Problem with requestMatchers in Spring Boot since 3.0.4

Problem description (votes: 0, answers: 1)

I can't get requestMatchers to work properly.

If I try to make a request to the endpoint (localhost:8080/backend/api/general/testError), it returns a 403 error, while the same request on Spring Boot 2.7.X does not.

If I change

.anyRequest().authenticated()

to

.anyRequest().permitAll()

it works like a charm, but the idea is not to change how authentication works.

As I said, the same code works on Spring Boot 2.7.X.

It was also tested on Spring Boot 3.0.4, 3.0.7 and 3.1.0.

The following code is the SecurityFilterChain bean definition, filterChain:


import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

import static org.springframework.security.config.Customizer.withDefaults;

// The application's own JWT filters; the package is the one the log below shows for
// JwtAuthenticationFilter and is assumed to hold both classes
import bknd.Siam.Beans.JwtAuthenticationFilter;
import bknd.Siam.Beans.JwtAuthorizationFilter;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity(
        securedEnabled = true, // enables @Secured
        prePostEnabled = true  // enables @PreAuthorize (role-based security)
)
public class WebConfig implements WebMvcConfigurer {

    @Autowired
    private Environment env;

    @Autowired
    private AuthenticationProvider authProvider;

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
                                           AuthenticationConfiguration authConfig) throws Exception {
        boolean isProduction = true;

        try {
            // Only a datasource URL containing "DESA" (development) relaxes the JWT checks
            isProduction = !env.getProperty("dataSource.url").contains("DESA");
        } catch (Exception ex) {
            // On any failure, fall back to production security
            isProduction = true;
        }

        // The global AuthenticationManager Spring Security builds from the registered providers
        AuthenticationManager authManager = authConfig.getAuthenticationManager();

        http
            .sessionManagement(session ->
                    session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            )
            .csrf(csrf -> csrf.disable())
            .cors(withDefaults())
            .authorizeHttpRequests(request -> request
                .requestMatchers(HttpMethod.POST,
                        "/actuator/**",
                        "/api/general/**",
                        "/api/digesto/documentos/getDigestoDocumentBits/**")
                .permitAll()

                .anyRequest()
                .authenticated()
            )
            .authenticationProvider(authProvider)
            .addFilter(new JwtAuthenticationFilter(authManager))
            .addFilter(new JwtAuthorizationFilter(authManager, isProduction));

        return http.build();
    }
}

Debugging the console messages a bit, we can see something interesting:

[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:245 - Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@5f0c5384, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@3805707d, org.springframework.security.web.context.SecurityContextHolderFilter@32764446, org.springframework.security.web.header.HeaderWriterFilter@…, org.springframework.web.filter.CorsFilter@…, org.springframework.security.web.authentication.logout.LogoutFilter@…, bknd.Siam.Beans.JwtAuthenticationFilter@…, bknd.Siam.Beans.JwtAuthorizationFilter@…, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@1061711c, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1d0c4031, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@…, org.springframework.security.web.session.SessionManagementFilter@5b9ea973, org.springframework.security.web.access.ExceptionTranslationFilter@1f21993c, org.springframework.security.web.access.intercept.AuthorizationFilter@2dcb65e]] (1/1)
[2023-05-19 09:24:19][DEBUG] org.springframework.security.web.FilterChainProxy:223 - Securing POST /error
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking DisableEncodeUrlFilter (1/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking WebAsyncManagerIntegrationFilter (2/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking SecurityContextHolderFilter (3/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking HeaderWriterFilter (4/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking CorsFilter (5/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking LogoutFilter (6/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.authentication.logout.LogoutFilter:121 - Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking JwtAuthenticationFilter (7/14)
[2023-05-19 09:24:19][TRACE] bknd.Siam.Beans.JwtAuthenticationFilter:271 - Did not match request to Ant [pattern='/api/general/login']
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking JwtAuthorizationFilter (8/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking RequestCacheAwareFilter (9/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking SecurityContextHolderAwareRequestFilter (10/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking AnonymousAuthenticationFilter (11/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking SessionManagementFilter (12/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking ExceptionTranslationFilter (13/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.FilterChainProxy:133 - Invoking AuthorizationFilter (14/14)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager:71 - Authorizing SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@…]]
[2023-05-19 09:24:19][TRACE] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping:416 - 2 matching mappings: [{ [/error]}, { [/error], produces [text/html]}]
[2023-05-19 09:24:19][TRACE] org.springframework.beans.factory.support.DefaultListableBeanFactory:256 - Returning cached instance of singleton bean 'basicErrorController'
[2023-05-19 09:24:19][TRACE] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping:525 - Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
[2023-05-19 09:24:19][TRACE] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping:416 - 2 matching mappings: [{ [/error]}, { [/error], produces [text/html]}]
[2023-05-19 09:24:19][TRACE] org.springframework.beans.factory.support.DefaultListableBeanFactory:256 - Returning cached instance of singleton bean 'basicErrorController'
[2023-05-19 09:24:19][TRACE] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping:525 - Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
[2023-05-19 09:24:19][TRACE] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping:416 - 2 matching mappings: [{ [/error]}, { [/error], produces [text/html]}]
[2023-05-19 09:24:19][TRACE] org.springframework.beans.factory.support.DefaultListableBeanFactory:256 - Returning cached instance of singleton bean 'basicErrorController'
[2023-05-19 09:24:19][TRACE] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping:525 - Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager:80 - Checking authorization on SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@…]] using org.springframework.security.authorization.AuthenticatedAuthorizationManager@6c2926cb
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.context.SupplierDeferredSecurityContext:72 - Created SecurityContextImpl [Null authentication]
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.authentication.AnonymousAuthenticationFilter:116 - Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
[2023-05-19 09:24:19][TRACE] org.springframework.security.web.access.ExceptionTranslationFilter:194 - Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied
org.springframework.security.access.AccessDeniedException: Access Denied
    at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:98)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:238)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:225)
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:135)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:238)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:225)
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:135)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:91)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:85)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:238)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:225)
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:135)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:238)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:225)
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:135)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:238)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:225)
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:135)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:238)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:225)
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:135)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:238)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:225)
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:135)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:238)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:225)
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:135)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:238)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:225)
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:135)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:238)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:225)
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:135)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:238)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:225)
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:135)
    at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82)
    at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:238)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:225)
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:135)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:238)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:225)
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:135)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:238)
    at org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$0(ObservationFilterChainDecorator.java:321)
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:222)
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:135)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:642)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:410)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:340)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:277)
    at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:358)
    at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:222)
    at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:304)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:149)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:341)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:894)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1741)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:833)
[2023-05-19 09:24:19][DEBUG] org.springframework.security.web.authentication.Http403ForbiddenEntryPoint:57 - Pre-authenticated entry point called. Rejecting access
[2023-05-19 09:24:19][TRACE] org.springframework.boot.web.servlet.filter.OrderedRequestContextFilter:105 - Cleared thread-bound request context: org.apache.catalina.core.ApplicationHttpRequest@…

Reading the console, I can see that anyRequest() is taking the api/general path regardless of the exclusion.

I have read a lot and still can't find the exact solution, so any guidance is appreciated!

I have tried many ways of implementing requestMatchers, and also some solutions found on Stack Overflow, but none of them worked for me.

I expect to find a solution to the problem I am having.

java spring spring-boot spring-security
1 answer

0 votes

Please double-check that the URL in the controller is correct (no trailing slash). Since 3.0,

localhost:8080/backend/api/general/testError

localhost:8080/backend/api/general/testError/

are not matched the same way, which results in a 404 error. Because you don't permit /error, you get a 403.

That may be the reason, but it's hard to say without more details.
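What the trace in the question actually shows, and the matching fix. The request the chain rejects is `POST /error` (`Securing POST /error`), reached through Tomcat's error-page forward (`StandardHostValve.custom` and `ApplicationDispatcher.forward` in the stack trace), not the original `POST /backend/api/general/testError`. Whether that first pass ended in a 404 (the answer's trailing-slash hypothesis) or in an exception thrown by the controller, the log does not say; either way the forwarded `/error` request carries only an `AnonymousAuthenticationToken`, matches none of the POST-only `permitAll` patterns, falls into `anyRequest().authenticated()`, and `Http403ForbiddenEntryPoint` turns the denial into the 403. Spring Security 6 (Spring Boot 3) authorizes every dispatch of a request, the ERROR dispatch included, whereas Spring Security 5 authorized once per request and skipped the error dispatch, which is why the identical configuration was silent on 2.7.X. The block below is an added example, not code from the question or the answer: it keeps the question's matchers and filters (`JwtAuthenticationFilter`, `JwtAuthorizationFilter` and the `authProvider` bean are assumed to exist as posted; the class name `ErrorDispatchAwareSecurityConfig` and the constant `isProduction` flag are placeholders) and adds one explicit rule for the error dispatch.

```java
import jakarta.servlet.DispatcherType;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

// Assumed to exist exactly as in the question (package taken from its log output).
import bknd.Siam.Beans.JwtAuthenticationFilter;
import bknd.Siam.Beans.JwtAuthorizationFilter;

@Configuration
@EnableWebSecurity
public class ErrorDispatchAwareSecurityConfig { // placeholder name for this example

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
                                           AuthenticationConfiguration authConfig,
                                           AuthenticationProvider authProvider) throws Exception {
        AuthenticationManager authManager = authConfig.getAuthenticationManager();
        // Placeholder: the question derives this flag from the datasource URL at startup.
        boolean isProduction = true;

        http
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Dropping CSRF protection is only acceptable because the API is stateless and JWT-based.
            .csrf(csrf -> csrf.disable())
            .cors(withDefaults())
            .authorizeHttpRequests(auth -> auth
                // The ERROR dispatch: Tomcat's forward to /error after a 404 or an uncaught
                // exception. Spring Security 6 authorizes it like any other dispatch, so without
                // this rule a failed request is reported as 403 instead of its real status.
                // Matching on the dispatcher type leaves a direct client request to /error
                // subject to the anyRequest() rule below.
                .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
                // The question's public endpoints, unchanged: POST only.
                .requestMatchers(HttpMethod.POST,
                        "/actuator/**",
                        "/api/general/**",
                        "/api/digesto/documentos/getDigestoDocumentBits/**").permitAll()
                // Everything else, including GET/PUT/DELETE on the paths above, needs a valid JWT.
                .anyRequest().authenticated()
            )
            .authenticationProvider(authProvider)
            .addFilter(new JwtAuthenticationFilter(authManager))
            .addFilter(new JwtAuthorizationFilter(authManager, isProduction));

        return http.build();
    }
}
```

`requestMatchers("/error").permitAll()` is the path-based alternative the answer hints at; it also opens `/error` to a direct, un-forwarded client request, which `dispatcherTypeMatchers` does not. What an anonymous caller can learn from `/error` is governed by `server.error.include-message`, `server.error.include-stacktrace` and `server.error.include-binding-errors`, all of which Spring Boot defaults to `never`; keep them there. Separately, the question's `POST /actuator/**` permitAll deserves a second look: it admits unauthenticated POSTs to every actuator endpoint exposed over the web, including state-changing ones such as `loggers` or `shutdown` if they are enabled.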
