Spring Security 6: проблема с доступом к общедоступным URL-адресам
Я использую Spring версии 3.0.5 и Spring Security версии 6.0.2 и столкнулся с проблемой доступа к общедоступным URL-адресам, которые я настроил через SecurityFilterChain. Приложение построено на Spring MVC. Класс AppConfig приведён ниже:
package com.test.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
/**
 * Web security configuration: registers the single {@link SecurityFilterChain} of the application.
 *
 * <p>Only {@code /home} is open to anonymous callers; every other request must be authenticated.
 */
@Configuration
@EnableWebSecurity
public class AppConfig {

    /**
     * Builds the security filter chain.
     *
     * @param http the builder supplied by Spring Security
     * @return the configured filter chain
     * @throws Exception if the chain cannot be built
     */
    @Bean
    protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // CSRF protection is switched off for the whole chain.
        // NOTE(review): in a browser-facing application that keeps state in the HTTP session this
        // leaves state-changing requests without CSRF defence; confirm that this is intended.
        http.csrf(csrfConfigurer -> csrfConfigurer.disable());

        // Rules are evaluated in declaration order; the first matching rule decides.
        // NOTE(review): in Spring Security 6 these rules are applied to every dispatcher type, so
        // an internal forward to a view path or to /error is matched by anyRequest() as well.
        // NOTE(review): no formLogin()/httpBasic() is configured in this chain, so there is no
        // login flow for the paths that require authentication; confirm that this is intended.
        http.authorizeHttpRequests(registry -> {
            registry.requestMatchers("/home").permitAll();
            registry.anyRequest().authenticated();
        });

        return http.build();
    }
}
Базовый контроллер выглядит следующим образом
package com.test.controller;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
/**
 * MVC controller that maps three GET endpoints to view names and sets the page title for each.
 */
@Controller
public class BasicController {

    /** Model attribute under which every handler publishes the page title. */
    private static final String TITLE_ATTRIBUTE = "title";

    /**
     * Handles {@code GET /home}.
     *
     * @param model the model handed to the view
     * @return the view name {@code guest/home}
     */
    @GetMapping("/home")
    public String showHome(Model model) {
        return render(model, "Home Page", "guest/home");
    }

    /**
     * Handles {@code GET /login}.
     *
     * @param model the model handed to the view
     * @return the view name {@code guest/loginPage}
     */
    @GetMapping("/login")
    public String showLogin(Model model) {
        return render(model, "Login Page", "guest/loginPage");
    }

    /**
     * Handles {@code GET /user/index}.
     *
     * @param model the model handed to the view
     * @return the view name {@code user/home}
     */
    @GetMapping("/user/index")
    public String getUserHome(Model model) {
        return render(model, "User Home", "user/home");
    }

    /** Stores the page title in the model and hands back the view name unchanged. */
    private static String render(Model model, String pageTitle, String viewName) {
        model.addAttribute(TITLE_ATTRIBUTE, pageTitle);
        return viewName;
    }
}
Файл application.properties
# Port the embedded server listens on.
server.port=8100
# NOTE(review): a single default user with a plaintext password stored in the configuration file.
# Suitable for local experiments only; keep real credentials out of files under version control.
spring.security.user.name=abcd
spring.security.user.password=xyz
# DEBUG output of Spring Security records request paths and access decisions.
# NOTE(review): helpful while diagnosing, should be lowered outside development.
logging.level.org.springframework.security=DEBUG
Ниже приведена моя HTML-страница, которая находится в каталоге templates -> guest -> home. У меня также есть базовый класс, о котором я не упоминаю.
<!doctype html>
<html lang="en" xmlns:th="http://www.thymeleaf.org"
th:replace="guest/base::layout(~{::section})">
<!-- th:replace swaps this whole <html> element for the "layout" fragment of guest/base and passes the <section> below to it as the fragment argument. -->
<head>
<meta charset="UTF-8" />
<title>Home Page</title>
</head>
<body>
<section>
<span>I am in home page.</span>
</section>
</body>
</html>
Наконец, при открытии localhost:8100/home я получаю следующую ошибку:
2023-04-01T06:18:27.012+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.security.web.FilterChainProxy : Securing GET /home
2023-04-01T06:18:27.013+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.security.web.FilterChainProxy : Secured GET /home
2023-04-01T06:18:27.015+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.security.web.FilterChainProxy : Securing GET /guest/home
2023-04-01T06:18:27.015+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2023-04-01T06:18:27.016+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.s.w.s.HttpSessionRequestCache : Saved request http://localhost:8100/guest/home?continue to session
2023-04-01T06:18:27.016+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.s.w.a.Http403ForbiddenEntryPoint : Pre-authenticated entry point called. Rejecting access
2023-04-01T06:18:27.016+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.security.web.FilterChainProxy : Securing GET /error
2023-04-01T06:18:27.017+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2023-04-01T06:18:27.017+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.s.w.s.HttpSessionRequestCache : Saved request http://localhost:8100/error?continue to session
2023-04-01T06:18:27.017+05:30 DEBUG 16852 --- [nio-8100-exec-1] o.s.s.w.a.Http403ForbiddenEntryPoint : Pre-authenticated entry point called. Rejecting access
2023-04-01T06:18:27.255+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.security.web.FilterChainProxy : Securing GET /home
2023-04-01T06:18:27.256+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.security.web.FilterChainProxy : Secured GET /home
2023-04-01T06:18:27.257+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.security.web.FilterChainProxy : Securing GET /guest/home
2023-04-01T06:18:27.257+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2023-04-01T06:18:27.258+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.s.w.s.HttpSessionRequestCache : Saved request http://localhost:8100/guest/home?continue to session
2023-04-01T06:18:27.258+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.s.w.a.Http403ForbiddenEntryPoint : Pre-authenticated entry point called. Rejecting access
2023-04-01T06:18:27.258+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.security.web.FilterChainProxy : Securing GET /error
2023-04-01T06:18:27.259+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2023-04-01T06:18:27.259+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.s.w.s.HttpSessionRequestCache : Saved request http://localhost:8100/error?continue to session
2023-04-01T06:18:27.259+05:30 DEBUG 16852 --- [nio-8100-exec-2] o.s.s.w.a.Http403ForbiddenEntryPoint : Pre-authenticated entry point called. Rejecting access
Я ожидаю, что общедоступные URL-адреса, для которых в цепочке фильтров безопасности задано permitAll, будут доступны при обращении к ним.
1 ответ
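В Spring Security 6 фильтр авторизации применяется к запросам любого типа диспетчеризации (dispatcher type), в том числе DispatcherType.ERROR и DispatcherType.ASYNC. Судя по логу выше, запрос GET /home проходит проверку, а отклоняется последующий внутренний запрос на /guest/home (отрисовка представления), после чего так же отклоняется переход на /error. Чтобы отключить проверку авторизации для указанных выше типов диспетчеризации,
измените конфигурацию так: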
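// Spring Security 6 applies the authorization rules to every dispatcher type, so the internal
// dispatch that renders a view and the error dispatch to /error are checked as well.
// Permitting only ERROR leaves the internal dispatch to the view path under
// anyRequest().authenticated(), so FORWARD is permitted here too.
http.csrf(csrf -> csrf
                .disable())
        .authorizeHttpRequests(auth -> auth
                .requestMatchers("/home")
                .permitAll()
                // NOTE(review): a FORWARD is issued by the server after the original request has
                // already passed its own rule. Permitting it means a handler that forwards to a
                // protected path is not re-checked, so keep forwards away from protected endpoints.
                .dispatcherTypeMatchers(DispatcherType.FORWARD, DispatcherType.ERROR)
                .permitAll()
                .anyRequest()
                .authenticated());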