Весна безопасности: пропущенные муравьиные - PullRequest
Новая
       6

Весна безопасности: пропущенные муравьиные

0 голосов
/ 13 июня 2018

Когда я пытаюсь вызвать метод из моего UserController, я получаю «401 UNAUTHORIZED».Система даже не проверяет antMatchers("GET", "/users**").hasAnyRole("ROLE_USER", "ROLE_ADMIN").Что я должен изменить, чтобы разрешить этому авторизованному пользователю получать данные? 

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
@ComponentScan(basePackages = { "com.talentlab.security.auth", "com.talentlab.security.filters",
        "com.talentlab.security.handlers", "com.talentlab.security.model", "com.talentlab.security.config",
        "com.talentlab.security.endpoint", "com.talentlab.web" })
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    public static final String JWT_TOKEN_HEADER_PARAM = "Authorization";

    public static final String FORM_BASED_LOGIN_ENTRY_POINT = "/login";
    public static final String TOKEN_REFRESH_ENTRY_POINT = "/auth/token";
    public static final String TOKEN_BASED_AUTH_ENTRY_POINT = "/**";
    public static final String REGISTRATION_URL = "/registration/**";
    public static final String[] SWAGGER_URLS = new String[] { "/v2/api-docs", "/configuration/ui",
            "/swagger-resources/configuration/ui", "/swagger-resources", "/configuration/security", "/swagger-ui.html",
            "/webjars/**" };

    @Autowired
    private AuthenticationEntryPoint authenticationEntryPoint;

    @Autowired
    private AjaxLoginProcessingFilter ajaxLoginProcessingFilter;

    @Autowired
    private JwtTokenAuthenticationProcessingFilter jwtTokenAuthenticationProcessingFilter;

    @Autowired
    private CorsFilter corsFilter;
    @Autowired
    private LanguageFilter languageFilter;

    @Autowired
    private AjaxAuthenticationProvider ajaxAuthenticationProvider;
    @Autowired
    private JwtAuthenticationProvider jwtAuthenticationProvider;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    protected SkipPathRequestMatcher skipPathRequestMatcher() throws Exception {
        List<String> pathsToSkip = Arrays.asList(TOKEN_REFRESH_ENTRY_POINT, FORM_BASED_LOGIN_ENTRY_POINT,
                REGISTRATION_URL);
        return new SkipPathRequestMatcher(pathsToSkip, TOKEN_BASED_AUTH_ENTRY_POINT);
    }


    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        // auth.userDetailsService(userDetailsService);
        auth.authenticationProvider(ajaxAuthenticationProvider);
        auth.authenticationProvider(jwtAuthenticationProvider);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(SWAGGER_URLS);
    }

    @Bean(name = BeanIds.AUTHENTICATION_MANAGER)
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests()

                .antMatchers(SWAGGER_URLS).permitAll()

                .antMatchers(REGISTRATION_URL).permitAll()

                .antMatchers(FORM_BASED_LOGIN_ENTRY_POINT).permitAll()

                .antMatchers(HttpMethod.OPTIONS, "/**").anonymous()

                .antMatchers("/404").anonymous()

                .antMatchers("GET", "/users**").hasAnyRole("ROLE_USER", "ROLE_ADMIN")

                .antMatchers("/test**").hasRole("ADMIN")

                .antMatchers("/question**").hasRole("ADMIN")

                .antMatchers("/500").anonymous().anyRequest().permitAll()

                .and().csrf().disable() // We don't need CSRF for JWT based authentication
                .exceptionHandling().authenticationEntryPoint(this.authenticationEntryPoint)

                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)

                .and().authorizeRequests().antMatchers(FORM_BASED_LOGIN_ENTRY_POINT).permitAll() // Login end-point
                .antMatchers(TOKEN_REFRESH_ENTRY_POINT).permitAll() // Token refresh end-point
                .antMatchers("/console").permitAll() // H2 Console Dash-board - only for testing
                .and().authorizeRequests().antMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated() // Protected API
                                                                                                        // End-points
                .and()

                .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
                .addFilterAfter(languageFilter, CorsFilter.class)
                .addFilterBefore(ajaxLoginProcessingFilter, UsernamePasswordAuthenticationFilter.class)
                .addFilterBefore(jwtTokenAuthenticationProcessingFilter, UsernamePasswordAuthenticationFilter.class);

    }

}

ЖУРНАЛЫ: 

10:58:22.773 [http-nio-8080-exec-9] DEBUG org.springframework.orm.jpa.JpaTransactionManager - Initiating transaction commit
10:58:22.774 [http-nio-8080-exec-9] DEBUG org.springframework.orm.jpa.JpaTransactionManager - Committing JPA transaction on EntityManager [SessionImpl(PersistenceContext[entityKeys=[EntityKey[com.talentlab.db.domain.Tenant#1]],collectionKeys=[]];ActionQueue[insertions=ExecutableList{size=0} updates=ExecutableList{size=0} deletions=ExecutableList{size=0} orphanRemovals=ExecutableList{size=0} collectionCreations=ExecutableList{size=0} collectionRemovals=ExecutableList{size=0} collectionUpdates=ExecutableList{size=0} collectionQueuedOps=ExecutableList{size=0} unresolvedInsertDependencies=null])]
10:58:22.774 [http-nio-8080-exec-9] DEBUG org.springframework.orm.jpa.JpaTransactionManager - Closing JPA EntityManager [SessionImpl(PersistenceContext[entityKeys=[EntityKey[com.talentlab.db.domain.Tenant#1]],collectionKeys=[]];ActionQueue[insertions=ExecutableList{size=0} updates=ExecutableList{size=0} deletions=ExecutableList{size=0} orphanRemovals=ExecutableList{size=0} collectionCreations=ExecutableList{size=0} collectionRemovals=ExecutableList{size=0} collectionUpdates=ExecutableList{size=0} collectionQueuedOps=ExecutableList{size=0} unresolvedInsertDependencies=null])] after transaction
10:58:22.774 [http-nio-8080-exec-9] DEBUG org.springframework.orm.jpa.EntityManagerFactoryUtils - Closing JPA EntityManager
10:58:22.775 [http-nio-8080-exec-9] DEBUG org.springframework.beans.factory.support.DefaultListableBeanFactory - Returning cached instance of singleton bean 'delegatingApplicationListener'
10:58:23.170 [http-nio-8080-exec-9] DEBUG org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@6a8abebb
10:58:23.170 [http-nio-8080-exec-9] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/v2/api-docs'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/configuration/ui'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/swagger-resources/configuration/ui'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/swagger-resources'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/configuration/security'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/swagger-ui.html'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/webjars/**'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 4 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', GET]
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'OPTIONS /users/1' doesn't match 'GET /logout
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', POST]
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'OPTIONS /users/1' doesn't match 'POST /logout
10:58:23.191 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', PUT]
10:58:23.192 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'OPTIONS /users/1' doesn't match 'PUT /logout
10:58:23.192 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', DELETE]
10:58:23.192 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'OPTIONS /users/1' doesn't match 'DELETE /logout
10:58:23.192 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - No matches found
10:58:23.192 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 5 of 14 in additional filter chain; firing Filter: 'CorsFilter'
10:58:23.192 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@6a8abebb
10:58:23.192 [http-nio-8080-exec-1] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
10:58:23.197 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/v2/api-docs'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/configuration/ui'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/swagger-resources/configuration/ui'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/swagger-resources'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/configuration/security'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/swagger-ui.html'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/webjars/**'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 4 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', GET]
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/logout'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', POST]
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /users/1' doesn't match 'POST /logout
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', PUT]
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /users/1' doesn't match 'PUT /logout
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', DELETE]
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /users/1' doesn't match 'DELETE /logout
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - No matches found
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 5 of 14 in additional filter chain; firing Filter: 'CorsFilter'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 6 of 14 in additional filter chain; firing Filter: 'AjaxLoginProcessingFilter'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/login'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /users/1 at position 7 of 14 in additional filter chain; firing Filter: 'JwtTokenAuthenticationProcessingFilter'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/auth/token']
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/auth/token'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/login']
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/login'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/registration/**']
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/users/1'; against '/registration/**'
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - No matches found
10:58:23.198 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request '/users/1' matched by universal pattern '/**'
10:58:23.198 [http-nio-8080-exec-5] DEBUG com.talentlab.security.auth.jwt.JwtTokenAuthenticationProcessingFilter - Request is to process authentication
10:58:23.238 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@6a8abebb
10:58:23.238 [http-nio-8080-exec-5] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

Версия Spring: 5.0.5.RELEASE Версия безопасности Spring: 5.0.5.RELEASEЗаранее спасибо!

1 Ответ

0 голосов
/ 13 июня 2018

Поскольку у меня нет рабочего кода для запуска и проверки.Глядя на код, я полагаю, что вы можете попробовать, обновив шаблон как 

 .antMatchers("GET", "/users/**").permitAll().hasAnyRole("ROLE_USER", "ROLE_ADMIN")

Спасибо

Добро пожаловать на сайт PullRequest, где вы можете задавать вопросы и получать ответы от других членов сообщества.

Нет похожих вопросов

...