无法在 Spring Security 中加载静态内容 [英] Unable to load static content in spring security
问题描述
我从这个来源构建了一个基本的 spring 身份验证服务:
这是我的 mvcConfig 代码:
包你好;导入 org.springframework.context.annotation.Configuration;导入 org.springframework.web.servlet.config.annotation.ViewControllerRegistry;导入 org.springframework.web.servlet.config.annotation.WebMvcConfigurer;导入 org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;@配置公共类 MvcConfig 实现了 WebMvcConfigurer {public void addViewControllers(ViewControllerRegistry 注册表) {registry.addViewController("/home").setViewName("home");registry.addViewController("/").setViewName("home");registry.addViewController("/hello").setViewName("重定向:http://localhost:3000/home.html");registry.addViewController("/login").setViewName("login");}@覆盖public void addResourceHandlers(ResourceHandlerRegistry registry) {if (!registry.hasMappingForPattern("/webjars/**")) {registry.addResourceHandler("/webjars/**").addResourceLocations("classpath:/META-INF/resources/webjars/");}if (!registry.hasMappingForPattern("/**")) {registry.addResourceHandler("/**").addResourceLocations("classpath:/META-INF/resources/", "classpath:/resources/","classpath:/static/", "classpath:/public/");}registry.addResourceHandler("/resources/**").addResourceLocations("/resources/");}}
WebSecurityConfig 代码:
包你好;导入 org.springframework.context.annotation.Bean;导入 org.springframework.context.annotation.Configuration;导入 org.springframework.security.config.annotation.web.builders.HttpSecurity;导入 org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;导入 org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;导入 org.springframework.security.core.userdetails.User;导入 org.springframework.security.core.userdetails.UserDetails;导入 org.springframework.security.core.userdetails.UserDetailsService;导入 org.springframework.security.provisioning.InMemoryUserDetailsManager;@配置@启用网络安全公共类 WebSecurityConfig 扩展了 WebSecurityConfigurerAdapter {@覆盖protected void configure(HttpSecurity http) 抛出异常 {http.authorizeRequests().antMatchers("/", "/home","/resources/**").permitAll().anyRequest().authenticated().and().formLogin().loginPage("/登录").permitAll().and().注销().permitAll();}@豆@覆盖公共 UserDetailsService userDetailsService() {用户详细信息用户 =User.withDefaultPasswordEncoder().username("用户").password("密码").roles("用户").build();返回新的 InMemoryUserDetailsManager(user);}
}
在 WebSecurityConfig
类中,您将 permitAll 设置为仅 '/'
, '/home'
和 '/resources/**'
.匿名用户无需安全检查即可访问这三个端点.
对于 test.js
文件,src 指向当前 url 中的 test.js
.因此,当您在 localhost 上运行它时,浏览器会尝试将 test.js
查找为 http://localhost:{port}/{current-page-url}/test.js代码>
例如,如果页面位于 /home
下,则浏览器调用 http://localhost:8080/home/test.js
,但正如您在WebSecurityConfig
除了 /home
本身之外的任何调用都将被 Spring Security 阻止.(/home
和 /home/**
不一样)
所以你需要做的是将src url改为<script src="/resources/test.js"></script>
因为下的任何东西/resources/**
端点可以被任何人访问,并且它已经在 MvcConfig
registry.addResourceHandler("/resources/**").addResourceLocations("classpath:/");
希望这有帮助!快乐编码:)
添加:
此外,在 标签中,您应该将
type
属性更改为 text/javascript
或者您可以删除该属性它会起作用.
I have built a basic spring authentication service from this source: https://spring.io/guides/gs/securing-web/
Tried to include JS files from Local folders using almost all solutions on stackoverflow but I couldn't. When the html page loads, it says:
"Uncaught ReferenceError: myFunction is not defined"
Here is my home.html script:
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
<head>
<title>Spring Security Example</title>
<script type="javascript" src="test.js"></script>
</head>
<body onload="myFunction()">
<h1>Welcome!</h1>
<p>Click <a href="/hello">here</a> to see a greeting.</p>
</body>
</html>
Here is where my js file is located and htmls are placed in templates folder.
here is my mvcConfig code:
package hello;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
@Configuration
public class MvcConfig implements WebMvcConfigurer {
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/home").setViewName("home");
registry.addViewController("/").setViewName("home");
registry.addViewController("/hello").setViewName("redirect:http://localhost:3000/home.html");
registry.addViewController("/login").setViewName("login");
}
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
if (!registry.hasMappingForPattern("/webjars/**")) {
registry.addResourceHandler("/webjars/**").addResourceLocations(
"classpath:/META-INF/resources/webjars/");
}
if (!registry.hasMappingForPattern("/**")) {
registry.addResourceHandler("/**").addResourceLocations("classpath:/META-INF/resources/", "classpath:/resources/","classpath:/static/", "classpath:/public/");
}
registry.addResourceHandler("/resources/**")
.addResourceLocations("/resources/");
}
}
WebSecurityConfig code:
package hello;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/", "/home","/resources/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
}
@Bean
@Override
public UserDetailsService userDetailsService() {
UserDetails user =
User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build();
return new InMemoryUserDetailsManager(user);
}
}
In the WebSecurityConfig
class you set permitAll to only '/'
, '/home'
, and '/resources/**'
. An anonymous user can access these three endpoints without security check.
For test.js
file, the src points to test.js
in the current url. So when you run it on localhost, the browser tries to find the test.js
as http://localhost:{port}/{current-page-url}/test.js
For example, if the page is under /home
then the browser calls http://localhost:8080/home/test.js
, but as you defined in the WebSecurityConfig
any call except /home
itself will be blocked by Spring Security. (/home
is not the same as /home/**
)
So what you need to do is to change the src url to <script src="/resources/test.js"></script>
Because anything under the /resources/**
endpoint can be accessed by anyone and it is already registered in the resourceHandler configuration in the MvcConfig
registry.addResourceHandler("/resources/**")
.addResourceLocations("classpath:/");
Hope this helps! Happy Coding :)
ADD :
Also the in the <script>
tag you should change the type
attribute to text/javascript
or you can just remove the attribute and it will work.
这篇关于无法在 Spring Security 中加载静态内容的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!