How to access "/h2-console" in Spring Boot with Spring Security

j2cgzkjk, published 2023-08-04 in Spring
Follow (0) | Answers (1) | Views (151)

I searched for some code that disables CSRF so that I can access "/h2-console", but it doesn't seem to work. When I enter "/h2-console", the login prompt still appears, just as it did before I wrote this code.
What is wrong?
I want to access the H2 database without a login prompt.
Here is the security configuration code; the image is the file structure (IntelliJ).

package com.taxiWithBack.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;


@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public BCryptPasswordEncoder encodePwd(){
        return new BCryptPasswordEncoder();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

        http
                .csrf()
                .disable()
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers("/h2-console/**").permitAll()
                        .requestMatchers("/admin").hasRole("ADMIN")
                        .requestMatchers("/").permitAll()
                        .anyRequest().authenticated()
                )
                .formLogin()
                .permitAll();

        return http.build();
    }

    // Note: nothing invokes this method. It is not annotated with @Autowired and
    // Spring Security does not call it by name, so these in-memory users are
    // never registered with the AuthenticationManager.
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user").password(encodePwd().encode("password")).roles("USER")
                .and()
                .withUser("admin").password(encodePwd().encode("password")).roles("ADMIN");
    }

}



gzjq41n4, answer #1

Could you try changing your code as follows and verify it?

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
// WebSecurityConfigurerAdapter exists only in Spring Security 5.x (deprecated in 5.7,
// removed in 6.0); this class therefore compiles against Spring Boot 2.x, not 3.x.
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private BCryptPasswordEncoder passwordEncoder;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
            .disable()
            .authorizeRequests(authorize -> authorize
                .antMatchers("/h2-console/**").permitAll() // permits access to all URLs starting with /h2-console/ without authentication.
                .antMatchers("/admin").hasRole("ADMIN")
                .antMatchers("/").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin()
            .permitAll();

        // disables the X-Frame-Options header to allow the H2 console to be displayed in an iframe
        http.headers().frameOptions().disable();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user").password(passwordEncoder.encode("password")).roles("USER")
            .and()
            .withUser("admin").password(passwordEncoder.encode("password")).roles("ADMIN");
    }

    @Bean
    public BCryptPasswordEncoder encodePwd() {
        return new BCryptPasswordEncoder();
    }
}

Notes:

  • By extending WebSecurityConfigurerAdapter, we can override the **configure(HttpSecurity http)** method to define the security rules.
  • This configuration should be used for development purposes, not for production, because it removes many security features and may leave your application vulnerable.
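The same intent written for Spring Security 6 (the version implied by the `requestMatchers` calls in the question), as an added example that is neither the asker's nor the answerer's code: CSRF is exempted only for the console path instead of disabled globally, X-Frame-Options is relaxed to SAMEORIGIN rather than removed, the users are registered through a UserDetailsService bean, and the whole class is limited to a dev profile. The class name, the profile name "dev" and the assumption that Spring Boot's H2 console auto-configuration is active are mine.

```java
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.RequestMatcher;
import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;

@Configuration
@EnableWebSecurity
@Profile("dev") // assumed profile name: keeps the console rules out of production builds
public class DevSecurityConfig { // assumed class name

    @Bean
    public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Boot's matcher for the configured console path; every relaxation below is scoped to it.
        RequestMatcher h2Console = PathRequest.toH2Console();
        http
            // antMatcher(): Spring Security 6 rejects plain string patterns once a second
            // servlet (the console's) is registered, because it cannot tell MVC from servlet paths.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(h2Console).permitAll()
                .requestMatchers(antMatcher("/admin")).hasRole("ADMIN")
                .requestMatchers(antMatcher("/")).permitAll()
                .anyRequest().authenticated())
            // CSRF protection stays on for the application; only the console is exempt.
            .csrf(csrf -> csrf.ignoringRequestMatchers(h2Console))
            // The console renders itself in frames; SAMEORIGIN is enough, the header is kept.
            .headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()))
            .formLogin(login -> login.permitAll());
        return http.build();
    }

    // Replaces configureGlobal(), which nothing calls in Spring Security 6.
    @Bean
    public UserDetailsService users(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("user").password(encoder.encode("password")).roles("USER").build(),
            User.withUsername("admin").password(encoder.encode("password")).roles("ADMIN").build());
    }
}
```

Start the application with `spring.profiles.active=dev` to get these rules; under any other profile no console exception exists and Boot's default filter chain requires authentication for every request.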
