I can't get requestMatchers to work properly.

If I try to make a request to the backend (localhost:8080/backend/api/general/testError), it returns a 403 error, whereas the same request on Spring Boot 2.7.X does not.

If I change .anyRequest().authenticated() to .anyRequest().permitAll() it works like a charm, but changing the authentication approach is not the idea. As I said, the same code works on Spring Boot 2.7.X. It was also tested on Spring Boot 3.0.4, 3.0.7 and 3.1.0.

The following code is the SecurityFilterChain filterChain bean definition:
```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

import bknd.Siam.Beans.JwtAuthenticationFilter;
import bknd.Siam.Beans.JwtAuthorizationFilter;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity(
    securedEnabled = true, // ...
    prePostEnabled = true  // so that PreAuthorize can be used (role-based security)
)
public class WebConfig implements WebMvcConfigurer {

    // Collaborators referenced below; their declarations were not included in the post
    @Autowired
    private Environment env;

    @Autowired
    private AuthenticationProvider authProvider;

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        boolean isProduction = true;
        try {
            isProduction = !env.getProperty("dataSource.url").contains("DESA");
        } catch (Exception ex) {
            // On any failure, fall back to production security
            isProduction = true;
        }
        http
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            )
            .csrf(csrf -> csrf.disable())
            .cors(withDefaults())
            .authorizeHttpRequests(request -> request
                .requestMatchers(HttpMethod.POST,
                    "/actuator/**",
                    "/api/general/**",
                    "/api/digesto/documentos/getDigestoDocumentBits/**")
                .permitAll()
                .anyRequest()
                .authenticated()
            )
            .authenticationProvider(authProvider)
            .addFilter(new JwtAuthenticationFilter(authenticationManager(http.getSharedObject(AuthenticationConfiguration.class))))
            .addFilter(new JwtAuthorizationFilter(authenticationManager(http.getSharedObject(AuthenticationConfiguration.class)), isProduction));
        return http.build();
    }

    // Not shown in the post; assumed to resolve the AuthenticationManager from the shared configuration
    private AuthenticationManager authenticationManager(AuthenticationConfiguration configuration) throws Exception {
        return configuration.getAuthenticationManager();
    }
}
```
Debugging the console messages a bit, we can see something interesting:
```text
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:245 - Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@5f0c5384, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@3805707d, org.springframework.security.web.context.SecurityContextHolderFilter@32764446, org.springframework.security.web.header.HeaderWriterFilter@6420c7d6, org.springframework.web.filter.CorsFilter@283de1da, org.springframework.security.web.authentication.logout.LogoutFilter@193bd24, bknd.Siam.Beans.JwtAuthenticationFilter@77464808, bknd.Siam.Beans.JwtAuthorizationFilter@4aeba517, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@1061711c, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1d0c4031, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@597eb2af, org.springframework.security.web.session.SessionManagementFilter@5b9ea973, org.springframework.security.web.access.ExceptionTranslationFilter@1f21993c, org.springframework.security.web.access.intercept.AuthorizationFilter@2dcb65e]] (1/1)
[2023-05-19 09:24:19][DEBUG] org.springframework.security.web.FilterChainProxy:223 - Securing POST /error
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking DisableEncodeUrlFilter (1/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking WebAsyncManagerIntegrationFilter (2/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking SecurityContextHolderFilter (3/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking HeaderWriterFilter (4/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking CorsFilter (5/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking LogoutFilter (6/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.authentication.logout.LogoutFilter:121 - Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking JwtAuthenticationFilter (7/14)
[2023-05-19 09:24:19][TRACE] bknd.Siam.Beans.JwtAuthenticationFilter:271 - Did not match request to Ant [pattern='/api/general/login']
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking JwtAuthorizationFilter (8/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking RequestCacheAwareFilter (9/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking SecurityContextHolderAwareRequestFilter (10/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking AnonymousAuthenticationFilter (11/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking SessionManagementFilter (12/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking ExceptionTranslationFilter (13/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking AuthorizationFilter (14/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager:71 - Authorizing SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@4dea265c]]
[2023-05-19 09:24:19][TRACE] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping:416 - 2 matching mappings: [{ [/error]}, { [/error], produces [text/html]}]
[2023-05-19 09:24:19][TRACE] org.springframework.beans.factory.support.DefaultListableBeanFactory:256 - Returning cached instance of singleton bean 'basicErrorController'
[2023-05-19 09:24:19][TRACE] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping:525 - Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
[2023-05-19 09:24:19][TRACE] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping:416 - 2 matching mappings: [{ [/error]}, { [/error], produces [text/html]}]
[2023-05-19 09:24:19][TRACE] org.springframework.beans.factory.support.DefaultListableBeanFactory:256 - Returning cached instance of singleton bean 'basicErrorController'
[2023-05-19 09:24:19][TRACE] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping:525 - Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
[2023-05-19 09:24:19][TRACE] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping:416 - 2 matching mappings: [{ [/error]}, { [/error], produces [text/html]}]
[2023-05-19 09:24:19][TRACE] org.springframework.beans.factory.support.DefaultListableBeanFactory:256 - Returning cached instance of singleton bean 'basicErrorController'
[2023-05-19 09:24:19][TRACE] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping:525 - Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager:80 - Checking authorization on SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@4dea265c]] using org.springframework.security.authorization.AuthenticatedAuthorizationManager@6c2926cb
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.context.SupplierDeferredSecurityContext:72 - Created SecurityContextImpl [Null authentication]
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.authentication.AnonymousAuthenticationFilter:116 - Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.access.ExceptionTranslationFilter:194 - Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied
org.springframework.security.access.AccessDeniedException: Access Denied
```
```text
[2023-05-19 09:24:19][DEBUG] org.springframework.security.web.authentication.Http403ForbiddenEntryPoint:57 - Pre-authenticated entry point called. Rejecting access
[2023-05-19 09:24:19][TRACE] org.springframework.boot.web.servlet.filter.OrderedRequestContextFilter:105 - Cleared thread-bound request context: org.apache.catalina.core.ApplicationHttpRequest@4dea265c
```
Reading the console, I can see that anyRequest() is taking the api/general path regardless of whether it is excluded.

I have read a lot and still can't find an exact solution; any guidance would be appreciated!

I have tried many ways of implementing requestMatchers, and also some solutions found on Stack Overflow, but none of them worked for me. I expect to find a solution to the problem I am having.
Please double-check that the URLs in your controller are correct (no trailing slash). Since 3.0, localhost:8080/backend/api/general/testError and localhost:8080/backend/api/general/testError/ are no longer matched the same way, which results in a 404 error. Because you do not permit /error, you get a 403.

This may be the reason, but it is hard to say without more details.
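As an added example (not code from the question or the answer), the configuration below shows why the 404 surfaces as a 403 and how to keep the two apart. With authorizeHttpRequests in Spring Security 6 every dispatch is authorized, including the ERROR dispatch Tomcat issues to /error after the original request fails, so that forward hits .anyRequest().authenticated() and the anonymous caller is rejected; the older authorizeRequests did not re-authorize the forwarded error dispatch, which is why 2.7.X behaved differently. The chain assumes the same public POST endpoints and authProvider as the question, omits the JWT filters, and permits only the ERROR dispatcher type rather than the /error path, so a direct anonymous request to /error still requires authentication.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import jakarta.servlet.DispatcherType;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ErrorDispatchSecurityConfig {

    // authProvider is assumed to be the same bean the question wires in
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
                                           AuthenticationProvider authProvider) throws Exception {
        http
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .cors(withDefaults())
            .authorizeHttpRequests(request -> request
                // Let the container's error dispatch (404, 500, ...) reach BasicErrorController,
                // so the client receives the real status instead of a masking 403. Only the
                // ERROR dispatcher type is opened, not the /error path itself.
                .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
                // Same public endpoints as in the question, POST only
                .requestMatchers(HttpMethod.POST,
                    "/actuator/**",
                    "/api/general/**",
                    "/api/digesto/documentos/getDigestoDocumentBits/**").permitAll()
                // Everything else, including a client calling GET /error directly, stays authenticated
                .anyRequest().authenticated()
            )
            .authenticationProvider(authProvider);
        // The question's JwtAuthenticationFilter / JwtAuthorizationFilter would be added here unchanged
        return http.build();
    }
}
```

With the error dispatch permitted, a request to a path that has no mapping (for example the trailing-slash variant the answer describes) comes back as the 404 Spring MVC produced rather than a 403, and the TRACE log will show the permitAll decision for POST /error instead of AccessDeniedException.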