How can I set the content type header when securing an application with Spring Security 3.2.0 and serving javascript files?
Posted: 2014-02-22 02:45:46
Question: I have some js files that are served to Chrome through a Jetty server and Spring Security (3.2.0).
Since adding Spring Security, the browser now complains that the scripts are loaded as text/html instead of application/javascript. How do I configure my WebSecurityConfigurerAdapter so that the mime type is set correctly?
My configuration looks like this:
@Autowired
public void configureGlobal( AuthenticationManagerBuilder authBuilder ) throws Exception
{
    LOGGER.info( "configureGlobal()" );
    DaoAuthenticationConfigurer<AuthenticationManagerBuilder, UserDetailsServiceImpl> userServiceConfigurer = authBuilder.userDetailsService(
        new UserDetailsServiceImpl() );
    // TODO temporary until we get angular to play well with the required csrf token.
    HttpSecurity httpSecurity = getHttp();
    httpSecurity.csrf().disable();
    ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry interceptUrlRegistry = httpSecurity.authorizeRequests();
    interceptUrlRegistry.anyRequest().authenticated();
    httpSecurity.authorizeRequests().antMatchers( "/unsecure/**" ).permitAll();
    httpSecurity.authorizeRequests().antMatchers( HttpMethod.GET, "/lib/**" ).permitAll();
    FormLoginConfigurer<HttpSecurity> formLoginConfigurer = httpSecurity.formLogin();
    formLoginConfigurer.loginPage( "/unsecure/login.html" ).permitAll();
}
The errors in the Chrome console are:
Resource interpreted as Stylesheet but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:18
Resource interpreted as Script but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:31
Resource interpreted as Script but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:28
Resource interpreted as Script but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:33
Resource interpreted as Script but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:30
Resource interpreted as Stylesheet but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:9
Refused to execute script from 'http://localhost:8080/maggie/lib/boo...otstrap.min.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. login.html:1
Refused to execute script from 'http://localhost:8080/maggie/lib/angular/angular.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. login.html:1
Refused to execute script from 'http://localhost:8080/maggie/lib/ang...gular-route.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. login.html:1
Refused to execute script from 'http://localhost:8080/maggie/unsecure/authenticate.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.
Disabling the headers (httpSecurity.headers().disable()) just gives me a different error:
Resource interpreted as Stylesheet but transferred with MIME type text/html: "http://localhost:8080/maggie/unsecure/login.html". login.html:18
Uncaught SyntaxError: Unexpected token <
Comments:
By default Spring Security does not set the content type. Please double check that disabling Spring Security does not fix the problem. If you still have problems, please create a JIRA. Note that Spring Security can set the content type using a custom header response and DelegatingRequestMatcherHeaderWriter. See docs.spring.io/spring-securit...ingle/#headers for more information. However, it should probably be whatever you are using to serve the resources from the jar that sets the content type. For example, Spring MVC's resource support will set the content type for you.
Answer 1: You can refer to this answer.
Also, for javascript files, it is better to disable security for them:
@Override
public void configure(WebSecurity web) throws Exception
{
    web.ignoring().antMatchers("/the_js_path/**");
}
Answer 2: The problem turned out to be the ordering of the calls on httpSecurity.
When I put:
httpSecurity.authorizeRequests().anyRequest().authenticated();
last, after permitting access to the login html/js and calling the form configuration, the application worked.
What is not clear to me is why using and() and chaining all the calls together works, but breaking those calls out into separate calls on httpSecurity requires a different order.
A note in the documentation might help others who run into the same problem.
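To make the ordering point from the answer above concrete, here is an added example (not the asker's code and not from the Spring project) of a complete Spring Security 3.2.x Java configuration using the question's own paths: the specific permitAll matcher is registered before the catch-all anyRequest().authenticated(), because the registry evaluates rules in registration order and the first match wins, so a catch-all registered first shadows everything after it and unauthenticated script requests get answered with the text/html login page seen in the console output. The class name SecurityConfig is assumed; UserDetailsServiceImpl is the class named in the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // UserDetailsServiceImpl is the question's own class (assumed to be on the classpath).
        auth.userDetailsService(new UserDetailsServiceImpl());
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Third-party static libraries bypass the security filter chain entirely, so the
        // container's default servlet serves them with their real MIME type (answer 1).
        // This makes a separate permitAll rule for /lib/** in configure(HttpSecurity) unnecessary.
        web.ignoring().antMatchers("/lib/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Most specific, most permissive rule first: the login page and its scripts.
                .antMatchers("/unsecure/**").permitAll()
                // Catch-all last. Registering it first would shadow the rule above, and every
                // unauthenticated script request would be redirected to the HTML login page.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/unsecure/login.html")
                .permitAll();
        // CSRF protection is left enabled; the question disabled it only as a temporary workaround.
    }
}
```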