2014-09-02 110 views
5

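Security configuration with Spring Boot

I created a Spring Security configuration class for Spring Boot. My login page has css, js and ico resource files. The resources are being denied for security reasons, and each request is redirected to the login page. Why does EnableWebMVCSecurity not add the classpath resource locations? After changing the code as in the second snippet, the classpath resource locations are added. I don't understand what I am missing for the resources in the first code snippet.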


import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
/*
 * Enable Spring Security's web security support and provide the Spring MVC integration.
 * The class also extends WebSecurityConfigurerAdapter and overrides a couple of its methods to set some specifics of the web security configuration.
 */
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * The configure(HttpSecurity) method defines which URL paths should be
     * secured and which should not.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated();

        // There is a custom login page specified by loginPage(), and everyone
        // is allowed to view it.
        http
            .formLogin()
                .loginPage("/login.html")
                .permitAll()
                .and()
            .logout()
                .permitAll().logoutSuccessUrl("/login.html");
    }

    @Configuration
    protected static class AuthenticationConfiguration extends
            GlobalAuthenticationConfigurerAdapter {
        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            // init(AuthenticationManagerBuilder) sets up an in-memory user store
            // with a single user. That user is given a password of "password"
            // and a role of "USER".
            auth
                .inMemoryAuthentication()
                .withUser("[email protected]").password("password").roles("USER");
        }
    }
}

I got this working by changing the code to:


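import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
/*
 * Enable Spring Security's web security support and provide the Spring MVC integration.
 * It also extends WebSecurityConfigurerAdapter and overrides a couple of its methods to set some specifics of the web security configuration.
 */
public class WebSecurityConfig {

    @Bean
    public ApplicationSecurity applicationSecurity() {
        return new ApplicationSecurity();
    }

    @Bean
    public AuthenticationSecurity authenticationSecurity() {
        return new AuthenticationSecurity();
    }

    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated();
            http
                .formLogin()
                    .loginPage("/login.html")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll().logoutSuccessUrl("/login.html");
        }
    }

    @Order(Ordered.HIGHEST_PRECEDENCE + 10)
    protected static class AuthenticationSecurity extends
            GlobalAuthenticationConfigurerAdapter {
        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .inMemoryAuthentication()
                .withUser("[email protected]").password("password").roles("USER");
        }
    }
}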

After changing the code I noticed that the ignored paths are added to the filters, and I see the following in the logs:

 
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain  : Creating filter chain: Ant [pattern='/css/**'], [] 
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain  : Creating filter chain: Ant [pattern='/js/**'], [] 
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain  : Creating filter chain: Ant [pattern='/images/**'], [] 
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain  : Creating filter chain: Ant [pattern='/**/favicon.ico'], [] 
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain  : Creating filter chain: [email protected]1, [org.springframework.secu[email protected]4e3e0069, org.spring[email protected]3d2dd0cf, [email protected]b02, [email protected], org.[email protected]267237ef, org.springframework.s[email protected]129495ef, org.springframework.[email protected]7db0a467, org.springfram[email protected]764d1dbd, org.sp[email protected]25a5268d, org.springframework.[email protected]15c01d0c, org.springfram[email protected]37818a3b, o[email protected]3fe57e49, org[email protected]4278af59, org.springfr[email protected]424bef91] 

Answers

6

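According to the docs, you have disabled the Spring Boot auto-configuration in the first example by using @EnableWebSecurity, so you would have to explicitly ignore all the static resources manually. In the second example you simply provide a WebSecurityConfigurer, which is additive on top of the default auto-configuration.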

+0

Thanks for the pointer to the docs. I had used 'EnableWebMVCSecurity', which is different from EnableWebSecurity. – randominstanceOfLivingThing 2014-09-03 19:15:56

+0

It is the same (in the sense that it is a superset) - one is annotated with the other. – 2014-09-03 20:51:49

+0

@DaveSyer, could you take a look at my question? https://stackoverflow.com/questions/46065063/spring-boot-basic-authentication – 2017-09-06 02:48:18
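
What the answer above describes, as an added example (not code from the question or from the answerer): with @EnableWebMvcSecurity in place, the static paths that Boot registered in the question's log are ignored explicitly. The class name is hypothetical; the patterns are copied from that log output.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
@EnableWebMvcSecurity // Boot's default web security, including its ignored static paths, is switched off
public class ExplicitStaticResourceSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical name

    // Same patterns that appear in the question's "Creating filter chain" log lines.
    private static final String[] STATIC_RESOURCES = {
        "/css/**", "/js/**", "/images/**", "/**/favicon.ico"
    };

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Each pattern gets its own empty filter chain: no authentication,
        // but also no CSRF handling and no security response headers.
        web.ignoring().antMatchers(STATIC_RESOURCES);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Everything that is not ignored above still requires a login.
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login.html")
                .permitAll()
                .and()
            .logout()
                .logoutSuccessUrl("/login.html")
                .permitAll();
    }
}
```

If the static files should still pass through the filter chain and receive Spring Security's response headers, drop the `ignoring()` call and add `.antMatchers(STATIC_RESOURCES).permitAll()` before `anyRequest()` instead.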

0

Create a configuration file that extends WebSecurityConfigurerAdapter and annotate the class with @EnableWebSecurity

You can override methods like configure(HttpSecurity http) to add basic security like below

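import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class AppWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is turned off and every request is permitted
        // without authentication.
        http
            .csrf().disable()
            .authorizeRequests()
                .anyRequest().permitAll();
    }
}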