Spring Security developer documentation: https://www.springcloud.cc/spring-security-zhcn.html
1. A configured no-login (whitelisted) endpoint does not take effect
```java
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Component;

@Component
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Patterns are matched against the path *after* the context path, so with
        // context path "/testServer" the first pattern below never matches (see the cause).
        // A "#" fragment is never sent to the server, so "/swagger-ui.html#/**" cannot match either.
        web.ignoring().antMatchers("/testServer/login", "/query/**", "/NoAuthAPIs/**", "/swagger-ui.html#/**");
    }
}
```
Cause: the pattern only takes effect once the project context path is removed from the front of the address. If the context path is "/testServer", a configured "/testServer/query" will never match.
2. How to return custom data instead of redirecting to the login page when an endpoint is accessed without being logged in
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic()
        .and()
        .authorizeRequests()
            .anyRequest().authenticated()
        .and()
        .formLogin()
            .loginProcessingUrl("/login")
            .successHandler(loginSuccessHandler)   // AuthenticationSuccessHandler bean injected into this class
            .failureHandler(loginFailureHandler)   // AuthenticationFailureHandler bean injected into this class
            .permitAll()
        // Unauthenticated requests receive the JSON body written by CustomAuthenticationEntryPoint
        // instead of a 302 redirect to the login page.
        .and().exceptionHandling().authenticationEntryPoint(new CustomAuthenticationEntryPoint())
        .and().csrf().disable();
    http.logout()
        .logoutUrl("/logout")
        .permitAll()
        .and().csrf().disable();   // redundant: CSRF protection is already disabled above
}
```
Solution:
Add .and().exceptionHandling().authenticationEntryPoint(new CustomAuthenticationEntryPoint()).
The code of CustomAuthenticationEntryPoint is as follows.
CommonResult is a plain JSON result object; the project uses Alibaba's fastjson, although the entry point below serialises it with Jackson's ObjectMapper.
```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException, ServletException {
        // The body, not the HTTP status, signals "not logged in": clients must check
        // resultCode "-2", because the status is deliberately 200 rather than 401.
        response.setStatus(200);
        response.setContentType("application/json;charset=UTF-8");
        CommonResult noLoginResult = new CommonResult();   // the project's own result DTO
        noLoginResult.setResultCode("-2");
        noLoginResult.setResultMessage("please login!");
        // Jackson's ObjectMapper serialises the DTO to JSON
        try (PrintWriter out = response.getWriter()) {
            out.write(new ObjectMapper().writeValueAsString(noLoginResult));
            out.flush();
        }
    }
}
```
3. Spring Security enables CSRF token validation by default on login; how to disable it
The code is the same as in section 2.
Solution:
Add .and().csrf().disable(); // disables the CSRF (cross-site request forgery) defence
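Disabling CSRF protection globally is only safe when no endpoint is authenticated by a browser-managed session cookie; the configuration in section 2 uses form login and sessions, so a cross-site page could submit state-changing requests on a logged-in user's behalf. As an added example (not code from the original post), the following configuration keeps the check on and instead makes the token usable by a JavaScript client, exempting only the paths that do not rely on the session cookie. The class name, the "/NoAuthAPIs/**" exemption and the assumption that those endpoints are stateless are mine.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

/**
 * Added example: scoped CSRF configuration instead of csrf().disable().
 * Assumes /NoAuthAPIs/** is stateless (no session cookie involved), so it can skip the check.
 */
@Configuration
@EnableWebSecurity
public class ScopedCsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login", "/NoAuthAPIs/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginProcessingUrl("/login")
                .permitAll()
                .and()
            .logout()
                .logoutUrl("/logout")      // with CSRF enabled, logout must be a POST carrying the token
                .permitAll()
                .and()
            .csrf()
                // The token is stored in an XSRF-TOKEN cookie that JavaScript may read;
                // the client echoes it back in the X-XSRF-TOKEN header, which CsrfFilter verifies.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // Only endpoints that are not authenticated by the session cookie skip the check.
                .ignoringAntMatchers("/NoAuthAPIs/**");
    }
}
```

The first request of any kind sets the XSRF-TOKEN cookie, so a single-page application can read it before its login POST and send it as X-XSRF-TOKEN on that and every later state-changing request; GET, HEAD, OPTIONS and TRACE are never checked.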
4. Still getting 403 after configuring roles
Cause and solution:
Version related: Spring Boot 2.0.
Role names must carry the ROLE_ prefix, because hasRole("USER") automatically prepends ROLE_ and checks for ROLE_USER.
When granting authorities to a user, the database must store the full authority identifier, ROLE_USER.
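As an added example (not from the original post), the configuration below shows both sides of the prefix rule: a UserDetailsService that passes the stored authority strings through unchanged, and access rules written with hasRole() and hasAuthority(). The class name, the two sample users and their stored authority lists are constructed for the demonstration; "{noop}" marks an unhashed sample password and is for the demo only.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/** Added example: how stored authority strings meet hasRole()/hasAuthority(). */
@Configuration
@EnableWebSecurity
public class RolePrefixSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Stands in for the authority column in the database (constructed sample data). */
    static List<String> storedAuthoritiesFor(String username) {
        switch (username) {
            case "alice": return Arrays.asList("ROLE_ADMIN", "ROLE_USER"); // full identifiers
            case "bob":   return Collections.singletonList("USER");         // prefix missing
            default:      return null;
        }
    }

    @Bean
    public UserDetailsService userDetailsService() {
        return username -> {
            List<String> stored = storedAuthoritiesFor(username);
            if (stored == null) {
                throw new UsernameNotFoundException(username);
            }
            return User.withUsername(username)
                    .password("{noop}password")                   // sample credential, demo only
                    // authorities(...) stores the strings verbatim: nothing adds ROLE_ here.
                    // (roles("USER") would add the prefix for you and yield ROLE_USER.)
                    .authorities(stored.toArray(new String[0]))
                    .build();
        };
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // hasRole("ADMIN") is evaluated as "has authority ROLE_ADMIN": alice passes.
                .antMatchers("/admin/**").hasRole("ADMIN")
                // hasRole("USER") looks for ROLE_USER: alice passes, bob's bare "USER" gets 403.
                .antMatchers("/user/**").hasRole("USER")
                // hasAuthority compares the stored string verbatim, so this is the only rule
                // bob's "USER" would satisfy; the stored value should be fixed instead.
                .antMatchers("/legacy/**").hasAuthority("USER")
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}
```

Passing the prefixed form to hasRole (hasRole("ROLE_ADMIN")) is rejected with an IllegalArgumentException at startup, so the prefix lives in the stored authority and nowhere else.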
5. Supporting cross-origin (CORS) access
Add http.cors() and a public CorsConfigurationSource corsConfigurationSource() bean:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    // ...
    http.sessionManagement().maximumSessions(1);
    // cors() picks up the CorsConfigurationSource bean declared below
    http.csrf().disable()
        .cors();
}

@Bean
public CorsConfigurationSource corsConfigurationSource() {
    final CorsConfiguration configuration = new CorsConfiguration();
    // "*" together with allowCredentials(true) lets any origin make credentialed
    // (cookie-bearing) requests; Spring Framework 5.3 and later reject this combination.
    configuration.setAllowedOrigins(Arrays.asList("*"));
    configuration.setAllowedMethods(Arrays.asList("HEAD", "GET", "POST", "PUT", "DELETE", "PATCH"));
    configuration.setAllowCredentials(true);
    configuration.setAllowedHeaders(Arrays.asList("Authorization", "Cache-Control", "X-User-Agent", "Content-Type"));
    final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}
```
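The bean above answers every Origin with Access-Control-Allow-Origin plus Access-Control-Allow-Credentials: true, which means the browser will attach the session cookie to requests made by any site. As an added example (not code from the original post), the version below lists the front-end origins explicitly and exposes the same origin check the CORS filter applies, so the decision can be unit-tested. The class name, the two origin values and the X-XSRF-TOKEN header are assumptions made for the demonstration.

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

/** Added example: CORS with an explicit origin allow-list instead of "*". */
@Configuration
public class HardenedCorsConfig {

    /** Front-ends allowed to call the API with the session cookie (constructed sample values). */
    static final List<String> TRUSTED_ORIGINS = Arrays.asList(
            "https://app.example.com", "https://admin.example.com");

    static CorsConfiguration trustedCorsConfiguration() {
        CorsConfiguration configuration = new CorsConfiguration();
        // Explicit origins: with allowCredentials(true) a wildcard would let any site
        // send the user's cookie, and newer Spring versions refuse "*" here anyway.
        configuration.setAllowedOrigins(TRUSTED_ORIGINS);
        configuration.setAllowedMethods(Arrays.asList("HEAD", "GET", "POST", "PUT", "DELETE", "PATCH"));
        configuration.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type", "X-XSRF-TOKEN"));
        configuration.setAllowCredentials(true);
        configuration.setMaxAge(600L);   // browsers may cache the preflight answer for 10 minutes
        return configuration;
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", trustedCorsConfiguration());
        return source;
    }

    /** Mirrors the check the CORS processor performs: checkOrigin returns null for refused origins. */
    static boolean originAllowed(String requestOrigin) {
        return trustedCorsConfiguration().checkOrigin(requestOrigin) != null;
    }
}
```

originAllowed("https://app.example.com") is true while originAllowed("https://other.example") is false; a refused origin gets no Access-Control-Allow-Origin header, so the browser withholds the response from the calling page even though the server processed the request.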
6. Users cannot log in again after logging out
Modify the configuration by adding the following code:
```java
// Without HttpSessionEventPublisher the SessionRegistry never hears that the session was
// destroyed at logout, so the old session still counts towards maximumSessions(1) and,
// with maxSessionsPreventsLogin(true), the next login attempt is refused.
http.sessionManagement().maximumSessions(1).maxSessionsPreventsLogin(true);

@Bean
public HttpSessionEventPublisher httpSessionEventPublisher() {
    return new HttpSessionEventPublisher();
}
```
7. Too many redirects
Cause:
The login endpoint or page was not configured for access without login. A request is then redirected to the login page automatically, and because the login page itself does not allow anonymous access, it redirects again, looping endlessly.
Solution (two scenarios):
Make /login or login.html anonymously accessible (if there is no login page, adding /login to the anonymous whitelist is enough) by adding the code:
```java
// Scenario 1: no login page, only the /login endpoint has to bypass security
@Override
public void configure(WebSecurity web) throws Exception {
    // "/testServer/login" only matches when "/testServer" is not the context path (see section 1)
    web.ignoring().antMatchers("/testServer/login", "/login");
}

// Scenario 2: a login page is served and must itself be reachable anonymously
// ...
    .and()
    .formLogin()
        .loginPage("/login.html")
    .and()
    .authorizeRequests()
        .antMatchers("/login.html").permitAll()
```
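As an added example (not code from the original post) that ties sections 1 and 7 together, here is a complete configure(HttpSecurity) that whitelists the login endpoint and page with permitAll() rather than web.ignoring(). web.ignoring() removes the whole security filter chain for those paths (no security headers, no SecurityContext), whereas permitAll() keeps the filters and only skips the authorization decision. The paths are servlet-relative, so the context path "/testServer" is deliberately absent; the class name is mine, and the extra springfox paths next to /swagger-ui.html are assumed from springfox 2.x.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example: login endpoint and page whitelisted through permitAll().
 * Assumes server.servlet.context-path=/testServer; the patterns below are matched
 * against the part of the URL that follows it.
 */
@Configuration
@EnableWebSecurity
public class LoginWhitelistSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Real URL /testServer/login is matched by "/login", not "/testServer/login".
                .antMatchers("/login", "/login.html").permitAll()
                .antMatchers("/query/**", "/NoAuthAPIs/**").permitAll()
                // springfox 2.x resources (assumed); note there is no "#..." fragment in a pattern
                .antMatchers("/swagger-ui.html", "/swagger-resources/**", "/v2/api-docs", "/webjars/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login.html")        // reachable anonymously, so no redirect loop
                .loginProcessingUrl("/login")    // POST target of the form
                .permitAll()                     // also covers the failure URL (/login.html?error)
                .and()
            .logout()
                .logoutUrl("/logout")
                .permitAll();
    }
}
```

If the page loads static assets (CSS, scripts) from the same application, those paths need a permitAll() rule as well, or the login page will render but its assets will redirect to the login page in turn.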