我有我的spring Boot 应用程序,我已经在spring boot应用程序下的'src/main/resources/static'文件夹中添加了index.html文件,这样我就可以在运行spring boot服务器时访问网页。这在另一个没有spring web安全设置的spring Boot 应用程序中运行得很好。但是一旦我添加了Spring Web安全配置,我只得到403 Forbidden错误。在网上我发现我应该添加:“.csrf().disable()”到我的配置,但它没有工作。我试图访问localhost:8080,但都是徒劳的。需要Spring安全性来保护REST API免受未经身份验证的用户的攻击。这是我的 Spring 安全配置。
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecuritySettings extends WebSecurityConfigurerAdapter {
@Autowired
private final UserDetailsService userService;
@Autowired
private JwtFilter jwtFilter;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService);
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// enable cors and disable csrf tokens(only required in mvc not in rest)
http = http.cors().and().csrf().disable();
// disable session management immediately since we are using jwt tokens.
// the server doesn't need to persist the currently logged-in user
http = http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and();
// configure your authorisation from here
http.authorizeRequests()
//.antMatchers("/**").permitAll() // for the default landing page
.antMatchers("/api/accounts/create-user").authenticated()
.antMatchers("/api/accounts/me").authenticated()
.antMatchers("/api/payments").hasAuthority("client")我也试着像其他人建议的那样通过控制器呈现页面,但这一切都是徒劳的。
@Controller
public class IndexController {
@RequestMapping("/")
public String renderLandingPage(){
return "Welcome to the servspace";
}
}这是错误,我得到
1条答案
按热度按时间wljmcqd81#
您仍然需要
.antMatchers("/**").permitAll(),但它需要在最后,因为它是最通用的: