Spring Security auth server PermitAll not working as expected (closed)

Question

I am using Spring Authorization Server here. I have two controllers, one under /user/** and the other under /client/**. What I want is for /user/** to be publicly accessible and /client/** to be accessible only by authenticated users. I used two filter chains: one for the authorization server, which redirects all requests starting with /client/** to /login, and another one that handles the redirect to the /login page. This is my configuration:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.cors.CorsConfigurationSource;

@Configuration
public class WebSecurityConfig {

    // Chain 1: the authorization server endpoints (applyDefaultSecurity installs its own request matcher)
    @Order(1)
    @Bean
    SecurityFilterChain authServerFilterChain(HttpSecurity http,
                                              JwtAuthenticationConverter jwtAuthenticationConverter) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);

        http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
                .oidc(Customizer.withDefaults());

        http.exceptionHandling(ex -> ex.defaultAuthenticationEntryPointFor(
                        new LoginUrlAuthenticationEntryPoint("/login"),
                        // redirect all unauthenticated /client/** to login
                        new AntPathRequestMatcher("/client/**")))
                .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter)));

        return http.build();
    }

    // Chain 2: everything else; /user/** is public, anything else needs an authenticated user
    @Order(2)
    @Bean
    SecurityFilterChain defaultFilterChain(HttpSecurity http,
                                           CorsConfigurationSource corsConfigurationSource) throws Exception {
        http
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .csrf(csrf -> csrf.disable())
                .cors(cors -> cors.configurationSource(corsConfigurationSource))
                .authorizeHttpRequests(
                        req -> req.requestMatchers("/user/**").permitAll()
                                .anyRequest().authenticated())
                .formLogin(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    AuthorizationServerSettings authorizationServerSettings() {
        return AuthorizationServerSettings.builder()
                .build();
    }

}
```

This is the user endpoint I am trying to access:

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@ResponseBody
@RequestMapping("/user/")
public class UserController {

    private final UserService userService;

    public UserController(UserService userService) {
        this.userService = userService;
    }

    @GetMapping()
    public String hello() {
        return "Hello from User Controller";
    }
}
```

I expected to get the output, but instead I was redirected to the /login page.

I tried setting `logging.level.org.springframework.security=debug`, which gives:

```text
2024-09-22T14:23:35.456+05:30  INFO 131685 --- [spring-oauth2-auth-server] [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring DispatcherServlet 'dispatcherServlet'
2024-09-22T14:23:35.457+05:30  INFO 131685 --- [spring-oauth2-auth-server] [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'
2024-09-22T14:23:35.459+05:30  INFO 131685 --- [spring-oauth2-auth-server] [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 2 ms
2024-09-22T14:23:35.492+05:30 DEBUG 131685 --- [spring-oauth2-auth-server] [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /user
2024-09-22T14:23:35.508+05:30 DEBUG 131685 --- [spring-oauth2-auth-server] [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-09-22T14:23:35.512+05:30 DEBUG 131685 --- [spring-oauth2-auth-server] [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Secured GET /user
2024-09-22T14:23:35.548+05:30 DEBUG 131685 --- [spring-oauth2-auth-server] [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /error
2024-09-22T14:23:35.549+05:30 DEBUG 131685 --- [spring-oauth2-auth-server] [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-09-22T14:23:35.553+05:30 DEBUG 131685 --- [spring-oauth2-auth-server] [nio-8080-exec-1] o.s.s.web.DefaultRedirectStrategy        : Redirecting to http://localhost:8080/login
2024-09-22T14:23:35.580+05:30 DEBUG 131685 --- [spring-oauth2-auth-server] [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : Securing GET /login
2024-09-22T14:23:35.810+05:30 DEBUG 131685 --- [spring-oauth2-auth-server] [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : Securing GET /favicon.ico
2024-09-22T14:23:35.811+05:30 DEBUG 131685 --- [spring-oauth2-auth-server] [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-09-22T14:23:35.812+05:30 DEBUG 131685 --- [spring-oauth2-auth-server] [nio-8080-exec-3] o.s.s.web.DefaultRedirectStrategy        : Redirecting to http://localhost:8080/login
2024-09-22T14:23:35.825+05:30 DEBUG 131685 --- [spring-oauth2-auth-server] [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : Securing GET /login
```

Tags: spring-security, spring-authorization-server, spring-resource-server
1 answer

Okay, I have found the solution. It happened because of the trailing slash after user/ in

`@RequestMapping("/user/")`

so I updated it to

`@RequestMapping("/user")`

and it works fine.
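The debug log above already tells the story once the two matchers are compared: `/user/**` in the filter chain does match `GET /user` (hence "Secured GET /user"), but the controller mapping `/user/` does not, so no handler is found, the request is dispatched to `/error`, and that dispatch falls under `anyRequest().authenticated()`, which is what triggers the redirect to `/login`. The following stand-alone class is an added illustration, not code from the question or from Spring; it only assumes `spring-web` (Spring Framework 6) on the classpath and uses its `PathPatternParser`, the matcher Spring MVC and `requestMatchers(...)` use by default in Spring Boot 3.

```java
import org.springframework.http.server.PathContainer;
import org.springframework.web.util.pattern.PathPattern;
import org.springframework.web.util.pattern.PathPatternParser;

/** Compares the security rule and the handler mapping from the question against the logged request paths. */
public class TrailingSlashCheck {

    private static final PathPatternParser PARSER = new PathPatternParser();

    /** True when a Spring MVC / Spring Security path pattern matches the given request path. */
    static boolean matches(String pattern, String requestPath) {
        PathPattern compiled = PARSER.parse(pattern);
        return compiled.matches(PathContainer.parsePath(requestPath));
    }

    public static void main(String[] args) {
        String request = "/user"; // the request the log shows as "Securing GET /user"

        // The permitAll rule from defaultFilterChain: /user/** covers /user itself,
        // so the anonymous request clears the filter chain ("Secured GET /user").
        System.out.println("security /user/** vs /user  -> " + matches("/user/**", request)); // true

        // The controller mapping as originally posted: the trailing slash makes it a
        // different path, so no handler matches and MVC forwards the request to /error.
        System.out.println("handler  /user/   vs /user  -> " + matches("/user/", request));   // false

        // The corrected mapping from the answer matches the same request.
        System.out.println("handler  /user    vs /user  -> " + matches("/user", request));    // true

        // The /error dispatch is not covered by /user/**, so anyRequest().authenticated()
        // applies to it and formLogin redirects the anonymous caller to /login.
        System.out.println("security /user/** vs /error -> " + matches("/user/**", "/error")); // false
    }
}
```

If a public endpoint is ever expected to return errors to anonymous callers, the error dispatch also needs an explicit rule (for example `dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()` or `requestMatchers("/error").permitAll()` in the same `authorizeHttpRequests` block); otherwise every 404 or 500 on a permitted path turns into a login redirect exactly as in the log.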
