/ api-url在Spring Boot Security中有一个空的过滤器列表 [英] /api-url has an empty filter list in Spring Boot Security
问题描述
具有REST服务的Spring Boot应用程序必须允许公共访问某些服务,同时将其他服务限制为仅授权用户。当 configure(WebSecurity web)
方法添加到 SecurityConfig
类时,如下所示, 403错误
被发送到用户的Web浏览器,Spring Boot日志文件给出错误声明:
A Spring Boot app with REST services has to allow public access to certain services, while restricting other services to only authorized users. When a configure(WebSecurity web)
method is added to the SecurityConfig
class as shown below, a 403 error
is sent to the user's web browser, and the Spring Boot log files give an error stating that:
/registration-form has an empty filter list
需要进行哪些具体更改是否可以使用以下代码将 / registration-form
服务成功提供给任何用户,包括匿名/未经过身份验证的用户?
What specific changes need to be made to the code below to get the /registration-form
service to be successfully served up to any user, including anonymous/un-authenticated users?
这是 SecurityConfig
类:
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity webSecurity) throws Exception {
webSecurity.ignoring().antMatchers("/registration-form");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin()
.and()
.httpBasic().and()
.authorizeRequests()
.antMatchers("/login1").permitAll()
.antMatchers("/login2").permitAll()
.anyRequest().authenticated();
}
}
这是完整的日志:
2016-04-07 16:42:18.548 INFO 8937 --- [nio-8001-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring FrameworkServlet 'dispatcherServlet'
2016-04-07 16:42:18.548 INFO 8937 --- [nio-8001-exec-1] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization started
2016-04-07 16:42:18.656 INFO 8937 --- [nio-8001-exec-1] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization completed in 108 ms
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/registration-form'; against '/css/**'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/registration-form'; against '/js/**'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/registration-form'; against '/images/**'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/registration-form'; against '/**/favicon.ico'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/registration-form'; against '/error'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/registration-form'; against '/registration-form'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.security.web.FilterChainProxy : /registration-form has an empty filter list
在 pom.xml
中,唯一对安全性的引用如下:
In pom.xml
, the only reference to security is the following:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
我查看了 pom.xml中的版本号
,我能找到的最接近的东西是:
I looked around for a version number in pom.xml
, and the closest thing I could find was:
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.3.0.RELEASE</version>
<relativePath /> <!-- lookup parent from repository -->
</parent>
正在进行研究
1。)这篇文章很好地解释了 WebSecurity
和 HttpSecurity
之间的区别,因此解释了为什么我在上面显示的代码中包含 WebSecurity
和 HttpSecurity
。
1.) This other post gives a good explanation of the difference between WebSecurity
and HttpSecurity
, and thus explains why I included both WebSecurity
and HttpSecurity
in my code shown above.
2。)这篇2012年的帖子描述了一个类似的错误和解决方案,但一般使用 xml配置
专注于旧版本的Spring Security,并不是特定于Spring引导,带 Java配置
。
2.) This 2012 post describes a similar error and solution, but is focused on an old version of Spring Security in general using xml configuration
, and is not specific to Spring Boot with Java Configuration
.
3。)此博客条目解释了旧的xml配置文件,如 web.xml
在很大程度上被新的应用程序所取代.properties
Spring Boot中的文件。因此,我不确定当前问题的解决方案是添加 application.properties
,还是添加一些Java Config for Spring Security。
3.) This blog entry explains that old xml config files like web.xml
are largely replaced by the new application.properties
file in Spring Boot. I am therefore not sure whether the solution to the present problem is in adding something application.properties
, or adding some Java Config for Spring Security.
4。)此博客条目描述使用 @Bean
注释注入 ServletContextInitializer
bean,它将一个过滤器添加到一个端点,该端点由Spring Boot Controller类中的 @RequestMapping
注释描述。该示例是一个多部分文件过滤器,但我想知道是否可以使用此方法添加适当的过滤器来解决当前的OP错误消息。
4.) This blog entry describes using the @Bean
annotation to inject a ServletContextInitializer
bean which adds a filter to an end point that was described by @RequestMapping
annotation in a Spring Boot Controller class. The example is a multi-part file filter, but I wonder if this approach could be used to add an appropriate filter to resolve the current OP error message.
5。) 2014年的帖子介绍了两种在Spring Boot中自定义 ServletContextInitializer
行为的方法。一种方法是让 Application.java
类扩展 SpringBootServletInitializer
,然后覆盖 configure( )
和 onStartup()
方法。显示的另一种方法是使用 server
命名空间向 application.properties
文件添加行。可以在 application.properties
中设置的公共属性列表在此链接,但我无法确定要设置哪些属性来解决当前OP定义的问题。
5.) This 2014 posting describes two approaches to customizing the behavior of a ServletContextInitializer
in Spring Boot. One approach is to have the Application.java
class extend SpringBootServletInitializer
and then override the configure()
and onStartup()
methods. The other approach shown is to add lines to the application.properties
file using the server
namespace. A list of common properties that can be set in application.properties
is given at this link, but I could not determine which properties to set to resolve the problem defined by the current OP.
6。)@ DaveSyer回答此相关问题建议在 application.properties
中设置 endpoints.info.sensitive = true
使所有端点打开。这让我找到来自Spring的关于端点的文档页面,建议在应用程序中设置
,其中 endpoints.name.sensitive = false
。 properties name
是要更改的终点的名称。但是在 application.properties
中设置 endpoints.api-url.sensitive = false
并不能解决问题,而eclipse给出了警告 endpoints.api-url.sensitive = false是一个未知属性
。我是否必须在其他地方定义属性映射,或者可能添加 /
以使其 endpoints./api-url.sensitive=false
?如何获得用于 / api-url
端点的正确名称,这是解决此问题的正确方法吗?
6.) @DaveSyer's answer to this related question suggests setting endpoints.info.sensitive=true
in application.properties
to make ALL endpoints open. This got me to find this documentation page from Spring about endpoints, which suggests setting the endpoints.name.sensitive=false
in application.properties
, where name
is the name of the end point being altered. But setting endpoints.api-url.sensitive=false
in application.properties
does not resolve the problem, and eclipse gives a warning that endpoints.api-url.sensitive=false is an unknown property
. Do I have to define the property mapping somewhere else, or perhaps add the /
to make it endpoints./api-url.sensitive=false
? How can I get the correct name to use for the /api-url
endpoint, and is this the correct approach to solving this problem?
7。)我读过这个其他帖子,并使用其示例在主应用程序$中创建
过滤器注册Bean
c $ c> Spring Boot应用程序的类,但调试日志仍然显示相同的消息,表明 / api-url有一个空的过滤器列表
。这是我添加到应用程序
类的代码:
7.) I read this other posting, and used its example to create a Filter Registration Bean
inside the main Application
class of the Spring Boot app, but the debug logs still show the same message indicating that the /api-url has an empty filter list
. Here is the code that I added to the Application
class:
@Bean
public FilterRegistrationBean shallowEtagHeaderFilter() {
FilterRegistrationBean registration = new FilterRegistrationBean();
registration.setFilter(new ShallowEtagHeaderFilter());
registration.setDispatcherTypes(EnumSet.allOf(DispatcherType.class));
registration.addUrlPatterns("/api-url");
return registration;
}
此研究的可行方法包括:
The possible approaches from this research include:
1.) adding something to `application.properties`
2.) adding `@Bean` annotation to inject a `ServletContextInitializer`
3.) adding some Spring Security config using Java Configuration.
4.) having Application.java extend SpringBootServletInitializer and
then overriding methods.
5.) adding @Bean annotation to add a filter registration bean
推荐答案
这就是我限制某些网址的地方,有些是公开的
This is what i have where i restrict some URLs and some are public
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers(actuatorEndpoints()).hasRole(userConfig.getAdminRole())
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.antMatchers("/signup",
"/payment/confirm",
"/api/address/zipcodes/**",
"/user/password/reset",
"/user/password/change",
"/user/email/verify",
"/password/update",
"/email/verify",
"/new-products/**").permitAll()
.antMatchers("/api/**", "/files/**").authenticated();
}
这篇关于/ api-url在Spring Boot Security中有一个空的过滤器列表的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!