Access is denied (user is anonymous). Spring Security problems after upgrading Spring Boot v1 to v2
28 February 2020

I upgraded a project from Spring Boot v1.5.14.RELEASE to v2.1.9.RELEASE, and I ran into problems with the Thymeleaf side of my web application. CSS and other resources do not seem to be applied. The problem appears to be related to changes in Spring Security.

When I hit my login URL, I see this in the logs:

2020-02-28 09:45:46.975  INFO 1 --- [http-nio-8091-exec-1] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'
2020-02-28 09:45:46.976 DEBUG 1 --- [http-nio-8091-exec-1] o.s.web.servlet.DispatcherServlet        : Detected StandardServletMultipartResolver
2020-02-28 09:45:46.987 DEBUG 1 --- [http-nio-8091-exec-1] o.s.web.servlet.DispatcherServlet        : enableLoggingRequestDetails='false': request parameters and headers will be masked to prevent unsafe logging of potentially sensitive data
2020-02-28 09:45:46.988  INFO 1 --- [http-nio-8091-exec-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 12 ms
2020-02-28 09:45:47.007 DEBUG 1 --- [http-nio-8091-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/meanwhileinhell/api/login'; against '/resources/**'
2020-02-28 09:45:47.007 DEBUG 1 --- [http-nio-8091-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/meanwhileinhell/api/login'; against '/webjars/**'
2020-02-28 09:45:47.008 DEBUG 1 --- [http-nio-8091-exec-1] o.s.security.web.FilterChainProxy        : /meanwhileinhell/api/login at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2020-02-28 09:45:47.009 DEBUG 1 --- [http-nio-8091-exec-1] o.s.security.web.FilterChainProxy        : /meanwhileinhell/api/login at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2020-02-28 09:45:47.010 DEBUG 1 --- [http-nio-8091-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2020-02-28 09:45:47.010 DEBUG 1 --- [http-nio-8091-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2020-02-28 09:45:47.013 DEBUG 1 --- [http-nio-8091-exec-1] o.s.security.web.FilterChainProxy        : /meanwhileinhell/api/login at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2020-02-28 09:45:47.015 DEBUG 1 --- [http-nio-8091-exec-1] o.s.security.web.FilterChainProxy        : /meanwhileinhell/api/login at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2020-02-28 09:45:47.016 DEBUG 1 --- [http-nio-8091-exec-1] o.s.security.web.FilterChainProxy        : /meanwhileinhell/api/login at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2020-02-28 09:45:47.017 DEBUG 1 --- [http-nio-8091-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /meanwhileinhell/api/login' doesn't match 'POST /logout'
2020-02-28 09:45:47.017 DEBUG 1 --- [http-nio-8091-exec-1] o.s.security.web.FilterChainProxy        : /meanwhileinhell/api/login at position 6 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2020-02-28 09:45:47.017 DEBUG 1 --- [http-nio-8091-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /meanwhileinhell/api/login' doesn't match 'POST /login'
2020-02-28 09:45:47.017 DEBUG 1 --- [http-nio-8091-exec-1] o.s.security.web.FilterChainProxy        : /meanwhileinhell/api/login at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2020-02-28 09:45:47.017 DEBUG 1 --- [http-nio-8091-exec-1] o.s.s.w.s.HttpSessionRequestCache        : saved request doesn't match
2020-02-28 09:45:47.017 DEBUG 1 --- [http-nio-8091-exec-1] o.s.security.web.FilterChainProxy        : /meanwhileinhell/api/login at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2020-02-28 09:45:47.019 DEBUG 1 --- [http-nio-8091-exec-1] o.s.security.web.FilterChainProxy        : /meanwhileinhell/api/login at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2020-02-28 09:45:47.021 DEBUG 1 --- [http-nio-8091-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@cc158d33: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@3bcc: RemoteIpAddress: 192.168.1.3; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2020-02-28 09:45:47.021 DEBUG 1 --- [http-nio-8091-exec-1] o.s.security.web.FilterChainProxy        : /meanwhileinhell/api/login at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2020-02-28 09:45:47.021 DEBUG 1 --- [http-nio-8091-exec-1] o.s.s.w.session.SessionManagementFilter  : Requested session ID C171453B3FD8B4197CF920844D4AF0F5 is invalid.
2020-02-28 09:45:47.021 DEBUG 1 --- [http-nio-8091-exec-1] o.s.security.web.FilterChainProxy        : /meanwhileinhell/api/login at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2020-02-28 09:45:47.021 DEBUG 1 --- [http-nio-8091-exec-1] o.s.security.web.FilterChainProxy        : /meanwhileinhell/api/login at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2020-02-28 09:45:47.022 DEBUG 1 --- [http-nio-8091-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/meanwhileinhell/api/login'; against '/webjars/**'
2020-02-28 09:45:47.022 DEBUG 1 --- [http-nio-8091-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /meanwhileinhell/api/login; Attributes: [authenticated]
2020-02-28 09:45:47.023 DEBUG 1 --- [http-nio-8091-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@cc158d33: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@3bcc: RemoteIpAddress: 192.168.1.3; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2020-02-28 09:45:47.030 DEBUG 1 --- [http-nio-8091-exec-1] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@5d7bcc4b, returned: -1
2020-02-28 09:45:47.033 DEBUG 1 --- [http-nio-8091-exec-1] o.s.s.w.a.ExceptionTranslationFilter     : Access is denied (user is anonymous); redirecting to authentication entry point

org.springframework.security.access.AccessDeniedException: Access is denied

My WebSecurity adapter looks like this (this is exactly the same code that works in SB1):

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class UiServerWebMVCSecurity extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationProvider authenticationProvider;

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider);
    }

    @Override
    public void configure(final WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/webjars/**").permitAll();

        http
                .authorizeRequests().anyRequest().authenticated()
            .and()
                .formLogin().loginPage("/login").permitAll()
            .and()
                .logout().logoutUrl("/logout").logoutSuccessUrl("/login").invalidateHttpSession(true);

    }
}

I can't seem to find an update that gets past this AccessDenied for anonymous users. I added .and().anonymous() to the end of the configure(final HttpSecurity http) chain, but it did not help.

I tried to work out what this log line means: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@5d7bcc4b, returned: -1, since previously in SB1 it returned 1.

Also, the log line Populated SecurityContextHolder with anonymous token: ..... looks suspicious to me because of SessionId: null.
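Added example (not part of the original question and not Spring Security code): a Python script that reads the decisive DEBUG lines from the log above, decodes the voter result, and replays request paths against the rules in the posted configuration. The Ant matcher is a simplified stand-in for AntPathRequestMatcher, and /css/site.css is a constructed path used only for illustration.

```python
import re

# Constructed sample: four lines abbreviated from the DEBUG log in the question.
LOG = """\
o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/meanwhileinhell/api/login'; against '/resources/**'
o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/meanwhileinhell/api/login'; against '/webjars/**'
o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /meanwhileinhell/api/login; Attributes: [authenticated]
o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@5d7bcc4b, returned: -1
"""
# Rules as written in the posted configuration; the first match wins.
RULES = [
    ("/resources/**", "ignored"),    # web.ignoring()
    ("/webjars/**", "permitAll"),
    ("/login", "permitAll"),         # formLogin().loginPage("/login").permitAll()
    ("/**", "authenticated"),        # anyRequest().authenticated()
]
# Result codes defined by Spring Security's AccessDecisionVoter interface.
VOTES = {1: "ACCESS_GRANTED", 0: "ACCESS_ABSTAIN", -1: "ACCESS_DENIED"}

def ant_regex(pattern):
    """Simplified Ant-style matching: trailing /** = any depth, * = one segment."""
    if pattern.endswith("/**"):
        return re.compile(re.escape(pattern[:-3]) + r"(/.*)?$")
    return re.compile(re.escape(pattern).replace(r"\*", "[^/]*") + "$")

def rule_for(path):
    """Return the (pattern, access) pair of the first rule that matches path."""
    for pattern, access in RULES:
        if ant_regex(pattern).match(path):
            return pattern, access
    return None

def summarize(log):
    """Extract the path the matchers saw, the patterns tried and the vote."""
    checks = re.findall(r"Checking match of request : '([^']+)'; against '([^']+)'", log)
    secure = re.search(r"URL: ([^;]+); Attributes: \[([^\]]*)\]", log)
    vote = re.search(r"Voter: \S+, returned: (-?\d+)", log)
    return {
        "path": secure.group(1),
        "patterns_tried": sorted({p for _, p in checks}),
        "attributes": secure.group(2),
        "vote": VOTES[int(vote.group(1))],
    }

if __name__ == "__main__":
    info = summarize(LOG)
    print(info, "->", rule_for(info["path"]))
    for p in ("/login", "/webjars/jquery/jquery.min.js", "/css/site.css"):
        print(p, "->", rule_for(p))
```

The path the matchers evaluate is /meanwhileinhell/api/login, which is not the /login that the form-login permitAll() covers, so the request lands on the anyRequest().authenticated() rule and the anonymous token is voted down.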
