JavaSpringSecurity5Always302
我试图测试使用标准Spring安全api保护的web api,但是每当我登录到我的应用程序/test时。html api不断返回302重定向。 用户名:admin/ 密码:admin
package com.example.demo; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; @RestController @SpringBootApplication public class DemoApplication { public static void main(String[] args) { SpringApplication.run(DemoApplication.class, args); } @RequestMapping("/hello") public String hello() { return "hello"; } }
package com.example.demo; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; @Configuration @EnableWebSecurity public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter { @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Override protected void configure(HttpSecurity http) throws Exception { http.formLogin() .loginPage("/test.html").permitAll() .loginProcessingUrl("/user/login") .and() .authorizeRequests() .antMatchers("/test.html").permitAll() .anyRequest() .authenticated(); } }
package com.example.demo; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.stereotype.Component; @Component public class UserDetailsServiceImpl implements UserDetailsService { @Override public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException { return new User("admin", "$2a$10$vs7veyVUaqeGyVlxXpp94O7BcmzcF2HGUmH2va6XDVCj2mK8uFzRi", AuthorityUtils.commaSeparatedStringToAuthorityList("admin")); } }
# 1 楼答案
完成
跨站点请求伪造
# 2 楼答案
排除安全自动配置。类和管理Web安全自动配置。我的spring boot应用程序的主类中的类适用于我
# 3 楼答案
你需要在
.hasAnyRole
后面加上用户的角色 放完这些之后,你需要放.anyRequest().authenticated()
仅此而已