受保护资源的公共网址前缀，否则您必须逐个声明所有经过身份验证的网址。

The rule in 2) must come before that in 1) as the first match applies. Unless you have a common url prefix for protected resources you'll have to declare all the authenticated urls one by one.

您还可以应用其他配置覆盖

You can also apply additional configuration overriding the

public void configure(WebSecurity web)...

例如忽略静态资源：

web.ignoring().antMatchers("/favicon.ico", "*.css")

希望有所帮助。

这篇关于防止spring-security将无效URL重定向到登录页面的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！