在使用 Spring Security 3.2.0 保护应用程序并提供 javascript 文件时，如何设置内容类型标头？

Posted 2023-02-26

【中文标题】在使用 Spring Security 3.2.0 保护应用程序并提供 javascript 文件时，如何设置内容类型标头？

【英文标题】：How can I set the content type header when securing an application with Spring Security 3.2.0 and serving javascript files?

【发布时间】：2014-02-22 02:45:46

【问题描述】：

我有一些 js 文件通过码头服务器和 spring security (3.2.0) 提供给 Chrome。

自从添加了 Spring Security 后，浏览器现在抱怨脚本加载为 text/html 而不是 application/javascript。如何配置我的 WebSecurityConfigurerAdapter 以正确设置 mime 类型？

我的配置如下所示：

@Autowired
public void configureGlobal( AuthenticationManagerBuilder authBuilder ) throws Exception

LOGGER.info( "configureGlobal()" );
DaoAuthenticationConfigurer<AuthenticationManagerB uilder, UserDetailsServiceImpl> userServiceConfigurer = authBuilder.userDetailsService(
new UserDetailsServiceImpl() );

// TODO temporary until we get angular to play well with the required csrf token.
HttpSecurity httpSecurity = getHttp();
httpSecurity.csrf().disable();

ExpressionUrlAuthorizationConfigurer<HttpSecurity> .ExpressionInterceptUrlRegistry interceptUrlRegistry = httpSecurity.authorizeRequests();
interceptUrlRegistry.anyRequest().authenticated();

httpSecurity.authorizeRequests().antMatchers( "/unsecure/**" ).permitAll();
httpSecurity.authorizeRequests().antMatchers( HttpMethod.GET, "/lib/**" ).permitAll();

FormLoginConfigurer<HttpSecurity> formLoginConfigurer = httpSecurity.formLogin();
formLoginConfigurer.loginPage( "/unsecure/login.html" ).permitAll();

Chrome 控制台中的错误是：

Resource interpreted as Stylesheet but transferred with MIME type text/html:     "http://localhost:8080/maggie/unsecure/login.html". login.html:18
Resource interpreted as Script but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:31
Resource interpreted as Script but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:28
Resource interpreted as Script but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:33
Resource interpreted as Script but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:30
Resource interpreted as Stylesheet but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:9
Refused to execute script from 'http://localhost:8080/maggie/lib/boo...otstrap.min.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. login.html:1
Refused to execute script from 'http://localhost:8080/maggie/lib/angular/angular.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. login.html:1
Refused to execute script from 'http://localhost:8080/maggie/lib/ang...gular-route.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. login.html:1
Refused to execute script from 'http://localhost:8080/maggie/unsecure/authenticate.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.

禁用标题(httpSecurity.headers().disable()) 只是给了我一个不同的错误：

Resource interpreted as Stylesheet but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:18
Uncaught SyntaxError: Unexpected token <

【问题讨论】：

默认情况下 Spring Security 不设置内容类型。请仔细检查禁用 Spring Security 是否不能解决问题。如果您仍有问题，请创建一个 JIRA。请注意，Spring Security 可以使用自定义标头响应和 DelegatingRequestMatcherHeaderWriter 设置内容类型。请参阅docs.spring.io/spring-securit...ingle/#headers 了解更多信息。但是，它可能应该是您使用的任何东西，它从设置内容类型的 jar 中提供资源。例如，Spring MVC 的资源支持会为您设置内容类型。

【参考方案1】：

你可以参考这个answer。

而且，对于 javascript 文件，最好禁用它们的安全性：

  @Override
  public void configure(WebSecurity web) throws Exception 
    web.ignoring().antMatchers("/the_js_path/**");
  

【参考方案2】：

问题原来是对 httpSecurity 的调用排序。

当我输入时：

httpSecurity.authorizeRequests().anyRequest().authenticated();

最后，在允许访问登录 html/js 并调用表单配置应用程序之后。

我不清楚的是为什么使用 and() 并将所有调用链接在一起有效，但将这些调用分解为对 httpSecurity 的调用需要不同的顺序。

文档中的注释可能会帮助解决相同问题的其他人。