Serving static web resources in Spring Boot & Spring Security application


Problem description

I am trying to develop a Spring Boot web application and secure it using Spring Security Java configuration.

After placing my static web resources in 'src/main/resources/public' as advised here in the Spring blog, I am able to get the static resources, i.e. hitting https://localhost/test.html in the browser does serve the HTML content.

After I enabled Spring Security, hitting the static resource URL requires authentication.

My relevant Spring Security Java config looks like this:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http.
            authorizeRequests()
                .antMatchers("/","/public/**", "/resources/**","/resources/public/**")
                    .permitAll()
                .antMatchers("/google_oauth2_login").anonymous()
                    .anyRequest().authenticated()
                .and()
                .formLogin()
                    .loginPage("/")
                    .loginProcessingUrl("/login")
                    .defaultSuccessUrl("/home")
                    .and()
                    .csrf().disable()
                    .logout()
                        .logoutSuccessUrl("/")
                        .logoutUrl("/logout") // POST only
                .and()
                    .requiresChannel()
                    .anyRequest().requiresSecure()
                .and()
                    .addFilterAfter(oAuth2ClientContextFilter(),ExceptionTranslationFilter.class)
                    .addFilterAfter(googleOAuth2Filter(),OAuth2ClientContextFilter.class)
                .userDetailsService(userService);
        // @formatter:on
    }

How should I configure antMatchers to permit static resources placed inside src/main/resources/public?

Recommended answer

There are a few things to note:

  • The Ant matchers match against the request path and not the path of the resource on the filesystem.
  • Resources placed in src/main/resources/public will be served from the root of your application. For example src/main/resources/public/hello.jpg would be served from http://localhost:8080/hello.jpg

This is why your current matcher configuration hasn't permitted access to the static resources. For /resources/** to work, you would have to place the resources in src/main/resources/public/resources and access them at http://localhost:8080/resources/your-resource.

As you're using Spring Boot, you may want to consider using its defaults rather than adding extra configuration. Spring Boot will, by default, permit access to /css/**, /js/**, /images/**, and /**/favicon.ico. You could, for example, have a file named src/main/resources/public/images/hello.jpg and, without adding any extra configuration, it would be accessible at http://localhost:8080/images/hello.jpg without having to log in. You can see this in action in the web method security smoke test where access is permitted to the Bootstrap CSS file without any special configuration.
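
The request-path point above can be checked before touching the security configuration. The following is an added example, not code from the original question or answer: it uses Spring's AntPathMatcher to evaluate Ant-style patterns against the request path each file is served at. The class name, helper names and the app.js file are hypothetical; the other paths and patterns are taken from the question and answer.

```java
import java.util.List;
import org.springframework.util.AntPathMatcher;

public class StaticMatcherCheck {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Static location from the question; its contents are served from the application root.
    static final String STATIC_ROOT = "src/main/resources/public";

    // Patterns passed to permitAll() in the question's configuration.
    static final List<String> QUESTION_PATTERNS =
            List.of("/", "/public/**", "/resources/**", "/resources/public/**");

    // Patterns the answer lists as permitted by Spring Boot's defaults.
    static final List<String> BOOT_DEFAULT_PATTERNS =
            List.of("/css/**", "/js/**", "/images/**", "/**/favicon.ico");

    // Translate a source file under the static root into the request path it is served at.
    static String requestPathFor(String sourceFile) {
        if (!sourceFile.startsWith(STATIC_ROOT + "/")) {
            throw new IllegalArgumentException("not under " + STATIC_ROOT + ": " + sourceFile);
        }
        return sourceFile.substring(STATIC_ROOT.length());
    }

    // True if any pattern matches the request path (what a permitAll() rule is evaluated against).
    static boolean permitted(List<String> patterns, String requestPath) {
        return patterns.stream().anyMatch(p -> MATCHER.match(p, requestPath));
    }

    public static void main(String[] args) {
        List<String> files = List.of(
                STATIC_ROOT + "/test.html",            // from the question
                STATIC_ROOT + "/resources/app.js",     // constructed sample file
                STATIC_ROOT + "/images/hello.jpg");    // from the answer
        for (String file : files) {
            String path = requestPathFor(file);
            System.out.printf("%-45s served at %-20s question=%b bootDefaults=%b%n",
                    file, path,
                    permitted(QUESTION_PATTERNS, path),
                    permitted(BOOT_DEFAULT_PATTERNS, path));
        }
    }
}
```

Running it with spring-core on the classpath prints, per file, the request path and whether each pattern set would permit it, which makes a filesystem-style pattern such as /public/** easy to spot as never matching.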
