主页 / 问题 / 1445941
Accepted
Artur Vartanyan
Asked:2022-09-05 20:30:38 +0000 UTC2022-09-05 20:30:38 +0000 UTC

在 Spring Security 中禁用匿名时,所有 url 都会自动发出 403

  • 772

有一个使用Spring Security的Spring Boot项目。

授权过程通过会话,成功授权后,应用程序保存cookie信息。
对于/login并且/logout我将 url 访问设置为permitAll,并将 url 的其余部分绘制为已验证

当用户在未经授权的情况下敲击安全 url 时,它表示anonymousUser正在运行。
调试时,很明显,如果Spring Security没有收到来自授权用户的请求,那么它会自动替换为anonymousUser

作为Spring Security Configuration中的一个解决方案,我关闭了http.build匿名访问 ( anonymous.disable()),但是这样我的所有 url,包括那些,/login/logout属于403 Forbidden.

怎么回事?如何解决问题?

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    public static final String SESSION_ATTRIBUTE = "JSESSIONID";

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration)
            throws Exception {
        return authenticationConfiguration.getAuthenticationManager();
    }

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring()
                .antMatchers("/v3/api-docs/**")
                .antMatchers("configuration/**")
                .antMatchers("/swagger*/**")
                .antMatchers("/webjars/**")
                .antMatchers("/swagger-ui/**");
    }

    @Bean
    public CorsConfiguration corsConfiguration() {
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.setAllowCredentials(true);
        corsConfiguration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        corsConfiguration.setAllowedOriginPatterns(List.of("*:[*]"));
        corsConfiguration.setAllowedHeaders(List.of("*"));
        corsConfiguration.setExposedHeaders(List.of("*"));
        corsConfiguration.setMaxAge(1000L);
        return corsConfiguration;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .cors().configurationSource(cors -> corsConfiguration()).and()
                .csrf().disable()
                .anonymous().disable()
                .httpBasic().disable()
                .logout().invalidateHttpSession(true).deleteCookies(SESSION_ATTRIBUTE)
                .and()
                .authorizeRequests()
                .antMatchers("/api/authentication/login", "/api/authentication/logout").permitAll()
                .antMatchers("/api/file/*", "/api/report/*", "/api/user/information/*").authenticated();

        return http.build();
    }
}

构建.gradle:

dependencies {
    implementation group: 'org.springframework.boot', name: 'spring-boot-starter-web', version: '2.7.2'
    implementation group: 'org.springframework.boot', name: 'spring-boot-starter-jdbc', version: '2.7.2'
    implementation group: 'org.springframework.boot', name: 'spring-boot-starter-security', version: '2.7.2'
    implementation group: 'org.springframework.boot', name: 'spring-boot-starter-validation', version: '2.7.2'

    implementation group: 'com.microsoft.sqlserver', name: 'mssql-jdbc', version: '9.4.1.jre16'

    implementation group: 'org.json', name: 'json', version: '20220320'

    implementation group: 'org.springdoc', name: 'springdoc-openapi-ui', version: '1.6.10'

    implementation group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'

    compileOnly 'org.projectlombok:lombok:1.18.24'

    annotationProcessor 'org.projectlombok:lombok:1.18.24'
}
java

0 个回答

  1. 也许,当然,我对睡眠不足一无所知,但这里的一切似乎都很平庸。
    Spring 完全按照您所写的那样:
    您不允许他让任何人进入这些页面 - 他不允许他!

    只允许访问页面/login/logoutfilterChain()

    .formLogin()
    .loginPage("/login")
    .permitAll()
    .and()
.logout()
    .permitAll()

    或陈词滥调:

    .antMatchers("/login", "/logout").permitAll()

    总法:

        @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .cors().configurationSource(cors -> corsConfiguration()).and()
                .csrf().disable()
                .anonymous().disable()
                .httpBasic().disable()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll()
                    .invalidateHttpSession(true) // дополнил вашими правилами
                    .deleteCookies(SESSION_ATTRIBUTE) // дополнил вашими правилами
                  .and()
                .authorizeRequests()
                .antMatchers("/api/authentication/login", "/api/authentication/logout").permitAll()
                .antMatchers("/api/file/*", "/api/report/*", "/api/user/information/*").authenticated();

        return http.build();
    }
    • 0
  2. Best Answer

    如果filterChain这样配置,那么amonymous用户不会有问题:

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .cors().configurationSource(cors -> corsConfiguration()).and()
                .csrf().disable()
                .httpBasic().disable()
                .logout().invalidateHttpSession(true).deleteCookies(SESSION_ATTRIBUTE)
                .and()
                .authorizeRequests()
                .antMatchers("/api/authentication/login", "/api/authentication/logout").permitAll()
                .antMatchers("/api/**").authenticated();

        return http.build();
    }
    • 0

相关问题