春季安全+休息不起作用
Posted
技术标签:
【中文标题】春季安全+休息不起作用【英文标题】:spring security + rest doesn't work 【发布时间】:2017-03-08 01:20:42 【问题描述】:我已经配置了所有属性,但是我的应用仍然在没有弹簧安全的情况下加载,就好像它不存在一样......请帮助我,我做错了什么。
我在这里得到我的房间,没有邮递员的身份验证:
以下是我的课程:
安全配置:
package com.vidaflo.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
@Configuration
@EnableWebSecurity
@ComponentScan("com.vidaflo")
public class SecurityConfiguration extends WebSecurityConfigurerAdapter
@Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception
auth.inMemoryAuthentication().withUser("bill").password("abc123").roles("ADMIN");
auth.inMemoryAuthentication().withUser("tom").password("abc123").roles("USER");
@Override
protected void configure(HttpSecurity http) throws Exception
http.csrf().disable()
.authorizeRequests().antMatchers("/room/**").hasRole("ADMIN")
.and()
.httpBasic()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
SecurityInitializer:
package com.vidaflo.config;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer
网页配置:
package com.vidaflo.config;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;
@Configuration
@EnableWebMvc
@ComponentScan(basePackages = "com.vidaflo.controllers")
public class WebConfiguration extends WebMvcConfigurationSupport
Tomcat 嵌入:
package com.vidaflo.server;
import com.vidaflo.config.ApplicationConfiguration;
import com.vidaflo.config.DatabaseConfiguration;
import com.vidaflo.config.SecurityConfiguration;
import com.vidaflo.config.WebConfiguration;
import lombok.extern.slf4j.Slf4j;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.startup.Tomcat;
import org.springframework.core.env.PropertiesPropertySource;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.servlet.DispatcherServlet;
@Slf4j
public class Application
private static final String APPLICATION_PROPERTIES = System.getProperty("app.properties");
private static final int DEFAULT_PORT = 8080;
private static final String DEFAULT_CONTEXT_PATH = "/app";
private AppProperties appProperties;
private AnnotationConfigWebApplicationContext ctx;
public static void main(String[] args) throws LifecycleException
Application app = new Application(APPLICATION_PROPERTIES);
Server server = new TomcatServer(new Tomcat());
app.run(server);
public Application(String fieldName)
loadProperties(fieldName);
public void run(Server server)
initApplicationContext();
server.run(getConfig());
private void loadProperties(String fieldName)
appProperties = new AppProperties();
appProperties.load(fieldName);
private void initApplicationContext()
log.info("Initialize application context...");
ctx = new AnnotationConfigWebApplicationContext();
ctx.register(SecurityConfiguration.class);
ctx.register(ApplicationConfiguration.class);
ctx.register(WebConfiguration.class);
ctx.register(DatabaseConfiguration.class);
ctx.getEnvironment()
.getPropertySources()
.addLast(new PropertiesPropertySource("applicationEnvironment", appProperties.getProperties()));
private ServerConfig getConfig()
ServerConfig serverConfig = new ServerConfig();
serverConfig.setPort(appProperties.getPort(DEFAULT_PORT));
serverConfig.setContextPath(appProperties.getContextPath(DEFAULT_CONTEXT_PATH));
serverConfig.setServlet(getServlet());
return serverConfig;
private DispatcherServlet getServlet()
return new DispatcherServlet(ctx);
休息控制器:
package com.vidaflo.controllers;
import com.vidaflo.dto.RoomDto;
import com.vidaflo.model.location.Room;
import com.vidaflo.repositories.LocationRepository;
import com.vidaflo.services.RoomService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import java.util.List;
import java.util.stream.Collectors;
@RestController
public class RoomController
@Autowired
private RoomService roomService;
@Autowired
private LocationRepository locationService;
@PostMapping("/room/save")
public String save(@RequestParam(name = "name") String name,
@RequestParam(name = "location_id") Long locationId)
roomService.save(name, locationService.findOne(locationId));
return "room added";
@GetMapping("/room/all")
public List<RoomDto> findAll()
return roomService.findAll().stream()
.map(this::toDto)
.collect(Collectors.toList());
private RoomDto toDto(Room room)
return RoomDto.builder()
.id(room.getId())
.name(room.getName())
.build();
请告诉我是否应该添加其他详细信息。我确实需要帮助,但我不明白自己做错了什么。
【问题讨论】:
@KimAragonEscobar 是的,我已经尝试过"/**"
和很多其他方法,但它仍然不起作用
我将@Secured("ROLE_ADMIN")
(我也尝试过@Secured("ADMIN")
)添加到控制器方法,并将@EnableGlobalMethodSecurity(securedEnabled = true)
添加到SecurityConfiguration 类,但现在我有一个异常security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
;(
【参考方案1】:
找到答案,我们应该像这样在tomcat嵌入式配置中手动添加spring security过滤器:
FilterDef filterDef = new FilterDef();
filterDef.setFilterName("springSecurityFilterChain");
filterDef.setFilterClass("org.springframework.web.filter.DelegatingFilterProxy");
container.addFilterDef(filterDef);
FilterMap filterMapping = new FilterMap();
filterMapping.setFilterName("springSecurityFilterChain");
filterMapping.addURLPattern("/*");
container.addFilterMap(filterMapping);
【讨论】:
【参考方案2】:尝试在configureGlobalSecurity方法和枚举“Roles”中将角色“ADMIN”“USER”更改为“ROLE_ADMIN”“ROLE_USER”,但在configure方法中不要更改。
【讨论】:
我们不能在configure global security method
中使用前缀为 ROLE_
的角色。好吧,我试过了,有异常:`ROLE_ADMIN 不能以 ROLE_ 开头(它是自动添加的)以上是关于春季安全+休息不起作用的主要内容,如果未能解决你的问题,请参考以下文章