Spring Security 、基本身份验证和任意性

vhipe2zx  于 2021-06-29  发布在  Java
关注(0)|答案(0)|浏览(359)

我在Spring Security 和basic auth方面遇到了一个非常奇怪的问题。我基本上想用basic auth保护swaggerui。在我在spring config中介绍以下内容之前,一切都正常(没有auth):

<http pattern="/swagger*/**" xmlns="http://www.springframework.org/schema/security"
          authentication-manager-ref="basicAuthenticationManager">
        <http-basic />
        <intercept-url pattern="/swagger*/**" access="isAuthenticated()" />
</http>

这将导致404,因为权限被拒绝,日志显示:

DEBUG [HTTP38] [ExceptionTranslationFilter] Chain processed normally
DEBUG [HTTP22] [AntPathRequestMatcher] Checking match of request : '/swagger-ui.html'; against '/swagger*/**'
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [HTTP22] [HttpSessionSecurityContextRepository] No HttpSession currently exists
DEBUG [HTTP22] [HttpSessionSecurityContextRepository] No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 2 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 4 of 11 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG [HTTP22] [HttpSessionRequestCache] saved request doesn't match
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG [HTTP22] [AnonymousAuthenticationFilter] Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@4f862d10: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG [HTTP22] [AntPathRequestMatcher] Checking match of request : '/swagger-ui.html'; against '/swagger*/**'
DEBUG [HTTP22] [FilterSecurityInterceptor] Secure object: FilterInvocation: URL: /swagger-ui.html; Attributes: [isAuthenticated()]
DEBUG [HTTP22] [FilterSecurityInterceptor] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@4f862d10: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
DEBUG [HTTP22] [AffirmativeBased] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@10de9715, returned: -1
DEBUG [HTTP22] [ExceptionTranslationFilter] Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) [spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]

因此,似乎anonymousauthfilter设置了anonymous,但由于 access="isAuthenticated()" .
如果我加上以下内容:

<http pattern="/swagger*/**" xmlns="http://www.springframework.org/schema/security"
          authentication-manager-ref="basicAuthenticationManager">
        <http-basic />
        <intercept-url pattern="/swagger*/**" access="isAuthenticated()" />
        <anonymous enabled="false" />
    </http>

它将抱怨缺少身份验证对象(在securitycontext中找不到身份验证对象):

DEBUG [HTTP15] [ExceptionTranslationFilter] Chain processed normally
DEBUG [HTTP25] [AntPathRequestMatcher] Checking match of request : '/swagger-ui.html'; against '/swagger*/**'
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [HTTP25] [HttpSessionSecurityContextRepository] No HttpSession currently exists
DEBUG [HTTP25] [HttpSessionSecurityContextRepository] No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 2 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 4 of 10 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 5 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 6 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG [HTTP25] [HttpSessionRequestCache] saved request doesn't match
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 7 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG [HTTP25] [AntPathRequestMatcher] Checking match of request : '/swagger-ui.html'; against '/swagger*/**'
DEBUG [HTTP25] [FilterSecurityInterceptor] Secure object: FilterInvocation: URL: /swagger-ui.html; Attributes: [isAuthenticated()]
DEBUG [HTTP25] [ExceptionTranslationFilter] Authentication exception occurred; redirecting to authentication entry point
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:379) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:223) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    ....

我想指出:
这是一个大的企业应用程序,它周围有很多东西。然而,web上下文非常狭窄,我真的删除了几乎所有其他内容。
这以前有用。我改变的是web.xml中的Map。在Map到springmvcservlet的是/v2/之前,现在是/
有什么想法吗?对我来说,这似乎是正确的,而且它在日志中看起来也不错-它只是从不要求基本的身份验证。
欢迎任何意见。
谢谢你和比尔
达里奥

暂无答案!

目前还没有任何答案,快来回答吧!

相关问题