/api-url has an empty filter list in Spring Boot Security


Problem description

A Spring Boot app with REST services has to allow public access to certain services, while restricting other services to only authorized users. When a configure(WebSecurity web) method is added to the SecurityConfig class as shown below, a 403 error is sent to the user's web browser, and the Spring Boot log files give an error stating that:

/registration-form has an empty filter list  

What specific changes need to be made to the code below to get the /registration-form service to be successfully served up to any user, including anonymous/un-authenticated users?

Here is the SecurityConfig class:

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        // Paths matched here are excluded from the Spring Security filter chain altogether
        webSecurity.ignoring().antMatchers("/registration-form");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
                .and()
            .httpBasic().and()
            .authorizeRequests()
                // open to everyone, but still handled inside the filter chain
                .antMatchers("/login1").permitAll()
                .antMatchers("/login2").permitAll()
                // everything else requires an authenticated user
                .anyRequest().authenticated();
    }
}

Here is the full log:

2016-04-07 16:42:18.548  INFO 8937 --- [nio-8001-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring FrameworkServlet 'dispatcherServlet'
2016-04-07 16:42:18.548  INFO 8937 --- [nio-8001-exec-1] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization started
2016-04-07 16:42:18.656  INFO 8937 --- [nio-8001-exec-1] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization completed in 108 ms
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/registration-form'; against '/css/**'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/registration-form'; against '/js/**'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/registration-form'; against '/images/**'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/registration-form'; against '/**/favicon.ico'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/registration-form'; against '/error'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/registration-form'; against '/registration-form'
2016-04-07 16:42:18.702 DEBUG 8937 --- [nio-8001-exec-1] o.s.security.web.FilterChainProxy        : /registration-form has an empty filter list

In pom.xml, the only reference to security is the following:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

I looked around for a version number in pom.xml, and the closest thing I could find was:

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>1.3.0.RELEASE</version>
    <relativePath /> <!-- lookup parent from repository -->
</parent>

Ongoing research

1.) This other post gives a good explanation of the difference between WebSecurity and HttpSecurity, and thus explains why I included both WebSecurity and HttpSecurity in my code shown above.

2.) This 2012 post describes a similar error and solution, but is focused on an old version of Spring Security in general using xml configuration, and is not specific to Spring Boot with Java Configuration.

3.) This blog entry explains that old xml config files like web.xml are largely replaced by the new application.properties file in Spring Boot. I am therefore not sure whether the solution to the present problem is in adding something to application.properties, or adding some Java Config for Spring Security.

4.) This blog entry describes using the @Bean annotation to inject a ServletContextInitializer bean which adds a filter to an end point that was described by a @RequestMapping annotation in a Spring Boot Controller class. The example is a multi-part file filter, but I wonder if this approach could be used to add an appropriate filter to resolve the current OP error message.

5.) This 2014 posting describes two approaches to customizing the behavior of a ServletContextInitializer in Spring Boot. One approach is to have the Application.java class extend SpringBootServletInitializer and then override the configure() and onStartup() methods. The other approach shown is to add lines to the application.properties file using the server namespace. A list of common properties that can be set in application.properties is given at this link, but I could not determine which properties to set to resolve the problem defined by the current OP.

6.) @DaveSyer's answer to this related question suggests setting endpoints.info.sensitive=true in application.properties to make ALL endpoints open. This got me to find this documentation page from Spring about endpoints, which suggests setting endpoints.name.sensitive=false in application.properties, where name is the name of the end point being altered. But setting endpoints.api-url.sensitive=false in application.properties does not resolve the problem, and eclipse gives a warning that endpoints.api-url.sensitive=false is an unknown property. Do I have to define the property mapping somewhere else, or perhaps add the / to make it endpoints./api-url.sensitive=false? How can I get the correct name to use for the /api-url endpoint, and is this the correct approach to solving this problem?

7.) I read this other posting, and used its example to create a Filter Registration Bean inside the main Application class of the Spring Boot app, but the debug logs still show the same message indicating that /api-url has an empty filter list. Here is the code that I added to the Application class:

import java.util.EnumSet;
import javax.servlet.DispatcherType;
import org.springframework.boot.context.embedded.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.web.filter.ShallowEtagHeaderFilter;

@Bean
public FilterRegistrationBean shallowEtagHeaderFilter() {
    FilterRegistrationBean registration = new FilterRegistrationBean();
    registration.setFilter(new ShallowEtagHeaderFilter());
    // apply on every dispatch type (REQUEST, FORWARD, INCLUDE, ERROR, ASYNC)
    registration.setDispatcherTypes(EnumSet.allOf(DispatcherType.class));
    // a plain servlet filter on this URL; it is not part of Spring Security's filter chain
    registration.addUrlPatterns("/api-url");
    return registration;
}

The possible approaches from this research include:

1.) adding something to `application.properties`
2.) adding `@Bean` annotation to inject a `ServletContextInitializer`
3.) adding some Spring Security config using Java Configuration
4.) having Application.java extend SpringBootServletInitializer and then overriding methods
5.) adding `@Bean` annotation to add a filter registration bean


Recommended answer

This is what I have, where I restrict some URLs and some are public:

import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;

@Override
public void configure(HttpSecurity http) throws Exception {
    // actuatorEndpoints() and userConfig are helpers from the answerer's own application (not shown)
    http.csrf().disable()   // CSRF protection off: only acceptable because the API is stateless (no session cookie)
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        .antMatchers(actuatorEndpoints()).hasRole(userConfig.getAdminRole())
        .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()   // CORS preflight requests
        .antMatchers("/signup",
                     "/payment/confirm",
                     "/api/address/zipcodes/**",
                     "/user/password/reset",
                     "/user/password/change",
                     "/user/email/verify",
                     "/password/update",
                     "/email/verify",
                     "/new-products/**").permitAll()   // public, but still inside the filter chain
        .antMatchers("/api/**", "/files/**").authenticated();
}
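The question's configure(WebSecurity) and the answer's configure(HttpSecurity) are two different mechanisms, and the debug line "/registration-form has an empty filter list" is the expected effect of the first one: web.ignoring() takes the path out of Spring Security's FilterChainProxy altogether, so no security filter runs for it at all (no CsrfFilter, no security response headers, no SecurityContext for the request). permitAll() keeps the full filter chain and simply grants access to anonymous callers. The following is an added, self-contained example (not code from the question, the answer, or any project) that shows both side by side in a minimal Spring Boot 1.3 / Spring Security 4.0 application, matching the versions in the question; the endpoints /registration-form and /api/secret, the in-memory user user/password and the class names are assumptions made for this example.

```java
// Added example: minimal Spring Boot 1.3 / Spring Security 4.0 application showing
// web.ignoring() (bypass the security filter chain) next to permitAll() (stay in the chain).
// Endpoints, user name/password and class names are assumed for the example.
package com.example.securitydemo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
public class DemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }

    // Two hypothetical endpoints: one public, one protected.
    @RestController
    static class DemoController {
        @RequestMapping("/registration-form")
        public String registrationForm() { return "public registration form"; }

        @RequestMapping("/api/secret")
        public String secret() { return "only for authenticated users"; }
    }

    @Configuration
    @EnableWebSecurity
    static class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        public void configure(WebSecurity web) throws Exception {
            // ignoring() removes these paths from Spring Security's filter chain ENTIRELY.
            // FilterChainProxy logs "<path> has an empty filter list" for them at DEBUG level;
            // that line is confirmation, not an error. Because no security filter runs,
            // these paths get no CSRF protection, no security headers and no SecurityContext,
            // so reserve ignoring() for static resources.
            web.ignoring().antMatchers("/css/**", "/js/**", "/images/**");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .httpBasic().and()
                .authorizeRequests()
                    // permitAll() keeps the full filter chain but lets anonymous users through
                    .antMatchers("/registration-form").permitAll()
                    // anonymous requests here get 401 from the HTTP Basic entry point
                    .antMatchers("/api/**").authenticated()
                    .anyRequest().authenticated();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Assumed in-memory account for the example (plain-text password is accepted by
            // Spring Security 4.x; 5.x requires a PasswordEncoder).
            auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
        }
    }
}
```

Run it and compare: `curl -i http://localhost:8080/registration-form` answers 200 without credentials, `curl -i http://localhost:8080/api/secret` answers 401 with a WWW-Authenticate header, and `curl -i -u user:password http://localhost:8080/api/secret` answers 200. Because /registration-form stays inside the filter chain, a POST to it is still subject to CSRF protection (enabled by default in Spring Security 4), so a form submission without the _csrf token is rejected with 403; that is the trade-off against web.ignoring(), which drops CSRF protection and the security response headers along with the access check.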
