/api-url 在 Spring Boot Security 中有一个空的过滤器列表 [英] /api-url has an empty filter list in Spring Boot Security
问题描述
具有 REST 服务的 Spring Boot 应用程序必须允许公共访问某些服务,同时将其他服务限制为仅允许授权用户访问.当一个 configure(WebSecurity web)
方法被添加到 SecurityConfig
类中时,如下所示,一个 403 错误
被发送到用户的网络浏览器,并且 Spring Boot 日志文件给出了一个错误说明:
A Spring Boot app with REST services has to allow public access to certain services, while restricting other services to only authorized users. When a configure(WebSecurity web)
method is added to the SecurityConfig
class as shown below, a 403 error
is sent to the user's web browser, and the Spring Boot log files give an error stating that:
/registration-form has an empty filter list
需要对以下代码进行哪些具体更改才能使 /registration-form
服务成功提供给任何用户,包括匿名/未经身份验证的用户?强>
What specific changes need to be made to the code below to get the /registration-form
service to be successfully served up to any user, including anonymous/un-authenticated users?
这是 SecurityConfig
类:
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity webSecurity) throws Exception {
webSecurity.ignoring().antMatchers("/registration-form");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin()
.and()
.httpBasic().and()
.authorizeRequests()
.antMatchers("/login1").permitAll()
.antMatchers("/login2").permitAll()
.anyRequest().authenticated();
}
}
这里是完整的日志:
2016-04-07 16:42:18.548 INFO 8937 --- [nio-8001-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring FrameworkServlet 'dispatcherServlet'
2016-04-07 16:42:18.548 INFO 8937 --- [nio-8001-exec-1] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization started
2016-04-07 16:42:18.656 INFO 8937 --- [nio-8001-exec-1] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization completed in 108 ms
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/registration-form'; against '/css/**'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/registration-form'; against '/js/**'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/registration-form'; against '/images/**'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/registration-form'; against '/**/favicon.ico'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/registration-form'; against '/error'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/registration-form'; against '/registration-form'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.security.web.FilterChainProxy : /registration-form has an empty filter list
在pom.xml
中,对安全的唯一引用如下:
In pom.xml
, the only reference to security is the following:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
我在 pom.xml
中四处寻找版本号,我能找到的最接近的是:
I looked around for a version number in pom.xml
, and the closest thing I could find was:
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.3.0.RELEASE</version>
<relativePath /> <!-- lookup parent from repository -->
</parent>
<小时>
正在进行的研究:
1.) 这篇另一篇文章很好地解释了 之间的区别WebSecurity
和 HttpSecurity
,从而解释了为什么我在上面显示的代码中同时包含 WebSecurity
和 HttpSecurity
.
1.) This other post gives a good explanation of the difference between WebSecurity
and HttpSecurity
, and thus explains why I included both WebSecurity
and HttpSecurity
in my code shown above.
2.) 这篇 2012 年的帖子描述了类似的错误和解决方案,但通常使用 xml 配置
专注于旧版本的 Spring Security,而不是特定于带有 Java 配置
的 Spring Boot.
2.) This 2012 post describes a similar error and solution, but is focused on an old version of Spring Security in general using xml configuration
, and is not specific to Spring Boot with Java Configuration
.
3.) 这个博客条目解释了像 web.xml
这样的旧 xml 配置文件在 Spring Boot 中大部分被新的 application.properties
文件替换.因此,我不确定当前问题的解决方案是添加一些 application.properties
,还是为 Spring Security 添加一些 Java 配置.
3.) This blog entry explains that old xml config files like web.xml
are largely replaced by the new application.properties
file in Spring Boot. I am therefore not sure whether the solution to the present problem is in adding something application.properties
, or adding some Java Config for Spring Security.
4.) 这个博客entry 描述了使用 @Bean
注释注入一个 ServletContextInitializer
bean,该 bean 将过滤器添加到由 @RequestMapping
Spring Boot Controller 类中的注解.该示例是一个多部分文件过滤器,但我想知道是否可以使用这种方法添加适当的过滤器来解决当前的 OP 错误消息.
4.) This blog entry describes using the @Bean
annotation to inject a ServletContextInitializer
bean which adds a filter to an end point that was described by @RequestMapping
annotation in a Spring Boot Controller class. The example is a multi-part file filter, but I wonder if this approach could be used to add an appropriate filter to resolve the current OP error message.
5.) 这篇 2014 年的帖子描述了两种自定义行为的方法Spring Boot 中的 ServletContextInitializer
.一种方法是让 Application.java
类扩展 SpringBootServletInitializer
然后覆盖 configure()
和 onStartup()
> 方法.显示的另一种方法是使用 server
命名空间向 application.properties
文件添加行.在此链接,但我无法确定要设置哪些属性来解决当前 OP 定义的问题.
5.) This 2014 posting describes two approaches to customizing the behavior of a ServletContextInitializer
in Spring Boot. One approach is to have the Application.java
class extend SpringBootServletInitializer
and then override the configure()
and onStartup()
methods. The other approach shown is to add lines to the application.properties
file using the server
namespace. A list of common properties that can be set in application.properties
is given at this link, but I could not determine which properties to set to resolve the problem defined by the current OP.
6.) @DaveSyer 对这个相关问题的回答 建议在 application.properties
中设置 endpoints.info.sensitive=true
以打开所有端点.这让我找到 Spring 关于端点的文档页面,建议在 application.properties
中设置 endpoints.name.sensitive=false
,其中 name
是被改变的端点的名称.但是在application.properties
中设置endpoints.api-url.sensitive=false
并不能解决问题,eclipse 给出了一个警告,endpoints.api-url.敏感=假是一个未知的属性
.我是否必须在其他地方定义属性映射,或者添加 /
以使其成为 endpoints./api-url.sensitive=false
?如何获得用于 /api-url
端点的正确名称,这是解决此问题的正确方法吗?
6.) @DaveSyer's answer to this related question suggests setting endpoints.info.sensitive=true
in application.properties
to make ALL endpoints open. This got me to find this documentation page from Spring about endpoints, which suggests setting the endpoints.name.sensitive=false
in application.properties
, where name
is the name of the end point being altered. But setting endpoints.api-url.sensitive=false
in application.properties
does not resolve the problem, and eclipse gives a warning that endpoints.api-url.sensitive=false is an unknown property
. Do I have to define the property mapping somewhere else, or perhaps add the /
to make it endpoints./api-url.sensitive=false
? How can I get the correct name to use for the /api-url
endpoint, and is this the correct approach to solving this problem?
7.) 我阅读了这篇其他帖子,并使用其示例在 Spring Boot 应用程序的主 Application
类中创建了一个 Filter Registration Bean
,但调试日志仍然显示相同的消息,表明 /api-url 有一个空的过滤器列表
.这是我添加到 Application
类的代码:
7.) I read this other posting, and used its example to create a Filter Registration Bean
inside the main Application
class of the Spring Boot app, but the debug logs still show the same message indicating that the /api-url has an empty filter list
. Here is the code that I added to the Application
class:
@Bean
public FilterRegistrationBean shallowEtagHeaderFilter() {
FilterRegistrationBean registration = new FilterRegistrationBean();
registration.setFilter(new ShallowEtagHeaderFilter());
registration.setDispatcherTypes(EnumSet.allOf(DispatcherType.class));
registration.addUrlPatterns("/api-url");
return registration;
}
本研究可能采用的方法包括:
The possible approaches from this research include:
1.) adding something to `application.properties`
2.) adding `@Bean` annotation to inject a `ServletContextInitializer`
3.) adding some Spring Security config using Java Configuration.
4.) having Application.java extend SpringBootServletInitializer and
then overriding methods.
5.) adding @Bean annotation to add a filter registration bean
推荐答案
我认为您所做的是使/error 视图成为受保护的资源.要么打开它,要么停止使用 @EnableWebSecurity
(它会关闭一些 Spring Boot 本来会为你做的事情).
I think what you have done is made the /error view a protected resource. Either open it up or stop using @EnableWebSecurity
(it switches off some stuff that spring boot would have done for you otherwise).
这篇关于/api-url 在 Spring Boot Security 中有一个空的过滤器列表的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!