我搭建了一个 Spring MVC 项目并添加了 Spring Security,我希望任何人无需登录即可查看主页。
这是我的安全配置:
package uz.smartup.academy.bloggingplatform.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.security.provisioning.UserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import javax.sql.DataSource;
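/**
 * Spring Security configuration: password hashing, JDBC-backed user lookup,
 * and the HTTP authorization rules for the application.
 */
@Configuration
public class SecurityConfiguration {

    /**
     * Supplies the encoder used to hash and verify user passwords.
     *
     * @return a BCrypt-based {@link PasswordEncoder} with the library defaults
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Builds a JDBC user store that reads accounts and roles with custom queries.
     *
     * <p>Both queries bind the username through a {@code ?} placeholder, so the
     * login name is never concatenated into the SQL text.
     *
     * @param dataSource connection source for the user and role tables
     * @return the configured {@link UserDetailsManager}
     */
    @Bean
    public UserDetailsManager userDetailsManager(DataSource dataSource) {
        JdbcUserDetailsManager detailsManager = new JdbcUserDetailsManager(dataSource);
        // NOTE(review): "user" is a reserved word in some databases; quote the
        // identifier if the target database rejects this query.
        detailsManager.setUsersByUsernameQuery(
                "SELECT username, password, enabled FROM user WHERE username = ?");
        // NOTE(review): hasRole("ADMIN") below checks for the authority
        // "ROLE_ADMIN", so the role column presumably stores prefixed values.
        // Confirm against the data.
        detailsManager.setAuthoritiesByUsernameQuery(
                "SELECT username, role FROM role WHERE username = ?");
        return detailsManager;
    }

    /**
     * Defines which requests are public, which need a login, and which need
     * the ADMIN role, and wires up form login, logout and HTTP Basic.
     *
     * @param http the builder supplied by Spring Security
     * @return the assembled filter chain
     * @throws Exception if the chain cannot be built
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(
                        authManager -> authManager
                                // The admin area is restricted for every HTTP method and every
                                // nesting depth. A GET-only, single-level rule would leave
                                // POST/PUT/DELETE and deeper paths to the weaker
                                // "any authenticated user" fallback below.
                                .requestMatchers("/admin", "/admin/**").hasRole("ADMIN")
                                .requestMatchers(HttpMethod.GET, "/", "/posts/*", "/profile/*", "/categories/*").permitAll()
                                // NOTE(review): anonymous POST to /profile/* is allowed. Confirm
                                // the handler does its own ownership/authentication check.
                                .requestMatchers(HttpMethod.POST, "/profile/*").permitAll()
                                .requestMatchers(HttpMethod.GET, "/css/**", "/js/**", "/photos/**").permitAll()
                                // NOTE(review): "/error" and "/favicon.ico" match no permitAll rule,
                                // so anonymous requests for them land here and are sent to the
                                // login page. This is presumably relevant when a public page fails
                                // to render. Confirm with the request line that FilterChainProxy logs.
                                .anyRequest().authenticated())
                .formLogin(
                        form -> form.loginPage("/login")
                                .loginProcessingUrl("/authenticate")
                                .defaultSuccessUrl("/", true)
                                .permitAll()
                )
                .logout(logout ->
                        logout.logoutUrl("/logout")
                                .logoutSuccessUrl("/")
                                .permitAll()
                );

        // NOTE(review): CSRF protection is switched off although authentication is
        // cookie/session based (form login) and state-changing POSTs are accepted.
        // Re-enable it unless every such endpoint is protected another way. It is
        // left unchanged here because enabling it requires the forms to submit
        // the CSRF token and logout to be sent as a POST.
        http.csrf(AbstractHttpConfigurer::disable);

        // Enables HTTP Basic as an additional authentication mechanism. This does
        // not decide which requests need authentication; that comes only from
        // the authorizeHttpRequests rules above. Basic credentials travel with
        // every request, so serve the application over TLS if this stays on.
        http.httpBasic(Customizer.withDefaults());
        return http.build();
    }
}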
我清除了浏览器缓存,并尝试向 requestMatchers 添加空模式,但项目仍然重定向到登录页面,并且控制台输出以下内容:
2024-07-06T23:19:21.944+05:00 DEBUG 4448 --- [bloggingplatform] [nio-8080-exec-2] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@75a4ae9e, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]
2024-07-06T23:19:21.948+05:00 DEBUG 4448 --- [bloggingplatform] [nio-8080-exec-2] s.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@76192bf1
2024-07-06T23:19:21.949+05:00 DEBUG 4448 --- [bloggingplatform] [nio-8080-exec-2] o.s.s.web.DefaultRedirectStrategy : Redirecting to http://localhost:8080/login
2024-07-06T23:19:21.960+05:00 DEBUG 4448 --- [bloggingplatform] [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Securing GET /login
2024-07-06T23:19:21.960+05:00 DEBUG 4448 --- [bloggingplatform] [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Secured GET /login
2024-07-06T23:19:21.977+05:00 DEBUG 4448 --- [bloggingplatform] [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
这是因为
http.httpBasic(Customizer.withDefaults());
尝试删除这一行,或者通过 Customizer 对其进行自定义配置。默认配置会确保所有端点都需要身份验证。