Spring Boot /h2-console throws 403 with Spring Security after upgrading to 1.5.2

2017-05-05 112 views
0

We recently upgraded from Spring Boot 1.4.1 to 1.5.2. One change in 1.5.2 is that if Spring Security is on the classpath, everything is protected by basic authentication. Even after passing basic authentication I still cannot access /h2-console: it returns 403 Forbidden.

application.yml

    spring:
      datasource:
        driver-class-name: org.h2.Driver
        url: jdbc:h2:file:../app-db/app_db;AUTO_SERVER=TRUE
        username: sa
        password: sa
        initialize: false
      jpa:
        hibernate:
          ddl-auto: validate
        show-sql: true
        database-platform: org.hibernate.dialect.H2Dialect
      h2:
        console:
          enabled: true
          settings:
            web-allow-others: true
    allowed:
      resources: /h2-console/**

I even explicitly permit /h2-console/**:

    httpSecurity.authorizeRequests()
            .antMatchers(allowedResources)
            .permitAll()

When I try to open localhost:8080/h2-console I keep getting a 403. I have tried many settings, including:

management.security.enabled=true 
security.basic.enabled=true 

but I still cannot reach the H2 console.

+0

Have you looked at this [sample](https://github.com/spring-projects/spring-boot/tree/master/spring-boot-samples/spring-boot-sample-web-secure-custom) on GitHub for Spring Boot with security? –

Answers

1

I enabled debug logging and saw this:

o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /h2-console/; Attributes: [hasAnyRole('ROLE_USER','ROLE_ACTUATOR')] 
2017-05-05 13:16:09.304 DEBUG 90365 --- [nio-8080-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframew[email protected]33d2af72: Principal: or[email protected]7371d5f4: Dn: cn=XYZ,ou=XYZ,ou=Active,ou=ABC_USERS,dc=internal,dc=organization,dc=com; Username: uname; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 86EF50EF548ED4DBCE4D661AEC93F88C; Granted Authorities: ROLE_ADMIN 
2017-05-05 13:16:09.305 DEBUG 90365 --- [nio-8080-exec-2] o.s.s.access.vote.AffirmativeBased  : Voter: org.sp[email protected]51d3d69, returned: -1 
2017-05-05 13:16:09.305 DEBUG 90365 --- [nio-8080-exec-2] o.s.s.w.a.ExceptionTranslationFilter  : Access is denied (user is not anonymous); delegating to AccessDeniedHandler 

I realised that my user does not have ROLE_USER. I had assumed ROLE_ADMIN > ROLE_USER, but I still need to understand this better.

I updated my settings to:

    security:
      basic:
        enabled: true
        authorize-mode: NONE

I am now able to access /h2-console/**.

+0

You can see my view of this in my answer. – chaoluo

+0

Doesn't this break authentication? –

+0

Authorization is enabled, so if the user has no role assigned she will be denied access. –
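As an added check (example code written for this page, not part of the question or the answer): a MockMvc test that records what the security filter chain decides for /h2-console/ for three different callers. It assumes the application from the question with spring-boot-starter-test and spring-security-test on the test classpath, and the Spring Boot 1.5 default H2 console chain. The expected statuses are the ones that chain produces: 401 with no credentials, 403 for a user holding only ROLE_ADMIN (the case in the log above), and 404 for ROLE_USER, because the request clears security and MockMvc's DispatcherServlet has no handler for the console servlet's path. The H2 servlet itself is not under test; the status alone shows the filter chain's decision. With `security.basic.authorize-mode: NONE` the first test fails: the console chain then adds no access rule at all, so the request without credentials is served too, which is the point raised in the comment above.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

/*
 * Added example, not code from the question or the answer. Boots the application
 * context and sends requests through the real Spring Security filter chain.
 * Expected statuses are those of the Spring Boot 1.5 default H2 console chain.
 */
@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc   // registers the security filters on the MockMvc instance
public class H2ConsoleAccessTest {

    // Default value of spring.h2.console.path, with the trailing slash the log shows.
    private static final String CONSOLE = "/h2-console/";

    @Autowired
    private MockMvc mvc;

    // No credentials: the chain must challenge, never serve. This is the invariant
    // to keep whatever policy is chosen; it is the test that breaks under
    // security.basic.authorize-mode: NONE.
    @Test
    public void noCredentialsIsChallenged() throws Exception {
        mvc.perform(get(CONSOLE)).andExpect(status().isUnauthorized());
    }

    // Authenticated, but only ROLE_ADMIN: the default rule hasAnyRole('ROLE_USER', ...)
    // rejects it, which is the 403 from the question. Spring Security does not treat
    // ADMIN as implying USER unless a RoleHierarchy is configured.
    @Test
    @WithMockUser(roles = "ADMIN")
    public void adminWithoutUserRoleIsForbiddenByDefaultChain() throws Exception {
        mvc.perform(get(CONSOLE)).andExpect(status().isForbidden());
    }

    // ROLE_USER clears the chain. The H2 console servlet is not part of the MockMvc
    // dispatcher, so DispatcherServlet answers 404; anything other than 401/403 means
    // the security decision was "allow".
    @Test
    @WithMockUser(roles = "USER")
    public void userRolePassesTheFilterChain() throws Exception {
        mvc.perform(get(CONSOLE)).andExpect(status().isNotFound());
    }
}
```

If a custom chain for the console is added later (for example one that accepts ROLE_ADMIN), the second expectation changes accordingly; the first should not.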

0

    @Configuration
    @ConditionalOnClass(WebSecurityConfigurerAdapter.class)
    @ConditionalOnBean(ObjectPostProcessor.class)
    @ConditionalOnProperty(prefix = "security.basic", name = "enabled", matchIfMissing = true)
    static class H2ConsoleSecurityConfiguration

As you can read in the Spring Boot source, if basic security is enabled, Spring Boot registers a Spring Security configuration with H2ConsoleSecurityConfigurer at order SecurityProperties.BASIC_AUTH_ORDER - 10, so authentication for the console follows that security configuration. This is the default security configuration:

    @Override
    public void configure(HttpSecurity http) throws Exception {
        String path = this.console.getPath();
        String antPattern = (path.endsWith("/") ? path + "**" : path + "/**");
        HttpSecurity h2Console = http.antMatcher(antPattern);
        h2Console.csrf().disable();
        h2Console.httpBasic();
        h2Console.headers().frameOptions().sameOrigin();
        // accepted roles come from security.user.role (default USER); with the
        // actuator present, management.security.roles (ACTUATOR) is appended
        String[] roles = this.security.getUser().getRole().toArray(new String[0]);
        // security.basic.authorize-mode: ROLE (default), AUTHENTICATED or NONE
        SecurityAuthorizeMode mode = this.security.getBasic().getAuthorizeMode();
        if (mode == null || mode == SecurityAuthorizeMode.ROLE) {
            http.authorizeRequests().anyRequest().hasAnyRole(roles);
        }
        else if (mode == SecurityAuthorizeMode.AUTHENTICATED) {
            http.authorizeRequests().anyRequest().authenticated();
        }
        // NONE: no access rule is added to this chain at all
    }

If the default does not suit you, you can create a new configuration that overrides the default one.

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.autoconfigure.h2.H2ConsoleProperties;
    import org.springframework.boot.autoconfigure.security.SecurityProperties;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    // before the default configuration (BASIC_AUTH_ORDER - 10)
    @Order(SecurityProperties.BASIC_AUTH_ORDER - 11)
    class CustomH2ConsoleSecurityConfigurer extends WebSecurityConfigurerAdapter {

        @Autowired
        private H2ConsoleProperties console;

        @Override
        public void configure(HttpSecurity http) throws Exception {
            String path = this.console.getPath();
            String antPattern = (path.endsWith("/") ? path + "**" : path + "/**");
            HttpSecurity h2Console = http.antMatcher(antPattern);
            h2Console.csrf().disable();
            h2Console.httpBasic();
            h2Console.headers().frameOptions().sameOrigin();
            // configure as you like
            http.authorizeRequests().anyRequest().permitAll();
        }

    }
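An added example of the override this answer describes (written for this page; neither Spring Boot's H2ConsoleSecurityConfigurer nor the answer's code): it keeps basic authentication on the console, grants it to ROLE_USER, and lets ROLE_ADMIN satisfy that through a RoleHierarchy, which is the ordering the question assumed but which Spring Security does not apply on its own. It also limits the console to loopback callers with hasIpAddress, independent of `spring.h2.console.settings.web-allow-others`. The class name LockedDownH2ConsoleSecurity is made up; the order and ant pattern follow the answer.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.h2.H2ConsoleProperties;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

/*
 * Added example, not Spring Boot's H2ConsoleSecurityConfigurer and not the answer's code.
 * Ordered one slot before the auto-configured console chain (BASIC_AUTH_ORDER - 10), so
 * this is the chain that handles /h2-console/**. The class name is made up.
 */
@Configuration
@Order(SecurityProperties.BASIC_AUTH_ORDER - 11)
public class LockedDownH2ConsoleSecurity extends WebSecurityConfigurerAdapter {

    @Autowired
    private H2ConsoleProperties console;   // spring.h2.console.path, default /h2-console

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        String path = this.console.getPath();
        String antPattern = (path.endsWith("/") ? path + "**" : path + "/**");

        // Spring Security does not order roles by itself: a principal holding only
        // ROLE_ADMIN fails hasRole('USER'). A RoleHierarchy makes ADMIN imply USER
        // for this chain only (the handler is local, not a shared bean).
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER");
        DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
        handler.setRoleHierarchy(hierarchy);

        http.antMatcher(antPattern)
            .csrf().disable()                            // the console's own forms carry no CSRF token
            .httpBasic().and()                           // same challenge as the default chain
            .headers().frameOptions().sameOrigin().and() // the console renders itself in frames
            .authorizeRequests()
                .expressionHandler(handler)
                // Loopback only, whatever web-allow-others says: the console runs
                // arbitrary SQL as the datasource user, so keep the network reach small.
                .anyRequest().access(
                    "hasRole('USER') and (hasIpAddress('127.0.0.1') or hasIpAddress('::1'))");
    }
}
```

The line to avoid on a shared host is `permitAll()` on this chain: with `web-allow-others: true` the console also accepts connections from other machines, and an open console is a SQL shell on the application database. If the only problem is the missing role, the default chain shown above reads its accepted roles from `security.user.role`, so listing ADMIN there is a smaller change than switching `security.basic.authorize-mode` to NONE, which removes the access rule from the console chain altogether.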