How can I set the content type header when securing an application with Spring Security 3.2.0 and serving javascript files?

Posted: 2014-02-22 02:45:46

Question:

I have some js files that are served to Chrome through a Jetty server with Spring Security (3.2.0).

Since adding Spring Security, the browser now complains that the scripts are loaded as text/html instead of application/javascript. How do I configure my WebSecurityConfigurerAdapter so that the mime type is set correctly?

My configuration looks like this:

@Autowired
public void configureGlobal( AuthenticationManagerBuilder authBuilder ) throws Exception
{
    LOGGER.info( "configureGlobal()" );
    DaoAuthenticationConfigurer<AuthenticationManagerBuilder, UserDetailsServiceImpl> userServiceConfigurer = authBuilder.userDetailsService(
        new UserDetailsServiceImpl() );

    // TODO temporary until we get angular to play well with the required csrf token.
    HttpSecurity httpSecurity = getHttp();
    httpSecurity.csrf().disable();

    ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry interceptUrlRegistry = httpSecurity.authorizeRequests();
    interceptUrlRegistry.anyRequest().authenticated();

    httpSecurity.authorizeRequests().antMatchers( "/unsecure/**" ).permitAll();
    httpSecurity.authorizeRequests().antMatchers( HttpMethod.GET, "/lib/**" ).permitAll();

    FormLoginConfigurer<HttpSecurity> formLoginConfigurer = httpSecurity.formLogin();
    formLoginConfigurer.loginPage( "/unsecure/login.html" ).permitAll();
}

The errors in the Chrome console are:

Resource interpreted as Stylesheet but transferred with MIME type text/html:     "http://localhost:8080/maggie/unsecure/login.html". login.html:18
Resource interpreted as Script but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:31
Resource interpreted as Script but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:28
Resource interpreted as Script but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:33
Resource interpreted as Script but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:30
Resource interpreted as Stylesheet but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:9
Refused to execute script from 'http://localhost:8080/maggie/lib/boo...otstrap.min.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. login.html:1
Refused to execute script from 'http://localhost:8080/maggie/lib/angular/angular.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. login.html:1
Refused to execute script from 'http://localhost:8080/maggie/lib/ang...gular-route.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. login.html:1
Refused to execute script from 'http://localhost:8080/maggie/unsecure/authenticate.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.

Disabling the headers (httpSecurity.headers().disable()) just gives me a different error:

Resource interpreted as Stylesheet but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:18
Uncaught SyntaxError: Unexpected token <

Comments:

By default Spring Security does not set the content type. Please double check that disabling Spring Security does not resolve the problem. If you still have problems, please create a JIRA. Note that Spring Security can set the content type using a custom header response and DelegatingRequestMatcherHeaderWriter. See docs.spring.io/spring-securit...ingle/#headers for more information. However, it should probably be whatever you are using to serve the resources from the jar that sets the content type. For example, Spring MVC's resource support will set the content type for you.

Answer 1:

You can refer to this answer.

Also, for javascript files, it is better to disable security for them:

  @Override
  public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/the_js_path/**");
  }

Discussion:

Answer 2:

The problem turned out to be the ordering of the calls on httpSecurity.

When I put:

httpSecurity.authorizeRequests().anyRequest().authenticated();

last, after permitting access to the login html/js and after the form configuration was applied.

What is not clear to me is why using and() and chaining all the calls together works, but breaking those calls out into separate calls on httpSecurity requires a different order.

A note in the documentation might help others who hit the same problem.

Discussion:
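As an added illustration (not code from the question or either answer), the same configuration written in the chained form that answer 2 found to work, with the permitAll() rules placed ahead of anyRequest().authenticated(); UserDetailsServiceImpl is the question's own class, and the class name SecurityConfig is assumed.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // UserDetailsServiceImpl is the question's own user store (assumed to exist).
        auth.userDetailsService(new UserDetailsServiceImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Access rules are evaluated top-down and the first matching rule wins,
            // so the permitAll() matchers must come BEFORE anyRequest().authenticated().
            // With anyRequest() registered first, /lib/** and /unsecure/** were caught
            // by it, the unauthenticated browser was redirected to login.html, and every
            // <script> and <link> received that HTML page back as text/html.
            .authorizeRequests()
                .antMatchers("/unsecure/**").permitAll()
                .antMatchers(HttpMethod.GET, "/lib/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/unsecure/login.html").permitAll()
                .and()
            // Kept from the question; re-enable once the client sends the CSRF token.
            .csrf().disable();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Alternative from answer 1: bypass the security filter chain for static assets.
        // Note this also skips Spring Security's header writers for those paths, so the
        // permitAll() rule above is the safer default unless that is intended.
        web.ignoring().antMatchers("/lib/**");
    }
}
```

The content type itself still comes from whatever serves the static files (Jetty or Spring MVC's resource handler), as the comment above notes; Spring Security only needs to stop redirecting those requests to the login page.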
