下面是我根据新的 Spring Security 6 / Spring Boot 3 文档创建的 SecurityFilterChain bean。请告诉我这是预期的行为，还是配置有问题。
代码:
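@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    /**
     * Password hashing for stored credentials.
     *
     * <p>{@code SecurityBeansConfiguration.getBCE()} in this same listing registers a
     * second {@code BCryptPasswordEncoder}, so the context holds two candidates for a
     * {@code PasswordEncoder} injection point; the {@code authenticationManager}
     * parameter below appears to resolve only because its parameter name matches this
     * bean's name. Keep one of the two.
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Builds the authentication manager from a single DAO provider.
     *
     * <p>The original ignored its {@code userDetailsService} parameter and used a
     * field-injected {@code DomainUserDetailsService} instead; the parameter is now the
     * single source of truth. This assumes exactly one {@code UserDetailsService} bean is
     * registered (presumably {@code DomainUserDetailsService}) — confirm, otherwise add a
     * qualifier.
     *
     * @param userDetailsService loads users by username
     * @param passwordEncoder    encoder matching the stored password hashes
     * @return a {@link ProviderManager} wrapping one {@link DaoAuthenticationProvider}
     */
    @Bean
    public AuthenticationManager authenticationManager(UserDetailsService userDetailsService,
                                                       PasswordEncoder passwordEncoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder);
        return new ProviderManager(provider);
    }

    /**
     * Main security filter chain: response headers, URL authorization and form login.
     *
     * @param http the builder supplied by Spring Security
     * @return the built chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // NOTE(review): CSRF is disabled for the whole application although a
            // session and form login are in use, so every state-changing request
            // (/register/save, PUT/POST/DELETE on /players/**) is open to cross-site
            // request forgery. If the H2 console is the only reason, exempt just its
            // path via csrf.ignoringRequestMatchers(...) instead of disabling it globally.
            .csrf(csrf -> csrf.disable())
            .headers(headers ->
                headers
                    .contentSecurityPolicy(csp ->
                        csp.policyDirectives("default-src 'self' data:;" +
                            "style-src 'self' maxcdn.bootstrapcdn.com getbootstrap.com 'unsafe-inline';"))
                    // DENY is the right default; be aware the H2 console renders inside
                    // frames and shows a blank page under it. Relax to sameOrigin() only
                    // in a development profile, never globally.
                    .frameOptions(frameOptionsConfig -> frameOptionsConfig.deny())
                    .permissionsPolicy(permissions ->
                        permissions.policy(
                            "fullscreen=(self), geolocation=(), microphone=(), camera=()"
                        )
                    )
            )
            .authorizeHttpRequests(authorizations ->
                authorizations
                    // Spring Security 6 authorizes every dispatch, including the ERROR
                    // dispatch to /error. Without this rule a 404 on a permitted path
                    // (e.g. GET /register, which has no handler) is re-dispatched to
                    // /error, denied there, and shows up as a redirect to /login.
                    .dispatcherTypeMatchers(jakarta.servlet.DispatcherType.ERROR).permitAll()
                    // "/h2" alone matches only the console root; the console's own
                    // servlet serves its login page and assets below "/h2/", which
                    // "/h2/**" covers.
                    .requestMatchers("/healthcheck", "/index", "/login", "/register/**", "/h2", "/h2/**").permitAll()
                    .requestMatchers(HttpMethod.GET, "/players/**").hasAuthority("ROLE_USER")
                    .requestMatchers(HttpMethod.PUT, "/players/**").hasAuthority("ROLE_ADMIN")
                    .requestMatchers(HttpMethod.POST, "/players/**").hasAuthority("ROLE_ADMIN")
                    .requestMatchers(HttpMethod.DELETE, "/players/**").hasAuthority("ROLE_ADMIN")
                    .anyRequest().authenticated()
            )
            .formLogin(form ->
                form.defaultSuccessUrl("/swagger-ui/index.html#/", true)
            );
        return http.build();
    }
}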
@Configuration
public class SecurityBeansConfiguration {

    /**
     * Registers a BCrypt encoder under the bean name {@code getBCE}.
     *
     * <p>{@code SecurityConfiguration.passwordEncoder()} in this listing registers the
     * same encoder type, so two {@code PasswordEncoder} candidates exist; by-type
     * injection then only works where a bean/parameter name disambiguates. One of the
     * two definitions should be removed.
     *
     * @return a new {@link BCryptPasswordEncoder} with default strength
     */
    @Bean
    BCryptPasswordEncoder getBCE() {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        return encoder;
    }
}
@RestController
public class UserEntityController {
// Field-injected collaborators. Of the three, only userService is used by the
// handlers visible in this listing; userRep and userEntityMapper are presumably
// used by methods outside the excerpt.
@Autowired
UserRepository userRep;
@Autowired
UserEntityService userService;
@Autowired
UserEntityMapper userEntityMapper;
/**
 * Handles {@code GET /index}.
 *
 * <p>Because the class is a {@code @RestController}, the returned string is written
 * verbatim to the response body; it is not resolved as a view name.
 *
 * @return the literal text {@code "index"}
 */
@GetMapping("/index")
public String home() {
    final String body = "index";
    return body;
}
/**
 * Handles {@code GET /login}.
 *
 * <p>Under {@code @RestController} the string goes straight into the response body,
 * so this does not render a login template; the form login configured in
 * {@code SecurityConfiguration} serves its own page at the same path.
 *
 * @return the literal text {@code "login"}
 */
@GetMapping("/login")
public String loginForm() {
    final String body = "login";
    return body;
}
// handler method to handle register user form submit request
/**
 * Handles the registration form submit ({@code POST /register/save}).
 *
 * @param user   bound and validated form values
 * @param result validation outcome for {@code user}
 * @param model  request model the view name refers to
 * @return {@code "register"} on validation errors, otherwise the redirect string
 * @throws LoginAlreadyExistsException declared but never thrown by this body
 */
@PostMapping("/register/save")
public String registration(@Valid @ModelAttribute("user") UserEntityDto user,
                           BindingResult result,
                           Model model) throws LoginAlreadyExistsException {
    // NOTE(review): the duplicate check looks the user up by last name, yet the
    // error is attached to the "email" field and worded as an email clash — one of
    // the two is wrong; confirm which attribute registration is meant to be unique on.
    // A message that confirms an existing account also lets a caller probe which
    // accounts exist; a neutral wording is preferable on a public endpoint.
    boolean alreadyRegistered = userService.findUserByLastname(user.getLastName()) != null;
    if (alreadyRegistered) {
        result.rejectValue("email", null, "There is already an account registered with that email");
    }

    if (result.hasErrors()) {
        model.addAttribute("user", user);
        return "register";
    }

    userService.saveUser(user);
    // NOTE(review): the "redirect:" prefix is only honoured by view resolution; in a
    // @RestController this string is sent verbatim as the response body.
    return "redirect:/register?success";
}
application.properties
# In-memory H2 datasource. The credentials below are committed in plain text
# (and "sa" is H2's default account) — acceptable only for a local/dev profile.
spring.datasource.url=jdbc:h2:mem:tennis_db
spring.datasource.driverClassName=org.h2.Driver
spring.datasource.username=sa
spring.datasource.password=password
spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
# Exposes the H2 web console at /h2 (Spring Boot maps its servlet below that path,
# so the login page and assets live under /h2/). The console executes arbitrary SQL
# against the datasource and renders in frames, so it must stay disabled outside
# development; with the security config above it also needs /h2/** permitted and an
# X-Frame-Options value other than DENY to be usable.
spring.h2.console.enabled=true
spring.h2.console.path=/h2
##############################
# Hibernate creates/updates the schema at startup — fine for an in-memory DB,
# risky against a persistent one.
spring.jpa.generate-ddl=true
spring.jpa.open-in-view=false
server.port=8081
我访问的每个端点（例如 http://localhost:8081/h2 或 http://localhost:8081/register）总是被重定向到 http://localhost:8081/login，并显示 Spring Security 默认的用户名/密码登录表单。
我已经对 /h2、/register/** 等路径配置了 permitAll，为什么仍会这样？我该怎么做？
我建议按照 @marcusdacoregio（Marcus Hert Da Coregio）的建议修改代码，如下所示。参考：https://github.com/spring-projects/spring-security/issues/14011
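/**
 * Security filter chain using explicit {@link MvcRequestMatcher}s for the public paths.
 *
 * <p>Fixes the missing {@code ;} after the {@code formLogin(...)} call in the original,
 * which did not compile.
 *
 * @param http the builder supplied by Spring Security
 * @param mvc  prototype-scoped builder for MVC-aware request matchers
 * @return the built chain
 * @throws Exception propagated from {@link HttpSecurity#build()}
 */
@Bean
public SecurityFilterChain filterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
    http
        // NOTE(review): CSRF is off for the whole application while a session and form
        // login are in use; if the H2 console is the only reason, exempt just its path.
        .csrf(csrf -> csrf.disable())
        .headers(headers ->
            headers
                .contentSecurityPolicy(csp ->
                    csp.policyDirectives("default-src 'self' data:;" +
                        "style-src 'self' maxcdn.bootstrapcdn.com getbootstrap.com 'unsafe-inline';"))
                // DENY blanks the frame-based H2 console; relax only in a dev profile.
                .frameOptions(frameOptionsConfig -> frameOptionsConfig.deny())
                .permissionsPolicy(permissions ->
                    permissions.policy(
                        "fullscreen=(self), geolocation=(), microphone=(), camera=()"
                    )
                )
        )
        .authorizeHttpRequests(auth ->
            auth
                .requestMatchers(HttpMethod.GET, "/players/**").hasAuthority("ROLE_USER")
                .requestMatchers(HttpMethod.PUT, "/players/**").hasAuthority("ROLE_ADMIN")
                .requestMatchers(HttpMethod.POST, "/players/**").hasAuthority("ROLE_ADMIN")
                .requestMatchers(HttpMethod.DELETE, "/players/**").hasAuthority("ROLE_ADMIN")
        )
        // Rules below are appended after the /players/** rules; first match wins.
        .authorizeHttpRequests(auth ->
            auth
                // Spring Security 6 authorizes every dispatch. FORWARD was already
                // permitted; ERROR is added because a 404/500 on a permitted path is
                // re-dispatched to /error, and a denied /error surfaces as the
                // login redirect the question describes.
                .dispatcherTypeMatchers(DispatcherType.FORWARD, DispatcherType.ERROR).permitAll()
                // NOTE(review): mvc.pattern(...) matches requests handled by the
                // DispatcherServlet. The H2 console is a separate servlet mapped under
                // /h2/*, so "/h2" here is unlikely to cover its login page and assets;
                // Spring Boot's PathRequest.toH2Console() (or an AntPathRequestMatcher
                // for "/h2/**") is the matcher to use for it — confirm against your
                // Boot version.
                .requestMatchers(mvc.pattern("/healthcheck"), mvc.pattern("/index"), mvc.pattern("/login"), mvc.pattern("/register/**"), mvc.pattern("/h2")).permitAll()
                .anyRequest().authenticated()
        )
        .formLogin(form ->
            form.defaultSuccessUrl("/swagger-ui/index.html#/", true));
    return http.build();
}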
/**
 * Supplies a {@link MvcRequestMatcher.Builder} for building MVC-aware request matchers.
 *
 * <p>Prototype scope: the builder carries mutable configuration (a servlet path), so
 * every injection point receives its own instance instead of sharing one.
 *
 * @param introspector MVC handler-mapping introspector the matchers consult
 * @return a fresh builder per injection
 */
@Scope("prototype")
@Bean
MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
    MvcRequestMatcher.Builder builder = new MvcRequestMatcher.Builder(introspector);
    return builder;
}