我正在使用 Spring Security 6 和 Java 17 开发 Spring Boot 应用程序。我的静态资源（CSS、JS、图像）没有在登录页面上加载。这些资源位于我的应用程序的 `resources` 文件夹内的 `webapp` 目录下。我也在使用 PrimeFaces 14。
这是我的 `SecurityConfig.java`：
package com.leo.service-ui.configs.security;
import java.util.Collections;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.FileSystemResource;
import org.springframework.core.io.Resource;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
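@EnableWebSecurity
@Configuration
public class SecurityConfig {

    private static final Logger LOG = LogManager.getLogger(SecurityConfig.class);

    /**
     * Ant-style patterns for the static and JSF resources that must be reachable
     * before a user is logged in. Kept in one place so the filter chain and the
     * {@link WebSecurityCustomizer} cannot drift apart.
     *
     * <p>{@code /jakarta.faces.resource/**} already covers
     * {@code /jakarta.faces.resource/images/**}, so the narrower pattern is not
     * repeated.
     */
    private static final String[] STATIC_RESOURCE_PATTERNS = {
        "/images/**",
        "/js/**",
        "/css/**",
        "/webjars/**",
        "/resources/**",
        "/jakarta.faces.resource/**"
    };

    /**
     * Exposes the SPNEGO entry point as a bean.
     *
     * <p>NOTE(review): nothing in this class wires the entry point into the filter
     * chain (no {@code exceptionHandling(...)} / {@code authenticationEntryPoint}
     * call), so it is currently unused here — confirm whether that is intended.
     *
     * @return a new {@code CustomSpnegoEntryPoint}
     */
    @Bean
    public CustomSpnegoEntryPoint customSpnegoEntryPoint() {
        return new CustomSpnegoEntryPoint();
    }

    /**
     * Builds the single {@link SecurityFilterChain} of the application.
     *
     * <p>Static resources are permitted explicitly inside the chain (GET only).
     * Unlike {@code web.ignoring()}, a {@code permitAll()} rule keeps those
     * responses inside the security filters (response headers, logging), which is
     * the approach Spring Security 6 recommends over ignoring paths altogether.
     *
     * <p>NOTE(review): CSRF protection is disabled and {@code anyRequest()} is
     * {@code permitAll()}, so every URL — including the login page and whatever
     * {@code loginBean.login} posts to — is reachable without authentication, and
     * the {@code /login} and static-resource rules are redundant while that
     * terminal rule stays. Left unchanged because no authentication mechanism is
     * configured in this class (the log line mentions LDAP, but no provider is
     * registered here); tightening it needs that mechanism in place.
     *
     * @param http the builder supplied by Spring Security
     * @return the built filter chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        LOG.info("SSO is disabled. Continuing using LDAP Authentication.");
        http.csrf(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests(authz -> authz
                .requestMatchers(HttpMethod.GET, STATIC_RESOURCE_PATTERNS).permitAll()
                .requestMatchers("/login").permitAll()
                // Terminal rule: see the NOTE(review) above before changing it.
                .anyRequest().permitAll());
        return http.build();
    }

    /**
     * Removes the static-resource paths from the security filter chain entirely.
     *
     * <p>Requests matching {@link #STATIC_RESOURCE_PATTERNS} bypass every filter,
     * including the rules declared in {@link #filterChain(HttpSecurity)}. Spring
     * Security 6 logs a warning for {@code ignoring()} and recommends the
     * in-chain {@code permitAll()} instead; the chain above already contains
     * that rule, so this bean can be removed without losing access to the
     * resources.
     *
     * @return the customizer applied to {@link WebSecurity}
     */
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return web -> web.ignoring().requestMatchers(STATIC_RESOURCE_PATTERNS);
    }
}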
这是我的 `login.xhtml`：
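<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:f="http://xmlns.jcp.org/jsf/core"
      xmlns:h="http://xmlns.jcp.org/jsf/html"
      xmlns:p="http://primefaces.org/ui">
<h:head>
    <title>LEO TEST UI</title>
    <!-- h:outputStylesheet / h:outputScript / h:graphicImage resolve through the JSF
         resource handler (/jakarta.faces.resource/...), not through /css or /js directly;
         that path is what the security configuration has to leave reachable before login. -->
    <h:outputStylesheet name="css/style.css"/>
    <!-- NOTE(review): jQuery 1.6.4 is a very old release; PrimeFaces 14 ships its own
         jQuery, so confirm this second copy is still required and current. -->
    <h:outputScript name="js/jquery-1.6.4.min.js"/>
    <script type="text/javascript">
        // Release the global "$" so the copy loaded above does not clash with the
        // jQuery bundled by PrimeFaces.
        jQuery.noConflict()
    </script>
    <script type="text/javascript">
        // Client-side redirect to the login page when this template is served under a
        // different file name. The context path "/service-ui" is hard-coded here;
        // #{request.contextPath} would follow the actual deployment instead.
        var url = window.location.pathname;
        var filename = url.substring(url.lastIndexOf('/') + 1);
        if (filename.indexOf("login.xhtml") == -1) {
            window.location = "/service-ui/login.xhtml"
        }
        // Intentionally empty hook for page-specific initialisation.
        jQuery(document).ready(function() {
        });
    </script>
</h:head>
<!-- NOTE(review): plain <body> — PrimeFaces components that target the body for their
     resources need <h:body>; confirm nothing on this page relies on that. -->
<body>
<div class="container" style="width: 480px; position:absolute; top:50%;left:50%;margin-left:-240px; margin-top:-190px;">
    <div id="header">
        <h:graphicImage name="images/leo-logo.jpg"/>
        <div id="title">
            LEO Markets<br/>
            <b>SERVICE UI</b>
            <span><h:outputText value="#{homepageBean.environment}"/></span>
        </div>
        <div class="clear"></div>
    </div>
    <h:form id="form">
        <h:messages id="resultMsg" errorClass="error-message" infoClass="info-message"/>
        <div class="input-row">
            <div class="required">*</div>
            <h:outputLabel id="usernameLabel" for="username" value="Username:"/>
            <h:inputText id="username" styleClass="text" maxlength="255" value="#{loginBean.username}">
            </h:inputText>
            <p:message for="username"/>
        </div>
        <div class="input-row">
            <div class="required">*</div>
            <h:outputLabel id="passwordLabel" for="password" value="Password: "/>
            <h:inputSecret id="password" styleClass="text" maxlength="50" value="#{loginBean.password}">
            </h:inputSecret>
            <p:message for="password"/>
        </div>
        <div class="input-row">
            <div class="required">*</div>
            <h:outputLabel id="domainLabel" for="domain" value="Domain: "/>
            <h:selectOneMenu styleClass="text" id="domain" value="#{loginBean.domain}">
                <f:selectItems value="#{userManagementBean.domainList}"/>
            </h:selectOneMenu>
        </div>
        <div class="clear"></div>
        <div style="margin-left: 160px; font-size: 11px; line-height: 22px; margin-bottom: 10px;">
            Use your Windows username/password to login.<br/>
            If you have not been explicitly granted access, you can still login but with restricted access.
        </div>
        <!-- The JSF renderer only emits its documented attributes; "class" is not one of them
             and was silently dropped, so the CSS class is passed via styleClass instead. -->
        <h:commandButton id="loginBtn" value="Login" styleClass="submit-button" action="#{loginBean.login}"/>
    </h:form>
    <br/>
    <br/>
</div>
</body>
</html>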
我尝试添加 `WebSecurityCustomizer` 来允许访问这些资源，但似乎不起作用。我遗漏了什么？
附加信息:
任何帮助将不胜感激!
您是否尝试过链接匹配器并指定 `HttpMethod` 来缩小匹配器的范围，如下所示：
/**
 * Proposed filter chain: the static-resource rule is narrowed to GET and declared
 * inside the chain, so {@code web.ignoring()} is no longer needed for those paths.
 *
 * <p>Both rule groups are appended to the same request-matcher registry, so one
 * {@code authorizeHttpRequests(...)} call with the rules in the same order is
 * equivalent to the two chained calls and easier to read.
 *
 * <p>NOTE(review): there is no terminal {@code anyRequest()} rule. In Spring
 * Security 6 a request that matches no rule is denied, and only {@code /login} is
 * permitted here — {@code /login.xhtml}, the page name used elsewhere on this
 * page, may therefore be blocked unless a view mapping covers it; confirm the
 * intended terminal rule (for example {@code anyRequest().authenticated()}).
 *
 * @param http the builder supplied by Spring Security
 * @return the built filter chain
 * @throws Exception propagated from {@link HttpSecurity#build()}
 */
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    LOG.info("SSO is disabled. Continuing using LDAP Authentication.");
    http.csrf(AbstractHttpConfigurer::disable)
        .authorizeHttpRequests(registry -> registry
            .requestMatchers("/login").permitAll()
            // GET-only: static assets are never legitimately posted to.
            .requestMatchers(HttpMethod.GET,
                "/images/**",
                "/js/**",
                "/css/**",
                "/webjars/**",
                "/resources/**",
                "/jakarta.faces.resource/**",
                "/jakarta.faces.resource/images/**")
            .permitAll());
    return http.build();
}
并删除 `anyRequest().permitAll()` 以及 `WebSecurityCustomizer` bean 的定义？