Spring Boot/h2-console 使用 Spring Security 1.5.2 抛出 403 [英] Spring Boot /h2-console throws 403 with Spring Security 1.5.2
问题描述
我们最近从 Spring Boot 1.4.1 升级到 1.5.2.1.5.2 的特性之一是,如果 Spring Security 是包的一部分,那么它会受到基本身份验证的保护.即使在基本身份验证之后,我也无法访问 /h2-console
.它抛出 403 禁止.
We recently upgraded from Spring Boot 1.4.1 to 1.5.2. One of the features of 1.5.2 is that if Spring Security is part of the package then it is protected by basic auth. I am unable to access the /h2-console
even after basic auth. It throws 403 forbidden.
application.yml
:
spring:
datasource:
driver-class-name: org.h2.Driver
url: jdbc:h2:file:../app-db/app_db;AUTO_SERVER=TRUE
username: sa
password: sa
initialize: false
jpa:
hibernate:
ddl-auto: validate
show-sql: true
database-platform: org.hibernate.dialect.H2Dialect
h2:
console:
enabled: true
settings:
web-allow-others: true
allowed:
resources: /h2-console/**
我什至明确允许 /h2-console/**
httpSecurity.authorizeRequests()
.antMatchers(allowedResources)
.permitAll()
我在尝试访问 localhost:8080/h2-console
时不断收到 403.我尝试了很多设置以及放置:
I keep getting 403 when trying to access localhost:8080/h2-console
.
I tried many settings as well as putting:
management.security.enabled=true
security.basic.enabled=true
但是我无法访问 h2-console.
But I am unable to access the h2-console.
推荐答案
我启用了调试日志并看到了这个:
I enabled debug logging and saw this:
o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /h2-console/; Attributes: [hasAnyRole('ROLE_USER','ROLE_ACTUATOR')]
2017-05-05 13:16:09.304 DEBUG 90365 --- [nio-8080-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@33d2af72: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@7371d5f4: Dn: cn=XYZ,ou=XYZ,ou=Active,ou=ABC_USERS,dc=internal,dc=organization,dc=com; Username: uname; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 86EF50EF548ED4DBCE4D661AEC93F88C; Granted Authorities: ROLE_ADMIN
2017-05-05 13:16:09.305 DEBUG 90365 --- [nio-8080-exec-2] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@51d3d69, returned: -1
2017-05-05 13:16:09.305 DEBUG 90365 --- [nio-8080-exec-2] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is not anonymous); delegating to AccessDeniedHandler
我意识到我的用户没有 ROLE_USER
.我假设 ROLE_ADMIN
> ROLE_USER
但我仍然需要更好地理解这一点.
I realize that my user does not have the ROLE_USER
. I was assuming ROLE_ADMIN
> ROLE_USER
but I still need to understand this a little better.
我将设置更新为:
security:
basic:
enabled: true
authorize-mode: NONE
我现在可以访问 /h2-console/**
.
这篇关于Spring Boot/h2-console 使用 Spring Security 1.5.2 抛出 403的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!