/api-url 在 Spring Boot Security 中有一个空的过滤器列表 [英] /api-url has an empty filter list in Spring Boot Security

问题描述

具有 REST 服务的 Spring Boot 应用程序必须允许公共访问某些服务，同时将其他服务限制为仅允许授权用户访问.当一个 configure(WebSecurity web) 方法被添加到 SecurityConfig 类中时，如下所示，一个 403 错误 被发送到用户的网络浏览器，并且 Spring Boot 日志文件给出了一个错误说明:

A Spring Boot app with REST services has to allow public access to certain services, while restricting other services to only authorized users. When a configure(WebSecurity web) method is added to the SecurityConfig class as shown below, a 403 error is sent to the user's web browser, and the Spring Boot log files give an error stating that:

/registration-form has an empty filter list  

需要对以下代码进行哪些具体更改才能使 /registration-form 服务成功提供给任何用户，包括匿名/未经身份验证的用户?

What specific changes need to be made to the code below to get the /registration-form service to be successfully served up to any user, including anonymous/un-authenticated users?

这是 SecurityConfig 类:

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        webSecurity.ignoring().antMatchers("/registration-form");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
                .and()
            .httpBasic().and()
            .authorizeRequests()
                .antMatchers("/login1").permitAll()
                .antMatchers("/login2").permitAll()
                .anyRequest().authenticated();
    }
}

这里是完整的日志:

2016-04-07 16:42:18.548  INFO 8937 --- [nio-8001-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring FrameworkServlet 'dispatcherServlet'
2016-04-07 16:42:18.548  INFO 8937 --- [nio-8001-exec-1] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization started
2016-04-07 16:42:18.656  INFO 8937 --- [nio-8001-exec-1] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization completed in 108 ms
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/registration-form'; against '/css/**'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/registration-form'; against '/js/**'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/registration-form'; against '/images/**'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/registration-form'; against '/**/favicon.ico'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/registration-form'; against '/error'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/registration-form'; against '/registration-form'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.security.web.FilterChainProxy        : /registration-form has an empty filter list

在pom.xml中，对安全的唯一引用如下:

In pom.xml, the only reference to security is the following:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

我在 pom.xml 中四处寻找版本号，我能找到的最接近的是:

I looked around for a version number in pom.xml, and the closest thing I could find was:

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>1.3.0.RELEASE</version>
    <relativePath /> <!-- lookup parent from repository -->
</parent>

<小时>

正在进行的研究:

1.) 这篇另一篇文章很好地解释了 之间的区别WebSecurity 和 HttpSecurity，从而解释了为什么我在上面显示的代码中同时包含 WebSecurity 和 HttpSecurity.

1.) This other post gives a good explanation of the difference between WebSecurity and HttpSecurity, and thus explains why I included both WebSecurity and HttpSecurity in my code shown above.

2.) 这篇 2012 年的帖子描述了类似的错误和解决方案，但通常使用 xml 配置 专注于旧版本的 Spring Security，而不是特定于带有 Java 配置 的 Spring Boot.

2.) This 2012 post describes a similar error and solution, but is focused on an old version of Spring Security in general using xml configuration, and is not specific to Spring Boot with Java Configuration.

3.) 这个博客条目解释了像 web.xml 这样的旧 xml 配置文件在 Spring Boot 中大部分被新的 application.properties 文件替换.因此，我不确定当前问题的解决方案是添加一些 application.properties，还是为 Spring Security 添加一些 Java 配置.

3.) This blog entry explains that old xml config files like web.xml are largely replaced by the new application.properties file in Spring Boot. I am therefore not sure whether the solution to the present problem is in adding something application.properties, or adding some Java Config for Spring Security.

4.) 这个博客entry 描述了使用 @Bean 注释注入一个 ServletContextInitializer bean，该 bean 将过滤器添加到由 @RequestMapping Spring Boot Controller 类中的注解.该示例是一个多部分文件过滤器，但我想知道是否可以使用这种方法添加适当的过滤器来解决当前的 OP 错误消息.

4.) This blog entry describes using the @Bean annotation to inject a ServletContextInitializer bean which adds a filter to an end point that was described by @RequestMapping annotation in a Spring Boot Controller class. The example is a multi-part file filter, but I wonder if this approach could be used to add an appropriate filter to resolve the current OP error message.

5.) 这篇 2014 年的帖子描述了两种自定义行为的方法Spring Boot 中的 ServletContextInitializer .一种方法是让 Application.java 类扩展 SpringBootServletInitializer 然后覆盖 configure() 和 onStartup()> 方法.显示的另一种方法是使用 server 命名空间向 application.properties 文件添加行.在此链接，但我无法确定要设置哪些属性来解决当前 OP 定义的问题.

5.) This 2014 posting describes two approaches to customizing the behavior of a ServletContextInitializer in Spring Boot. One approach is to have the Application.java class extend SpringBootServletInitializer and then override the configure() and onStartup() methods. The other approach shown is to add lines to the application.properties file using the server namespace. A list of common properties that can be set in application.properties is given at this link, but I could not determine which properties to set to resolve the problem defined by the current OP.

6.) @DaveSyer 对这个相关问题的回答 建议在 application.properties 中设置 endpoints.info.sensitive=true 以打开所有端点.这让我找到 Spring 关于端点的文档页面，建议在 application.properties 中设置 endpoints.name.sensitive=false，其中 name 是被改变的端点的名称.但是在application.properties 中设置endpoints.api-url.sensitive=false 并不能解决问题，eclipse 给出了一个警告，endpoints.api-url.敏感=假是一个未知的属性.我是否必须在其他地方定义属性映射，或者添加 / 以使其成为 endpoints./api-url.sensitive=false?如何获得用于 /api-url 端点的正确名称，这是解决此问题的正确方法吗?

6.) @DaveSyer's answer to this related question suggests setting endpoints.info.sensitive=true in application.properties to make ALL endpoints open. This got me to find this documentation page from Spring about endpoints, which suggests setting the endpoints.name.sensitive=false in application.properties, where name is the name of the end point being altered. But setting endpoints.api-url.sensitive=false in application.properties does not resolve the problem, and eclipse gives a warning that endpoints.api-url.sensitive=false is an unknown property. Do I have to define the property mapping somewhere else, or perhaps add the / to make it endpoints./api-url.sensitive=false? How can I get the correct name to use for the /api-url endpoint, and is this the correct approach to solving this problem?

7.) 我阅读了这篇其他帖子，并使用其示例在 Spring Boot 应用程序的主 Application 类中创建了一个 Filter Registration Bean，但调试日志仍然显示相同的消息，表明 /api-url 有一个空的过滤器列表.这是我添加到 Application 类的代码:

7.) I read this other posting, and used its example to create a Filter Registration Bean inside the main Application class of the Spring Boot app, but the debug logs still show the same message indicating that the /api-url has an empty filter list. Here is the code that I added to the Application class:

@Bean
public FilterRegistrationBean shallowEtagHeaderFilter() {
    FilterRegistrationBean registration = new FilterRegistrationBean();
    registration.setFilter(new ShallowEtagHeaderFilter());
    registration.setDispatcherTypes(EnumSet.allOf(DispatcherType.class));
    registration.addUrlPatterns("/api-url");
    return registration;
}

本研究可能采用的方法包括:

The possible approaches from this research include:

1.) adding something to `application.properties`   
2.) adding `@Bean` annotation to inject a `ServletContextInitializer`   
3.) adding some Spring Security config using Java Configuration.   
4.) having Application.java extend SpringBootServletInitializer and   
        then overriding methods.  
5.) adding @Bean annotation to add a filter registration bean

推荐答案

我认为您所做的是使/error 视图成为受保护的资源.要么打开它，要么停止使用 @EnableWebSecurity(它会关闭一些 Spring Boot 本来会为你做的事情).

I think what you have done is made the /error view a protected resource. Either open it up or stop using @EnableWebSecurity (it switches off some stuff that spring boot would have done for you otherwise).

这篇关于/api-url 在 Spring Boot Security 中有一个空的过滤器列表的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！