春季安全+休息不起作用

Posted 2023-02-27

【中文标题】春季安全+休息不起作用

【英文标题】：spring security + rest doesn't work

【发布时间】：2017-03-08 01:20:42

【问题描述】：

我已经配置了所有属性，但是我的应用仍然在没有弹簧安全的情况下加载，就好像它不存在一样......请帮助我，我做错了什么。

我在这里得到我的房间，没有邮递员的身份验证：

以下是我的课程：

安全配置：

package com.vidaflo.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
@ComponentScan("com.vidaflo")
public class SecurityConfiguration extends WebSecurityConfigurerAdapter 

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception 
        auth.inMemoryAuthentication().withUser("bill").password("abc123").roles("ADMIN");
        auth.inMemoryAuthentication().withUser("tom").password("abc123").roles("USER");
    

    @Override
    protected void configure(HttpSecurity http) throws Exception 
        http.csrf().disable()
                .authorizeRequests().antMatchers("/room/**").hasRole("ADMIN")
                .and()
                .httpBasic()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    

SecurityInitializer：

package com.vidaflo.config;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer 

网页配置：

package com.vidaflo.config;

import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;

@Configuration
@EnableWebMvc
@ComponentScan(basePackages = "com.vidaflo.controllers")
public class WebConfiguration extends WebMvcConfigurationSupport 

Tomcat 嵌入：

package com.vidaflo.server;

import com.vidaflo.config.ApplicationConfiguration;
import com.vidaflo.config.DatabaseConfiguration;
import com.vidaflo.config.SecurityConfiguration;
import com.vidaflo.config.WebConfiguration;
import lombok.extern.slf4j.Slf4j;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.startup.Tomcat;
import org.springframework.core.env.PropertiesPropertySource;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.servlet.DispatcherServlet;

@Slf4j
public class Application 
    private static final String APPLICATION_PROPERTIES = System.getProperty("app.properties");
    private static final int DEFAULT_PORT = 8080;
    private static final String DEFAULT_CONTEXT_PATH = "/app";

    private AppProperties appProperties;
    private AnnotationConfigWebApplicationContext ctx;

    public static void main(String[] args) throws LifecycleException 
        Application app = new Application(APPLICATION_PROPERTIES);
        Server server = new TomcatServer(new Tomcat());
        app.run(server);
    

    public Application(String fieldName) 
        loadProperties(fieldName);
    

    public void run(Server server) 
        initApplicationContext();
        server.run(getConfig());
    

    private void loadProperties(String fieldName) 
        appProperties = new AppProperties();
        appProperties.load(fieldName);
    

    private void initApplicationContext() 
        log.info("Initialize application context...");

        ctx = new AnnotationConfigWebApplicationContext();
        ctx.register(SecurityConfiguration.class);
        ctx.register(ApplicationConfiguration.class);
        ctx.register(WebConfiguration.class);
        ctx.register(DatabaseConfiguration.class);
        ctx.getEnvironment()
            .getPropertySources()
            .addLast(new PropertiesPropertySource("applicationEnvironment", appProperties.getProperties()));
    

    private ServerConfig getConfig() 
        ServerConfig serverConfig = new ServerConfig();
        serverConfig.setPort(appProperties.getPort(DEFAULT_PORT));
        serverConfig.setContextPath(appProperties.getContextPath(DEFAULT_CONTEXT_PATH));
        serverConfig.setServlet(getServlet());
        return serverConfig;
    

    private DispatcherServlet getServlet() 
        return new DispatcherServlet(ctx);
    

休息控制器：

package com.vidaflo.controllers;

import com.vidaflo.dto.RoomDto;
import com.vidaflo.model.location.Room;
import com.vidaflo.repositories.LocationRepository;
import com.vidaflo.services.RoomService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

import java.util.List;
import java.util.stream.Collectors;

@RestController
public class RoomController 
    @Autowired
    private RoomService roomService;

    @Autowired
    private LocationRepository locationService;

    @PostMapping("/room/save")
    public String save(@RequestParam(name = "name") String name,
                       @RequestParam(name = "location_id") Long locationId) 
        roomService.save(name, locationService.findOne(locationId));
        return "room added";
    

    @GetMapping("/room/all")
    public List<RoomDto> findAll() 
        return roomService.findAll().stream()
                .map(this::toDto)
                .collect(Collectors.toList());
    

    private RoomDto toDto(Room room) 
        return RoomDto.builder()
                .id(room.getId())
                .name(room.getName())
                .build();
    

请告诉我是否应该添加其他详细信息。我确实需要帮助，但我不明白自己做错了什么。

【问题讨论】：

@KimAragonEscobar 是的，我已经尝试过"/**" 和很多其他方法，但它仍然不起作用

我将@Secured("ROLE_ADMIN")（我也尝试过@Secured("ADMIN")）添加到控制器方法，并将@EnableGlobalMethodSecurity(securedEnabled = true) 添加到SecurityConfiguration 类，但现在我有一个异常security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext ;(

【参考方案1】：

找到答案，我们应该像这样在tomcat嵌入式配置中手动添加spring security过滤器：

FilterDef filterDef = new FilterDef();
        filterDef.setFilterName("springSecurityFilterChain");
        filterDef.setFilterClass("org.springframework.web.filter.DelegatingFilterProxy");
        container.addFilterDef(filterDef);

        FilterMap filterMapping = new FilterMap();
        filterMapping.setFilterName("springSecurityFilterChain");
        filterMapping.addURLPattern("/*");
        container.addFilterMap(filterMapping);

【参考方案2】：

尝试在configureGlobalSecurity方法和枚举“Roles”中将角色“ADMIN”“USER”更改为“ROLE_ADMIN”“ROLE_USER”，但在configure方法中不要更改。

【讨论】：

我们不能在 configure global security method 中使用前缀为 ROLE_ 的角色。好吧，我试过了，有异常：`ROLE_ADMIN 不能以 ROLE_ 开头（它是自动添加的）