Spring Security keeps redirecting me to login page


Problem description

Whatever link I type in the address bar, it keeps redirecting me to the login page. How can I prevent that?

For example, if I add http://localhost:8080/asdasdsa, it will redirect me to http://localhost:8080/account/login, so if I add anything after http://localhost:8080/ I will be redirected to the account/login view.

My security configuration:

package com.example.configuration;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder;

    @Autowired
    private DataSource dataSource;

    @Value("${spring.queries.users-query}")
    private String usersQuery;

    @Value("${spring.queries.roles-query}")
    private String rolesQuery;

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth
            .jdbcAuthentication()
                .usersByUsernameQuery(usersQuery)
                .authoritiesByUsernameQuery(rolesQuery)
                .dataSource(dataSource)
                .passwordEncoder(bCryptPasswordEncoder);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/index").permitAll()
                .antMatchers("/other/other").permitAll()
                .antMatchers("/account/login").permitAll()
                .antMatchers("/account/registration").permitAll()
                .antMatchers("/account/admin/**").hasAuthority("ADMIN")
                .anyRequest().authenticated()
                .and()
            .csrf().disable()
            .formLogin()
                .loginPage("/account/login")
                .failureUrl("/account/login?error=true")
                .defaultSuccessUrl("/account/admin/")
                .usernameParameter("email")
                .passwordParameter("password")
                .and()
            .logout().permitAll()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/")
                .and()
            .exceptionHandling()
                .accessDeniedPage("/access-denied");
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
           .ignoring()
               .antMatchers("/resources/**", "/static/**", "/css/**", "/js/**", "/images/**", "/img/**");
    }
}

Recommended answer

You configured that all other URLs must be authenticated, see Spring Security Reference:

Authorize Requests

Our examples have only required users to be authenticated and have done so for every URL in our application. We can specify custom requirements for our URLs by adding multiple children to our http.authorizeRequests() method. For example:

protected void configure(HttpSecurity http) throws Exception {
  http
      .authorizeRequests()                                                          // 1
          .antMatchers("/resources/**", "/signup", "/about").permitAll()            // 2
          .antMatchers("/admin/**").hasRole("ADMIN")                                // 3
          .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")      // 4
          .anyRequest().authenticated()                                             // 5
          .and()
      // ...
      .formLogin();
}

1 There are multiple children to the http.authorizeRequests() method; each matcher is considered in the order they were declared.

2 We specified multiple URL patterns that any user can access. Specifically, any user can access a request if the URL starts with "/resources/", equals "/signup", or equals "/about".

3 Any URL that starts with "/admin/" will be restricted to users who have the role "ROLE_ADMIN". You will notice that since we are invoking the hasRole method we do not need to specify the "ROLE_" prefix.

4 Any URL that starts with "/db/" requires the user to have both "ROLE_ADMIN" and "ROLE_DBA". You will notice that since we are using the hasRole expression we do not need to specify the "ROLE_" prefix.

5 Any URL that has not already been matched on only requires that the user be authenticated
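
A regression test for the rule order described in the answer, applied to the question's configuration. This is an added example, not code from the original post or the Spring reference. It assumes a Spring Boot 2.x project with spring-security-test and JUnit 5 on the test classpath, an application context that starts with the question's SecurityConfiguration and its DataSource, and a test class name and `/account/admin/users` path that are hypothetical.

```java
package com.example.configuration; // assumed: same package as the question's SecurityConfiguration

import static org.hamcrest.Matchers.not;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.forwardedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class AuthorizationRulesTest { // hypothetical test class, not part of the original post

    @Autowired
    private MockMvc mockMvc;

    @Test // no matcher before anyRequest() covers this path, so anonymous users go to the login page
    void unmatchedUrlRedirectsAnonymousUserToLogin() throws Exception {
        mockMvc.perform(get("/asdasdsa"))
               .andExpect(status().isFound())
               .andExpect(redirectedUrlPattern("**/account/login"));
    }

    @Test // matched by antMatchers("/account/login").permitAll() before anyRequest() is reached
    void permittedUrlIsNotRedirected() throws Exception {
        mockMvc.perform(get("/account/login"))
               .andExpect(status().is(not(302)));
    }

    @Test // authenticated() would pass, but hasAuthority("ADMIN") matches first and denies
    @WithMockUser(authorities = "USER")
    void nonAdminIsDeniedOnAdminUrls() throws Exception {
        mockMvc.perform(get("/account/admin/users")) // constructed sample path
               .andExpect(status().isForbidden())
               .andExpect(forwardedUrl("/access-denied")); // accessDeniedPage from the question
    }

    @Test // the ADMIN authority satisfies the /account/admin/** rule
    @WithMockUser(authorities = "ADMIN")
    void adminPassesTheAdminRule() throws Exception {
        mockMvc.perform(get("/account/admin/users"))
               .andExpect(status().is(not(403)));
    }
}
```

To make another path public, add its `permitAll()` matcher above `anyRequest().authenticated()` and extend the second test with that path, so the open surface stays explicit and reviewed.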
