为什么在 Spring Boot 中使用具有第一优先级的 httpbasic 配置时,具有第二优先级的 formlogin 不起作用? [英] Why is formlogin with second precedence not working when configured with httpbasic with first precedence in spring boot?
本文介绍了为什么在 Spring Boot 中使用具有第一优先级的 httpbasic 配置时,具有第二优先级的 formlogin 不起作用?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有一个公开api"服务和web"页面的应用程序.所以,我已经根据 Spring 的文档(以及其他各种 SO 帖子)配置了 httpbasic 和 formlogin
I have an application that exposes "api" services and "web" pages. So, I've configured httpbasic and formlogin as per Spring's documentation (and from various other SO posts)
- http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#multiple-httpsecurity
- Spring Security HTTP Basic forWeb 的 RESTFul 和 FormLogin (Cookie) - 注释
下面是我的自定义网络安全配置器代码
Below is my custom web security configurer code
@EnableWebSecurity
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {
private final Logger log = LoggerFactory.getLogger(this.getClass());
@Autowired
private MyAuthenticationProvider myAuthenticationProvider;
@Autowired
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(myAuthenticationProvider);
}
@Configuration
@Order(1)
public static class BasicAuthentication extends WebSecurityConfigurerAdapter{
private final Logger log = LoggerFactory.getLogger(this.getClass());
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/myapp/api/**").authenticated()
.and() // Permit access for all to login REST service
.httpBasic()
.authenticationEntryPoint(new MyAuthenticationFailurePoint());
}
}
@Configuration
@Order(2)
public static class FormAuthentication extends WebSecurityConfigurerAdapter{
private final Logger log = LoggerFactory.getLogger(this.getClass());
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/myapp/web/**").authenticated()
.and()
.formLogin()
.loginPage("/myapp/web/login")
.permitAll()
.and()
.logout()
.logoutUrl("/myapp/web/logout")
.permitAll();
}
}
}
使用此代码,当我使用 (GET) "http://localhost:8083/myapp/api/getIds" 时,逻辑按预期工作,并调用我的自定义身份验证提供程序.请在下面找到日志供您参考
With this code, when I consume (GET) "http:/ /localhost:8083/myapp/api/getIds", the logic works as expected and my custom authentication provider gets called. Please find below the logs for your reference
[DEBUG] 2016-12-21 04:36:08.878 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
[DEBUG] 2016-12-21 04:36:08.904 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[DEBUG] 2016-12-21 04:36:08.928 org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
[DEBUG] 2016-12-21 04:36:08.928 org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
[DEBUG] 2016-12-21 04:36:09.029 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
[DEBUG] 2016-12-21 04:36:09.030 org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@3b41e91a
[DEBUG] 2016-12-21 04:36:09.030 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
[DEBUG] 2016-12-21 04:36:09.030 org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/myapp/api/getids'; against '/logout'
[DEBUG] 2016-12-21 04:36:09.030 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
[DEBUG] 2016-12-21 04:36:09.089 org.springframework.security.web.authentication.www.BasicAuthenticationFilter - Basic Authentication Authorization header found for user 'testuser'
[DEBUG] 2016-12-21 04:36:09.166 org.springframework.security.authentication.ProviderManager - Authentication attempt using com.myapp.inf.authenticator.MyAuthenticationProvider
[TRACE] 2016-12-21 04:36:33.498 org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext - Publishing event in org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@13330ac6: org.springframework.security.authentication.event.AuthenticationSuccessEvent[source=org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fa787cf9: Principal: testuser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities]
[DEBUG] 2016-12-21 04:36:33.498 org.springframework.beans.factory.support.DefaultListableBeanFactory - Returning cached instance of singleton bean 'delegatingApplicationListener'
[DEBUG] 2016-12-21 04:36:33.499 org.springframework.security.web.authentication.www.BasicAuthenticationFilter - Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fa787cf9: Principal: testuser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities
[DEBUG] 2016-12-21 04:36:33.499 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[DEBUG] 2016-12-21 04:36:33.499 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[DEBUG] 2016-12-21 04:36:33.551 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[DEBUG] 2016-12-21 04:36:33.551 org.springframework.security.web.authentication.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fa787cf9: Principal: testuser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities'
[DEBUG] 2016-12-21 04:36:33.551 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
[DEBUG] 2016-12-21 04:36:33.551 org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@46bf4560
[DEBUG] 2016-12-21 04:36:33.583 org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession being created as SecurityContext is non-default
[DEBUG] 2016-12-21 04:36:33.835 org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@fa787cf9: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fa787cf9: Principal: testuser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities' stored to HttpSession: 'org.apache.catalina.session.StandardSessionFacade@2c175127
[DEBUG] 2016-12-21 04:36:33.835 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[DEBUG] 2016-12-21 04:36:33.835 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[DEBUG] 2016-12-21 04:36:33.860 org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/myapp/api/getids'; against '/myapp/api/**'
[DEBUG] 2016-12-21 04:36:33.860 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /myapp/api/getIds; Attributes: [authenticated]
[DEBUG] 2016-12-21 04:36:33.860 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fa787cf9: Principal: testuser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities
[DEBUG] 2016-12-21 04:36:34.082 org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@5169d120, returned: 1
[DEBUG] 2016-12-21 04:36:34.082 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Authorization successful
[DEBUG] 2016-12-21 04:36:34.082 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - RunAsManager did not change Authentication object
[DEBUG] 2016-12-21 04:36:34.083 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds reached end of additional filter chain; proceeding with original chain
现在,当我(从浏览器)点击http://localhost:8083/myapp/web/MainConsole"时,我没有收到登录页面的提示.请在下面找到此命中的日志.它们表明弹簧靴正在为此命中使用httpbasic"配置
Now, when I hit (from browser) "http:/ /localhost:8083/myapp/web/MainConsole", I'm not being prompted for a login page. Please find below the logs for this hit. They indicate that spring boot is using "httpbasic" config for this hit
[DEBUG] 2016-12-21 04:41:30.179 [http-nio-8083-exec-3] org.springframework.boot.context.web.OrderedRequestContextFilter - Bound request context to thread: org.apache.catalina.connector.RequestFacade@26ff703a
[DEBUG] 2016-12-21 04:41:30.179 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
[DEBUG] 2016-12-21 04:41:30.179 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@3b41e91a
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/myapp/web/mainconsole'; against '/logout'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[DEBUG] 2016-12-21 04:41:30.188 [http-nio-8083-exec-3] org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
[DEBUG] 2016-12-21 04:41:30.188 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
[DEBUG] 2016-12-21 04:41:30.188 [http-nio-8083-exec-3] org.springframework.security.web.session.SessionManagementFilter - Requested session ID 2E28DB9D6699424055855E4F28D7AF9A is invalid.
[DEBUG] 2016-12-21 04:41:30.189 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[DEBUG] 2016-12-21 04:41:30.189 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[DEBUG] 2016-12-21 04:41:30.189 [http-nio-8083-exec-3] org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/myapp/web/mainconsole'; against '/myapp/api/**'
[DEBUG] 2016-12-21 04:41:30.189 [http-nio-8083-exec-3] org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Public object - authentication not attempted
[TRACE] 2016-12-21 04:41:30.189 [http-nio-8083-exec-3] org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext - Publishing event in org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@13330ac6: org.springframework.security.access.event.PublicInvocationEvent[source=FilterInvocation: URL: /myapp/web/MainConsole]
[DEBUG] 2016-12-21 04:41:30.189 [http-nio-8083-exec-3] org.springframework.beans.factory.support.DefaultListableBeanFactory - Returning cached instance of singleton bean 'delegatingApplicationListener'
[DEBUG] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole reached end of additional filter chain; proceeding with original chain
[TRACE] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.web.servlet.DispatcherServlet - Bound request context to thread: SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.context.HttpSessionSecurityContextRepository$Servlet3SaveToSessionRequestWrapper@1274a368]
[DEBUG] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.web.servlet.DispatcherServlet - DispatcherServlet with name 'dispatcherServlet' processing GET request for [/myapp/web/MainConsole]
[TRACE] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.web.servlet.DispatcherServlet - Testing handler map [org.springframework.web.servlet.handler.SimpleUrlHandlerMapping@219e6d9f] in DispatcherServlet with name 'dispatcherServlet'
[TRACE] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - No handler mapping found for [/myapp/web/MainConsole]
[TRACE] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.web.servlet.DispatcherServlet - Testing handler map [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping@5afb11fb] in DispatcherServlet with name 'dispatcherServlet'
[DEBUG] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Looking up handler method for path /myapp/web/MainConsole
[TRACE] 2016-12-21 04:41:30.191 [http-nio-8083-exec-3] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Found 1 matching mapping(s) for [/myapp/web/MainConsole] : [{[/myapp/web/MainConsole]}]
[DEBUG] 2016-12-21 04:41:30.191 [http-nio-8083-exec-3] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Returning handler method [public java.lang.String com.myapp.core.controllers.web.MainConsole.showMainConsole()]
[DEBUG] 2016-12-21 04:41:30.191 [http-nio-8083-exec-3] org.springframework.beans.factory.support.DefaultListableBeanFactory - Returning cached instance of singleton bean 'mainConsole'
[TRACE] 2016-12-21 04:41:30.191 [http-nio-8083-exec-3] org.springframework.web.servlet.DispatcherServlet - Testing handler adapter [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter@718cb880]
[DEBUG] 2016-12-21 04:41:30.191 [http-nio-8083-exec-3] org.springframework.web.servlet.DispatcherServlet - Last-Modified value for [/myapp/web/MainConsole] is: -1
[TRACE] 2016-12-21 04:41:30.193 [http-nio-8083-exec-3] org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod - Invoking [MainConsole.showMainConsole] method with arguments []
[TRACE] 2016-12-21 04:41:30.194 [http-nio-8083-exec-3] org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod - Method [showMainConsole] returned [home]
[DEBUG] 2016-12-21 04:41:30.230 [http-nio-8083-exec-3] org.springframework.web.servlet.view.ContentNegotiatingViewResolver - Requested media types are [text/html, application/xhtml+xml, image/webp, application/xml;q=0.9, */*;q=0.8] based on Accept header types and producible media types [*/*])
[DEBUG] 2016-12-21 04:41:30.230 [http-nio-8083-exec-3] org.springframework.web.servlet.view.BeanNameViewResolver - No matching bean found for view name 'home'
然后,我交换了httpbasic"和formlogin"的顺序,重新执行了http:///localhost:8083/myapp/web/MainConsole".现在,正确的过滤器 - UsernamePasswordAuthenticationFilter - 被调用.但是,api"点击现在不起作用.
Then, I swaped the order on "httpbasic" and "formlogin" and re-executed "http:/ /localhost:8083/myapp/web/MainConsole". Now, the correct filter - UsernamePasswordAuthenticationFilter - gets called. BUt, the "api" hits aren't working now.
[DEBUG] 2016-12-21 04:52:56.357 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
[DEBUG] 2016-12-21 04:52:56.383 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[DEBUG] 2016-12-21 04:52:56.409 org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
[DEBUG] 2016-12-21 04:52:56.410 org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
[DEBUG] 2016-12-21 04:52:56.514 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
[DEBUG] 2016-12-21 04:52:56.515 org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@32c4de26
[DEBUG] 2016-12-21 04:52:56.515 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
[DEBUG] 2016-12-21 04:52:56.567 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
[DEBUG] 2016-12-21 04:52:56.567 org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /myapp/web/mainconsole' doesn't match 'POST /myapp/logout
[DEBUG] 2016-12-21 04:52:56.567 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 6 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
[DEBUG] 2016-12-21 04:52:56.567 org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /myapp/web/mainconsole' doesn't match 'POST /myapp/login
[DEBUG] 2016-12-21 04:52:56.567 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[DEBUG] 2016-12-21 04:52:56.568 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[DEBUG] 2016-12-21 04:52:56.623 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[DEBUG] 2016-12-21 04:52:56.702 org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
[DEBUG] 2016-12-21 04:52:56.703 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
[DEBUG] 2016-12-21 04:52:56.703 org.springframework.security.web.session.SessionManagementFilter - Requested session ID 2E28DB9D6699424055855E4F28D7AF9A is invalid.
[DEBUG] 2016-12-21 04:52:56.703 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[DEBUG] 2016-12-21 04:52:56.703 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[DEBUG] 2016-12-21 04:52:56.728 org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /myapp/web/mainconsole' doesn't match 'POST /myapp/logout
[DEBUG] 2016-12-21 04:52:56.728 org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/myapp/web/mainconsole'; against '/myapp/web/**'
[DEBUG] 2016-12-21 04:52:56.729 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /myapp/web/MainConsole; Attributes: [authenticated]
[DEBUG] 2016-12-21 04:52:56.729 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
[DEBUG] 2016-12-21 04:52:56.930 org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@9d78e5c, returned: -1
[TRACE] 2016-12-21 04:52:56.931 org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext - Publishing event in org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@13330ac6: org.springframework.security.access.event.AuthorizationFailureEvent[source=FilterInvocation: URL: /myapp/web/MainConsole]
[DEBUG] 2016-12-21 04:52:56.931 org.springframework.beans.factory.support.DefaultListableBeanFactory - Returning cached instance of singleton bean 'delegatingApplicationListener'
[DEBUG] 2016-12-21 04:52:56.932 org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
为什么 httpsbasic 总是优先,而不管与 formlogin 匹配的 URL 模式如何?
Why is httpsbasic is ALWAYS taking first precedence, regardless of a URL pattern that matches for formlogin?
推荐答案
因为你设置了 api order 为 1,所以它会一直在 API 过滤器链中.将 api 配置更改为这个.这将首先匹配请求路径.
Because you set the api order to 1, so it will always in API filter chain.Change the api config to this. This will match the request path first.
http.antMatcher("/myapp/api/**")
.csrf().disable().authorizeRequests()
.antMatchers("/**").authenticated().and() // Permit access for all to login REST service
.httpBasic()
.authenticationEntryPoint(new MyAuthenticationFailurePoint());
这篇关于为什么在 Spring Boot 中使用具有第一优先级的 httpbasic 配置时,具有第二优先级的 formlogin 不起作用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
