Python中文网

一个关于 编程问题的解答网站.

有 Java 编程相关的问题?

你可以在下面搜索框中键入要查询的问题!

使用Vaadin 10进行java自定义Spring安全登录

1 周,4 日 Questions & Answers

我试图在使用spring boot的同时使用Vaadin,我也在使用spring security。这是我在WebSecurityConfigurerAdapter类中完成的配置

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
                http
                .csrf().disable()
                .authorizeRequests()
                .antMatchers("/VAADIN/**", "/PUSH/**", "/UIDL/**", "/login", "/login/**", "/error/**", "/accessDenied/**", "/vaadinServlet/**","/myui/**","/test/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin().permitAll().defaultSuccessUrl("/myui", true).and()
                .sessionManagement().sessionAuthenticationStrategy(sessionControlAuthenticationStrategy());
    }

这是我的登录视图

@Route("login")
@Theme(value = Lumo.class, variant = Lumo.DARK)

public class LoginForm extends Div {

    public LoginForm(){
        init();
    }

    public void init(){
        FormLayout nameLayout = new FormLayout();

        TextField username = new TextField();
        username.setLabel("UserName");
        username.setPlaceholder("username");

        PasswordField passwordField = new PasswordField();
        passwordField.setLabel("password");
        passwordField.setPlaceholder("*****");

        Button loginButton = new Button("login");

        loginButton.addClickListener(event -> {
        });

        nameLayout.add(username,passwordField);

        add(nameLayout);
    }
}

我遇到的问题是,当用户被重定向到/login时,我总是看到一个空页面,但在检查Html页面后,我可以看到有vaadin元素,但它们没有出现在浏览器中


共 (2) 个答案

  1. # 1 楼答案 

    package com.example.test.spring.security;

import com.vaadin.flow.server.ServletHelper;
import com.vaadin.flow.shared.ApplicationConstants;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

import javax.servlet.http.HttpServletRequest;
import java.util.stream.Stream;


@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests()
                .antMatchers("/VAADIN/**", "/HEARTBEAT/**", "/UIDL/**", "/resources/**"
                        , "/login", "/login**", "/login/**", "/manifest.json", "/icons/**", "/images/**",
                        // (development mode) static resources
                        "/frontend/**",
                        // (development mode) webjars
                        "/webjars/**",
                        // (development mode) H2 debugging console
                        "/h2-console/**",
                        // (production mode) static resources
                        "/frontend-es5/**", "/frontend-es6/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginPage("/login")
                .permitAll()
                .successForwardUrl("/something")
                .and()
                .logout()
                .permitAll();
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        UserDetails user =
                User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();

        return new InMemoryUserDetailsManager(user);
    }


    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(
                // Vaadin Flow static resources
                "/VAADIN/**",

                // the standard favicon URI
                "/favicon.ico",

                // web application manifest
                "/manifest.json",

                // icons and images
                "/icons/**",
                "/images/**",

                // (development mode) static resources
                "/frontend/**",

                // (development mode) webjars
                "/webjars/**",

                // (development mode) H2 debugging console
                "/h2-console/**",

                // (production mode) static resources
                "/frontend-es5/**", "/frontend-es6/**");
    }


    static boolean isFrameworkInternalRequest(HttpServletRequest request) {
        final String parameterValue = request.getParameter(ApplicationConstants.REQUEST_TYPE_PARAMETER);
        return parameterValue != null
                && Stream.of(ServletHelper.RequestType.values()).anyMatch(r -> r.getIdentifier().equals(parameterValue));
    }

}

    在将web配置更改为该配置后,我能够修复该问题

  2. # 2 楼答案

    这是我的工作配置:

    @Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .csrf().disable() // CSRF handled by Vaadin
            .exceptionHandling()
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
                .accessDeniedPage("/accessDenied")
            .and()
            .authorizeRequests()
                // allow Vaadin URLs without authentication
                .regexMatchers("/frontend/.*", "/VAADIN/.*", "/login.*", "/accessDenied.*").permitAll()
                .regexMatchers(HttpMethod.POST, "/\\?v-r=.*").permitAll()
                // deny other URLs until authenticated
                .antMatchers("/**").fullyAuthenticated();
}

    所有请求都会重定向到登录视图,直到通过身份验证。到目前为止,我没有尝试@Push,因此可能需要额外的URL才能始终被允许

    使用Firefox开发者工具,您可以在控制台中检查XHR调用。如果任何XHR调用因403或其他原因失败,您可能需要调整安全配置