使用Spring Security可以公开访问JSF资源 [英] Make JSF resources publicly accessible with Spring Security

问题描述

我在jsf应用程序中实现了spring security。除静态资源需要身份验证外，一切正常。这是我的配置

I have implemented spring security in my jsf application. Everything is working fine except static resources require authentication. This is my configuration

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();

    http.authorizeRequests()
            .antMatchers("/register", "/resources/**").permitAll()
            .anyRequest().authenticated()
            .and().formLogin().loginPage("/login").permitAll()
           .usernameParameter("username").passwordParameter("password")
            .and().exceptionHandling().accessDeniedPage("/Access_Denied");
}

在进行谷歌搜索之后，大多数解决方案都是添加mvc资源标记。 / p>

After doing some google search, most solutions was to add mvc resource tag.

  <mvc:resources mapping="/resources/**" location="/resources/"
    cache-period="31556926"/>

我找到了类似的注释并为此添加了配置类

I found Similar annotation and added a configuration class for this

@Configuration
@EnableWebMvc
public class WebMvcConfig extends WebMvcConfigurerAdapter {

    // equivalents for <mvc:resources/> tags
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/resources/**").addResourceLocations("/resources/").setCachePeriod(31556926);
    }

    // equivalent for <mvc:default-servlet-handler/> tag
    @Override
    public void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer) {
        configurer.enable();
    }
}

但静态资源仍需要身份验证。如何使这项工作有一些帮助。

But still static resources require authentication. Some help would be nice about how to make this work.

注意：我的资源放在 / src / main / webapp / resources / { CSS | JS |图像} 。问题是如果用户没有登录，css的效果，js不会在登录页面中显示。用户登录一次后，登录后进入登录页面，出现css效果。

Note: my resources are placed in /src/main/webapp/resources/{css|js|image}. And the problem is if user is not logged in, effect of css, js does not show in the login page. After a user is logged in once, then come to login page after login, css effect appears.

推荐答案

JSF托管库资源是从 /javax.faces.resource / ** 路径提供。因此，您需要公开访问该路径：

JSF managed library resources are served from the /javax.faces.resource/** path. So you need to make that path publicly accessible:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();

    http.authorizeRequests()
        .antMatchers("/register", "/javax.faces.resource/**").permitAll()
        .antMatchers("/**").authenticated()
        .and().formLogin().loginPage("/login").permitAll()
        .usernameParameter("username").passwordParameter("password")
        .and().exceptionHandling().accessDeniedPage("/Access_Denied");
}

您可能还希望浏览器缓存这些资源。然后，将此部分添加到您的配置中，为每个与 /javax.faces.resource / ** 的请求匹配的响应添加标头编写器：

You might also want those resources to be cached by the browser. Then, add this piece to your configuration, which adds a header writer for each of the responses that match a request for /javax.faces.resource/**:

http.headers()
        .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                new AntPathRequestMatcher("/javax.faces.resource/**"),
                new HeaderWriter() {

                    @Override
                    public void writeHeaders(HttpServletRequest request,
                            HttpServletResponse response) {
                        response.addHeader("Cache-Control", "private, max-age=86400");
                    }
                }))
        .defaultsDisabled();

参见：

• 什么是JSF资源库以及如何使用它？

• What is the JSF resource library for and how should it be used?

这篇关于使用Spring Security可以公开访问JSF资源的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！