Unable to access the H2 console with Spring Security

b4wnujal  posted on 2023-05-27  in  Spring

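I am developing a Spring Boot application and recently migrated from Spring Boot 2 to Spring Boot 3. The application uses Spring Security 6. However, after the migration, I get an HTTP 403 error when I try to access the H2 console.
In my project, I configured a SecurityFilterChain that allows access to certain public endpoints, including the H2 console.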

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .csrf((csrf) -> csrf.disable())
        .authorizeHttpRequests((authorize) ->
            authorize
                .requestMatchers(
                    "/api/auth/login",
                    "/api/auth/logout",
                    "/login",
                    "/h2-console/**"
                ).permitAll()
                .requestMatchers("/admin/**")
                    .hasAuthority("ROLE_ADMIN")
                .anyRequest()
                    .authenticated()
        ).logout((logout) ->
            logout
                .deleteCookies("JSESSIONID")
                .invalidateHttpSession(true)
                .logoutUrl("/api/auth/logout")
                .logoutSuccessUrl("/logout-success")
        ).headers((headers) ->
            headers
                .frameOptions(frameOptions -> frameOptions.sameOrigin())
        );
    return http.build();
}

When I start the application, the H2 console is available, which I can confirm from the following log message:

2023-05-22T23:36:52.924+02:00  INFO 8128 --- [  restartedMain] o.s.b.a.h2.H2ConsoleAutoConfiguration    : H2 console available at '/h2-console'. Database available at 'jdbc:h2:~/test'

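I can access the permitted endpoints without any problems. However, when I try to access the H2 console, I receive an HTTP 403 error.
But I cannot access my h2-console (I get an HTTP 403 code).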

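I also tried ignoring the H2 console with a requestMatcher, since it has its own login, but I cannot determine the root cause of the problem. Here is my configuration: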

@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
    return (web) -> web.ignoring().requestMatchers("/h2-console/**");
}

When I try to access the H2 console URL, I can see the following debug output in the console:

2023-05-22T23:45:07.983+02:00 DEBUG 8128 --- [nio-8080-exec-8] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [public/], ServletContext [/]]
2023-05-22T23:45:07.985+02:00 DEBUG 8128 --- [nio-8080-exec-8] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [public/], ServletContext [/]]
2023-05-22T23:45:07.985+02:00 DEBUG 8128 --- [nio-8080-exec-8] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [public/], ServletContext [/]]
2023-05-22T23:45:07.986+02:00 DEBUG 8128 --- [nio-8080-exec-8] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [public/], ServletContext [/]]
2023-05-22T23:45:07.987+02:00 DEBUG 8128 --- [nio-8080-exec-8] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [public/], ServletContext [/]]
2023-05-22T23:45:07.987+02:00 DEBUG 8128 --- [nio-8080-exec-8] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [public/], ServletContext [/]]
2023-05-22T23:45:07.989+02:00 DEBUG 8128 --- [nio-8080-exec-8] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
2023-05-22T23:45:07.990+02:00 DEBUG 8128 --- [nio-8080-exec-8] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
2023-05-22T23:45:07.990+02:00 DEBUG 8128 --- [nio-8080-exec-8] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
2023-05-22T23:45:07.991+02:00 DEBUG 8128 --- [nio-8080-exec-8] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
2023-05-22T23:45:07.991+02:00 DEBUG 8128 --- [nio-8080-exec-8] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
2023-05-22T23:45:07.991+02:00 DEBUG 8128 --- [nio-8080-exec-8] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)

Can anyone help me solve this problem? Sorry for my English.

qxsslcnc #1

Spring Security 6 changed things a bit around requestMatchers; it behaves differently from requestAntMatchers.
You should add this to your builder, and it will work.

import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
...

authorize.requestMatchers(PathRequest.toH2Console()).permitAll();
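
Added example, not part of the original answer or the asker's project: a separate filter chain that applies the `PathRequest.toH2Console()` matcher only to the console, so the CSRF and frame-option relaxations it needs stay off the rest of the application. The `dev` profile name and the class and bean names are assumptions for illustration.

```java
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Assumption: "dev" is the profile used for local development, so this chain
// (and the open console) never exists in other environments.
// Class and bean names are illustrative.
@Profile("dev")
@Configuration(proxyBeanMethods = false)
public class H2ConsoleDevSecurityConfig {

    // Highest precedence: consulted before the application's main chain,
    // but only for requests that PathRequest.toH2Console() matches.
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    SecurityFilterChain h2ConsoleFilterChain(HttpSecurity http) throws Exception {
        http
            // Scope every setting below to the H2 console servlet path.
            .securityMatcher(PathRequest.toH2Console())
            // The console has its own login form, as the question notes.
            .authorizeHttpRequests(authorize -> authorize.anyRequest().permitAll())
            // The console's forms do not send a CSRF token.
            .csrf(csrf -> csrf.disable())
            // The console UI is built from frames served by the same origin.
            .headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()));
        return http.build();
    }
}
```

With a chain like this, the main `SecurityFilterChain` no longer needs the `"/h2-console/**"` entry, the global `csrf.disable()`, or the `WebSecurityCustomizer` ignore rule for the console.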
