2014-09-02 130 views
5

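I created a Spring Security configuration class for Spring Boot. My login page has resource css, js and ico files. The resources are denied for security reasons and every request is redirected to the login page. Why does EnableWebMVCSecurity not add the classpath resource locations? After changing the code as in the second snippet, I see the classpath resource locations added. I don't understand what I am missing for the resources in the first code snippet.

Security configuration with Spring Boot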


import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
/*
 * Enable Spring Security’s web security support and provide the Spring MVC integration
 * It also extends WebSecurityConfigurerAdapter and overrides a couple of its methods to set some specifics of the web security configuration.
 */
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * The configure(HttpSecurity) method defines which URL paths should be
     * secured and which should not.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated();

        // There is a custom "/login" page specified by loginPage(), and everyone
        // is allowed to view it.
        http
            .formLogin()
                .loginPage("/login.html")
                .permitAll()
                .and()
            .logout()
                .permitAll().logoutSuccessUrl("/login.html");
    }

    @Configuration
    protected static class AuthenticationConfiguration extends
            GlobalAuthenticationConfigurerAdapter {
        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            // As for the configure(AuthenticationManagerBuilder) method, it sets up
            // an in-memory user store with a single user. That user is given a
            // username of "user", a password of "password", and a role of "USER".
            auth
                .inMemoryAuthentication()
                .withUser("[email protected]").password("password").roles("USER");
        }
    }
}

I got this working by changing the code to:


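import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
/*
 * Enable Spring Security’s web security support and provide the Spring MVC integration
 * It also extends WebSecurityConfigurerAdapter and overrides a couple of its methods to set some specifics of the web security configuration.
 */
public class WebSecurityConfig {

    @Bean
    public ApplicationSecurity applicationSecurity() {
        return new ApplicationSecurity();
    }

    @Bean
    public AuthenticationSecurity authenticationSecurity() {
        return new AuthenticationSecurity();
    }

    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated();
            http
                .formLogin()
                    .loginPage("/login.html")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll().logoutSuccessUrl("/login.html");
        }
    }

    @Order(Ordered.HIGHEST_PRECEDENCE + 10)
    protected static class AuthenticationSecurity extends
            GlobalAuthenticationConfigurerAdapter {
        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .inMemoryAuthentication()
                .withUser("[email protected]").password("password").roles("USER");
        }
    }
}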

After changing the code I noticed that the ignore paths are added to the filter, and I see the following in the logs:

 
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain  : Creating filter chain: Ant [pattern='/css/**'], [] 
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain  : Creating filter chain: Ant [pattern='/js/**'], [] 
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain  : Creating filter chain: Ant [pattern='/images/**'], [] 
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain  : Creating filter chain: Ant [pattern='/**/favicon.ico'], [] 
[ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain  : Creating filter chain: [email protected]1, [org.springframework.secu[email protected]4e3e0069, org.spring[email protected]3d2dd0cf, [email protected]b02, [email protected], org.[email protected]267237ef, org.springframework.s[email protected]129495ef, org.springframework.[email protected]7db0a467, org.springfram[email protected]764d1dbd, org.sp[email protected]25a5268d, org.springframework.[email protected]15c01d0c, org.springfram[email protected]37818a3b, o[email protected]3fe57e49, org[email protected]4278af59, org.springfr[email protected]424bef91] 

Answers

6

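Per the docs, you have disabled the Spring Boot auto-configuration in the first example by using @EnableWebSecurity, so you would have to explicitly ignore all the static resources manually. In the second example you simply provide a WebSecurityConfigurer, which is additive on top of the default auto-configuration.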

+0

Thanks for the pointer to the docs. I used 'EnableWebMVCSecurity', which is different from EnableWebSecurity. – randominstanceOfLivingThing 2014-09-03 19:15:56

+0

It's the same (in the sense that it's a superset) - one is annotated with the other. – 2014-09-03 20:51:49

+0

@DaveSyer, can you take a look at my question? https://stackoverflow.com/questions/46065063/spring-boot-basic-authentication – 2017-09-06 02:48:18
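What explicitly ignoring the static resources looks like once the auto-configuration is switched off, as the answer above describes. This is an added example, not code from the question or the answers: the class name is hypothetical, the patterns are copied from the log lines in the question, and it assumes the login page's files are served under those paths with the Spring Security API of that era (WebSecurityConfigurerAdapter).

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

// Added example; ExplicitStaticResourceSecurityConfig is a hypothetical name.
@Configuration
@EnableWebMvcSecurity // per the answer, this turns off Boot's default web security setup
public class ExplicitStaticResourceSecurityConfig extends WebSecurityConfigurerAdapter {

    // Same patterns that appear as "Creating filter chain: Ant [pattern=...], []"
    // in the question's log output (assumed to match where the files are served).
    private static final String[] STATIC_RESOURCES = {
        "/css/**", "/js/**", "/images/**", "/**/favicon.ico"
    };

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Ignored patterns get a filter chain with no filters at all, so these
        // responses carry no security headers and see no authentication context.
        // Keep the list limited to files that are meant to be public.
        web.ignoring().antMatchers(STATIC_RESOURCES);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Alternative to ignoring(): add
                //   .antMatchers(STATIC_RESOURCES).permitAll()
                // here instead, which keeps the security filters on those paths.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login.html")
                .permitAll()
                .and()
            .logout()
                .logoutSuccessUrl("/login.html")
                .permitAll();
    }
}
```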

0

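Create a configuration class that extends WebSecurityConfigurerAdapter and annotate the class with @EnableWebSecurity

You can override methods like configure(HttpSecurity http) to add basic security, as below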

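import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class AppWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Disables CSRF protection and permits every request without authentication.
        http
            .csrf().disable()
            .authorizeRequests()
                .anyRequest().permitAll();
    }
}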