Spring Boot/h2-console 使用 Spring Security 1.5.2 抛出 403 [英] Spring Boot /h2-console throws 403 with Spring Security 1.5.2

问题描述

我们最近从 Spring Boot 1.4.1 升级到 1.5.2.1.5.2 的特性之一是，如果 Spring Security 是包的一部分，那么它会受到基本身份验证的保护.即使在基本身份验证之后，我也无法访问 /h2-console.它抛出 403 禁止.

We recently upgraded from Spring Boot 1.4.1 to 1.5.2. One of the features of 1.5.2 is that if Spring Security is part of the package then it is protected by basic auth. I am unable to access the /h2-console even after basic auth. It throws 403 forbidden.

application.yml:

spring:
  datasource:
    driver-class-name: org.h2.Driver
    url: jdbc:h2:file:../app-db/app_db;AUTO_SERVER=TRUE
    username: sa
    password: sa
    initialize: false
  jpa:
    hibernate:
      ddl-auto: validate
    show-sql: true
    database-platform: org.hibernate.dialect.H2Dialect
  h2:
    console:
      enabled: true
      settings:
        web-allow-others: true
  allowed:
    resources: /h2-console/**

我什至明确允许 /h2-console/**

 httpSecurity.authorizeRequests()
                .antMatchers(allowedResources)                  
                .permitAll()

我在尝试访问 localhost:8080/h2-console 时不断收到 403.我尝试了很多设置以及放置:

I keep getting 403 when trying to access localhost:8080/h2-console. I tried many settings as well as putting:

management.security.enabled=true
security.basic.enabled=true

但是我无法访问 h2-console.

But I am unable to access the h2-console.

推荐答案

我启用了调试日志并看到了这个:

I enabled debug logging and saw this:

o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /h2-console/; Attributes: [hasAnyRole('ROLE_USER','ROLE_ACTUATOR')]
2017-05-05 13:16:09.304 DEBUG 90365 --- [nio-8080-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@33d2af72: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@7371d5f4: Dn: cn=XYZ,ou=XYZ,ou=Active,ou=ABC_USERS,dc=internal,dc=organization,dc=com; Username: uname; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 86EF50EF548ED4DBCE4D661AEC93F88C; Granted Authorities: ROLE_ADMIN
2017-05-05 13:16:09.305 DEBUG 90365 --- [nio-8080-exec-2] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@51d3d69, returned: -1
2017-05-05 13:16:09.305 DEBUG 90365 --- [nio-8080-exec-2] o.s.s.w.a.ExceptionTranslationFilter     : Access is denied (user is not anonymous); delegating to AccessDeniedHandler

我意识到我的用户没有 ROLE_USER.我假设 ROLE_ADMIN > ROLE_USER 但我仍然需要更好地理解这一点.

I realize that my user does not have the ROLE_USER. I was assuming ROLE_ADMIN > ROLE_USER but I still need to understand this a little better.

我将设置更新为:

security:
  basic:
    enabled: true
    authorize-mode: NONE

我现在可以访问 /h2-console/**.

这篇关于Spring Boot/h2-console 使用 Spring Security 1.5.2 抛出 403的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！