Why is the endpoint not responding?
I have a Spring Security config with in-memory saved users. There are some rules for users; one of them is sa\sa. There are a couple of controllers that return an Ok message if everything is okay (the endpoint is accessible) when called with a GET request at the URLs /test and /start.
Spring Security protects only the /test endpoint.
Spring Security config:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("sa")
            .password("{noop}sa")
            .roles("USER", "USER_ROLE")
            .and()
            .withUser("na")
            .password("na")
            .roles("USER", "USER_ROLE");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/test").hasAnyRole("ROLE_USER", "USER", "USER_ROLE")
            .and()
            .csrf().disable();
    }
}
YAML config:
spring:
  datasource:
    username: user
    password: user
    driverClassName: org.h2.Driver
  security:
    basic:
      enabled: true
So, when I send a GET request with Postman to /start, it returns an OK response; if I try to call /test, there is no access.
I use Postman like this:
So, the question is, why can't I get a response from the /test endpoint (can't access this URL)?
Error logs with rejection:
2022-04-03 21:43:19.854 DEBUG 8872 --- [nio-8080-exec-2] o.s.s.w.s.HttpSessionRequestCache : Saved request http://localhost:8080/test to session
2022-04-03 21:43:19.854 DEBUG 8872 --- [nio-8080-exec-2] o.s.s.w.a.Http403ForbiddenEntryPoint : Pre-authenticated entry point called. Rejecting access
2022-04-03 21:43:19.856 DEBUG 8872 --- [nio-8080-exec-2] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2022-04-03 21:43:19.857 DEBUG 8872 --- [nio-8080-exec-2] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2022-04-03 21:43:19.857 DEBUG 8872 --- [nio-8080-exec-2] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
Comments (1)
I believe you are missing an authentication mechanism in your filter chain (e.g. http.httpBasic()). Note that the spring.security.basic.enabled property is not the correct way to enable HTTP Basic in the latest version(s) of Spring Security. Take a look at the Hello Security sample's SecurityConfiguration and the Getting Started section of the reference docs.
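
The change suggested in the answer, applied to the question's configuration, as an added example that is not code from the question or the answer. It assumes Spring Security 5.x, where WebSecurityConfigurerAdapter is still available; the package name and the `{noop}na` password are assumptions.

```java
package example; // hypothetical package name

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: the question's configuration with an authentication mechanism enabled.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // {noop} tells the default delegating encoder the password is plain text (demo only).
        // A stored password without an {id} prefix, like the question's "na", cannot be verified.
        auth.inMemoryAuthentication()
            .withUser("sa").password("{noop}sa").roles("USER", "USER_ROLE")
            .and()
            .withUser("na").password("{noop}na").roles("USER", "USER_ROLE");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // hasAnyRole() adds the ROLE_ prefix itself, so pass bare role names.
                .antMatchers("/test").hasAnyRole("USER", "USER_ROLE")
                // Explicit rule: /start and everything else stay open, as in the question.
                .anyRequest().permitAll()
            .and()
            // Without an authentication mechanism, nothing reads the Authorization header
            // and the default Http403ForbiddenEntryPoint seen in the logs rejects the request.
            .httpBasic()
            .and()
            // Kept from the question; reasonable only for non-browser clients.
            .csrf().disable();
    }
}
```

With httpBasic() enabled, an unauthenticated GET to /test is answered with 401 and a WWW-Authenticate: Basic challenge instead of 403, and a request carrying Basic credentials sa/sa is authorized.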