spring - Prevent Spring Security from exposing entities via references
Problem description
My problem is that React sends requests along different paths to load CSS, JS, images and so on, and Spring blocks them and returns 401. If you specify the paths explicitly, everything works. Working setup:
    http.cors().and().csrf().disable()
        .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
        .authorizeRequests()
            .antMatchers("/admin").hasRole("ADMIN")
            .antMatchers("/").permitAll()
            .antMatchers("/favicon.ico").permitAll()
            .antMatchers("/static/**").permitAll()
            .antMatchers("/manifest.json").permitAll()
            .antMatchers("/logo192.png").permitAll()
            .antMatchers("/api/auth/**").permitAll()
            .antMatchers("/api/test/**").permitAll()
            .anyRequest().authenticated();
I want to solve the problem of having to enter every loadable object along the path by hand. If I set the value "/**" in the Spring Security settings, then a user can receive the JSON of all the tables from the database; for example, opening localhost:8080/users shows the list of users in JSON format, and the same goes for the rest of the tables. Spring MVC config:
import java.io.IOException;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.resource.PathResourceResolver;

@Configuration
public class MvcSecurityConfig implements WebMvcConfigurer {

    @Value("${path.frontend}")
    private String frontendPath;

    @Value("${frontendStaticResourcesPathPatterns}")
    private String[] frontendStaticResourcesPathPatterns;

    private static final String BASE_API_PATH = "/";

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        String pathToFrontend = "file:" + this.frontendPath;
        String pathToIndexHTML = pathToFrontend + "/index.html";

        // Static assets of the front-end build, served from disk without caching.
        registry
            .addResourceHandler(frontendStaticResourcesPathPatterns)
            .setCachePeriod(0)
            .addResourceLocations(pathToFrontend);

        // SPA fallback: every other path is meant to serve index.html, except API paths.
        registry.addResourceHandler("/", "/**")
            .setCachePeriod(0)
            .addResourceLocations(pathToIndexHTML)
            .resourceChain(true)
            .addResolver(new PathResourceResolver() {
                @Override
                protected Resource getResource(String resourcePath, Resource location) throws IOException {
                    // Note: with BASE_API_PATH = "/", BASE_API_PATH.substring(1) is the empty
                    // string, and every path starts with "", so this branch is taken for every
                    // request and the resolver returns null.
                    if (resourcePath.startsWith(BASE_API_PATH) || resourcePath.startsWith(BASE_API_PATH.substring(1))) {
                        return null;
                    }
                    return location.exists() && location.isReadable() ? location : null;
                }
            });
    }
}
Spring Security config:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// UserDetailsServiceImpl, AuthEntryPointJwt and AuthTokenFilter are the project's own
// classes and are not shown in the question.
@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserDetailsServiceImpl userDetailsService;

    @Autowired
    private AuthEntryPointJwt unauthorizedHandler;

    @Bean
    public AuthTokenFilter authenticationJwtTokenFilter() {
        return new AuthTokenFilter();
    }

    @Override
    public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Stateless JWT setup: no session, no CSRF token, 401 via the custom entry point.
        http.cors().and().csrf().disable()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
                .antMatchers("/admin").hasRole("ADMIN")
                .antMatchers("/").permitAll()
                .antMatchers("/api/auth/**").permitAll()
                .antMatchers("/api/test/**").permitAll()
                // Everything not listed above, including static assets, requires a token.
                .anyRequest().authenticated();
        http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    }
}
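The following is an added example, not the asker's code and not an answer posted on this page. It shows the shape a practitioner would give this configuration: an explicit allow-list for the front-end assets, with `anyRequest().authenticated()` kept as the last matcher so that data endpoints such as `/users` stay protected. It assumes Spring Boot 2.x with Spring Security 5.x (the same `WebSecurityConfigurerAdapter` API the question uses), a Create React App build layout (`/static/**`, `/manifest.json`, `/logo192.png`), and that the JSON returned at `/users` comes from Spring Data REST exporting repositories, which the question does not state. The asker's JWT filter and entry point are left out so the block compiles on its own.

```java
package example; // hypothetical package, not part of the asker's project

import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

/**
 * Added example (assumed Spring Boot 2.x / Spring Security 5.x). Grants anonymous
 * access only to what the browser needs to render the SPA; every other URL,
 * including any auto-exported repository endpoint like /users, needs a token.
 */
@Configuration
@EnableWebSecurity
public class StaticAssetSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
                // 1. Browser assets. PathRequest.toStaticResources().atCommonLocations()
                //    covers /css/**, /js/**, /images/**, /webjars/** and /favicon.ico.
                .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                //    Files a Create React App build puts at the root or under /static/.
                //    Restricting these to GET keeps the allow-list from covering
                //    writes to the same paths.
                .antMatchers(HttpMethod.GET, "/", "/index.html", "/static/**",
                             "/manifest.json", "/logo192.png", "/robots.txt").permitAll()
                // 2. Public API surface, listed explicitly rather than via a wildcard.
                .antMatchers("/api/auth/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                // 3. Catch-all. Matchers are evaluated in declaration order, so this
                //    must stay last; replacing it with antMatchers("/**").permitAll()
                //    is exactly what exposes /users and the other tables.
                .anyRequest().authenticated();
    }
}
```

Two points worth checking in a setup like the one in the question. First, the `"/**"` resource handler in `MvcSecurityConfig` is not what opens the data: the security filter chain runs before Spring MVC resolves handlers, so only a `permitAll()` on `"/**"` in the security configuration does that. Second, if the `/users` JSON really comes from Spring Data REST (an assumption here), it is worth adding `spring.data.rest.detection-strategy=annotated` to `application.properties` as defence in depth, so that only repositories explicitly annotated for export are reachable at all, regardless of how the URL rules are later edited.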
Solution