通过一个应用程序提供静态文件、模板文件和 REST 端点（无论是否经过身份验证）

发布于 2025-01-10 02:23:07 字数 3960 浏览 0 评论 0原文

我正在尝试创建一个 Spring Boot 应用程序（最新版本），它可以提供以下服务：

静态 HTML、CSS、JavaScript 和图像（favicon、jpg、png 等）文件
基于 Thymeleaf 模板文件的 HTML 内容
REST 端点

以上所有内容都应该是能够提供服务：

无需身份验证（公共访问）
有身份验证（受限访问）

意味着应应用以下映射：

URL 请求	服务自（资源文件夹或控制器）	Public	Notes
/ui/media/*	../resources/web/ui/media/*	是
/ui/style/*	../resources/web/ui/style/*	是
/ui/scrippt/*	../resources/web/ui/scrippt/*	是
/ui/login	../resources/web/ui/login.html	是
/ui/forgot	../resources/web/ui/forgot.html	是
/ui/admin/*	../resources/web/ui/admin /*	No	1
/ui/user/*	../resources/web/ui/user/* 和 UiUserController 使用 Thymeleaf 模板文件	No	1, 2
/api/auth/login	AuthenticationController::login()	是
/api/auth/forgot	AuthenticationController::login()	是
/api/ping	ApiPingPongController::ping()	是
/api/pong	ApiPingPongController::pong()	否	1
/api/v1/*	WildcardController::handle()	是	3

注意：

需要用户进行身份验证
UiUserController 类处理端点并使用资源文件夹中的 Thymeleaf 模板文件
这个方法应该是能够处理以 /api/v1/** 开头并基于硬编码值列表的任何请求（GET/POST/...），可以用于公共访问或检查是否JWT 令牌存在且有效（意味着验证应该内部此方法。我可以在此处验证 JWT，所以我不需要解决方案。只是想添加所以你知道这个端点与

我列出的许多端点相比是特殊的，但这只是因为我无法将所有这些端点和安全公共/非公共结合起来，并且找不到任何示例。在互联网上结合了所有这些

。 far：

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .cors().and()
                .csrf().disable()
                .authorizeRequests()
                
                // Public static files
                .antMatchers(HttpMethod.GET, "/ui/login", "/ui/forgot", "/ui/media/**", "/ui/style/**", "/ui/script/**").permitAll()
                
                // User static files based on Thymeleaf
                .antMatchers(HttpMethod.GET,"/ui/user/**").hasRole("USER")
                
                // Administration static file
                .antMatchers(HttpMethod.GET,"/ui/admin/**").hasRole("ADMIN")
                
                // Authentication REST endpoints
                .antMatchers(HttpMethod.POST, "/api/auth/login").permitAll()
                .antMatchers(HttpMethod.POST, "/api/auth/forgot").permitAll()
                
                // /api/ping, /api/pong endpoints
                .antMatchers("/api/ping").permitAll()
                .antMatchers("/api/pong").hasAnyRole("USER", "ADMIN")
                
                // /api/v1/** endpoint
                .antMatchers("/api/v1/**").permitAll()
                
                .anyRequest().authenticated().and()
                
                // JWT filter
                .addFilterAfter(new JWTAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class)
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
    
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring()
                .antMatchers("/resources/**");
    }

}

身份验证过程和 REST 端点有效，但 Thymeleaf 端点找不到资源文件，并且根本无法访问静态文件（即使是公共文件或经过身份验证的文件）。

在过去的三周里，我尝试了很多组合，以至于我真的快要放弃了。

有人能指出我正确的方向吗？

原文

I am trying to create a single Spring Boot application (latest version) that can serve:

static HTML, CSS, JavaScript and image (favicon, jpg, png etc) files
HTML content based on Thymeleaf template files
REST endpoints

All of the above should be able to serve:

without authentication (public access)
with authentication (restricted access)

Meaning that the following mappings should apply:

URL request	Served from (resource folder or a controller)	Public	Notes
/ui/media/*	../resources/web/ui/media/*	Yes
/ui/style/*	../resources/web/ui/style/*	Yes
/ui/scrippt/*	../resources/web/ui/scrippt/*	Yes
/ui/login	../resources/web/ui/login.html	Yes
/ui/forgot	../resources/web/ui/forgot.html	Yes
/ui/admin/*	../resources/web/ui/admin/*	No	1
/ui/user/*	../resources/web/ui/user/* and UiUserController using Thymeleaf template files	No	1, 2
/api/auth/login	AuthenticationController::login()	Yes
/api/auth/forgot	AuthenticationController::login()	Yes
/api/ping	ApiPingPongController::ping()	Yes
/api/pong	ApiPingPongController::pong()	No	1
/api/v1/*	WildcardController::handle()	Yes	3

Notes:

Requires user to be authenticated
UiUserController class handles endpoints and uses Thymeleaf template files from resource folder
This single method should be able to handle any request (GET/POST/...) starting with /api/v1/** and based on a hardcoded list of values either can serve for public access or check if JWT token is present and valid (meaning validation should be inside this method. I can validate JWT inhere, so I don't need a solution for that. Just wanted to add it so you know this endpoint is special compared to most examples around.

I've listed lots of endpoints, but only because I haven't been able to combine all of these and security public/non-public and can't find any examples on the Internet that combines all of these.

What I have so far:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .cors().and()
                .csrf().disable()
                .authorizeRequests()
                
                // Public static files
                .antMatchers(HttpMethod.GET, "/ui/login", "/ui/forgot", "/ui/media/**", "/ui/style/**", "/ui/script/**").permitAll()
                
                // User static files based on Thymeleaf
                .antMatchers(HttpMethod.GET,"/ui/user/**").hasRole("USER")
                
                // Administration static file
                .antMatchers(HttpMethod.GET,"/ui/admin/**").hasRole("ADMIN")
                
                // Authentication REST endpoints
                .antMatchers(HttpMethod.POST, "/api/auth/login").permitAll()
                .antMatchers(HttpMethod.POST, "/api/auth/forgot").permitAll()
                
                // /api/ping, /api/pong endpoints
                .antMatchers("/api/ping").permitAll()
                .antMatchers("/api/pong").hasAnyRole("USER", "ADMIN")
                
                // /api/v1/** endpoint
                .antMatchers("/api/v1/**").permitAll()
                
                .anyRequest().authenticated().and()
                
                // JWT filter
                .addFilterAfter(new JWTAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class)
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
    
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring()
                .antMatchers("/resources/**");
    }

}

The authentication process and REST endpoints works, but the Thymeleaf endpoint can not find resource files and the static files are not accessible at all (even public or authenticated).

I've tried so many combinations for the last 3 weeks that I am really close to giving up on this.

Can someone point me in the right direction?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

柳若烟 2025-01-17 02:23:07

将其添加到您的 webSecurityConfig 类中

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring()
                .antMatchers("/resources/**", "/static/**", "/css/**");
    }

add this in your webSecurityConfig class

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring()
                .antMatchers("/resources/**", "/static/**", "/css/**");
    }

回复收藏 0 原文

~没有更多了~