Problem with permitAll in Vaadin and WebSecurity - not working

I have a few views with @Route in Vaadin, and now I want to add security and some login. In my SecurityConfiguration class I set antMatchers.permitAll() for only 2 views, and the rest to the role ADMIN. But it does not work as I think it should. It requires login to access every view, and after logging in I can access all views regardless of what role the user has.

I hoped this tutorial would help me, but without logging in I cannot access any view.

Securing Your App With Spring Security

My configuration class:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Application-specific service; must implement UserDetailsService for auth.userDetailsService(...)
    private UserService userService;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    public SecurityConfiguration(UserService userService) {
        this.userService = userService;
    }

    @Autowired
    private void configureAuth(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService);
        // Additional in-memory user "user" with role USER (Spring stores it as ROLE_USER)
        auth.inMemoryAuthentication()
                .withUser("user")
                .password(passwordEncoder().encode("user"))
                .roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().and()
                .anonymous()
                .and()
                .authorizeRequests()
                .antMatchers("/", "/login").permitAll()
                .antMatchers("/recipe-manager", "/ingredient-manager").hasAnyRole("ADMIN")
                .and()
                .formLogin().loginPage("/login").permitAll()
                .and()
                .logout().logoutSuccessUrl("/")
                .and()
                .csrf().disable().cors().disable().headers().disable();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Static resources and Vaadin framework paths bypass the security filter chain entirely
        web.ignoring().antMatchers(
                "/VAADIN/**",
                "/favicon.ico",
                "/robots.txt",
                "/manifest.webmanifest",
                "/sw.js",
                "/offline-page.html",
                "/icons/**",
                "/images/**",
                "/frontend/**",
                "/webjars/**",
                "/h2-console/**",
                "/frontend-es5/**", "/frontend-es6/**");
    }
}

My views are annotated as follows:

@Route("recipe-manager")
public class RecipeManagerView extends VerticalLayout
@Route("")
public class RecipeBrowserView extends VerticalLayout 
@Route("login")
public class LoginView extends VerticalLayout 
@Route("ingredient-manager")
public class IngredientManagerView extends VerticalLayout 

I want anyone to be able to access RecipeBrowserView and LoginView, but only logged-in users to access RecipeManagerView and IngredientManagerView.

As far as I know, antMatchers only accepts a single parameter. You should change your configuration class like this:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Application-specific service; must implement UserDetailsService for auth.userDetailsService(...)
    private UserService userService;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    public SecurityConfiguration(UserService userService) {
        this.userService = userService;
    }

    @Autowired
    private void configureAuth(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService);
        auth.inMemoryAuthentication()
                .withUser("user")
                .password(passwordEncoder().encode("user"))
                .roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().and()
                .anonymous()
                .and()
                .authorizeRequests()
                // the two permitAll matchers split into one call each
                .antMatchers("/").permitAll()
                .antMatchers("/login").permitAll()
                .antMatchers("/recipe-manager", "/ingredient-manager").hasAnyRole("ADMIN")
                .and()
                .formLogin().loginPage("/login").permitAll()
                .and()
                .logout().logoutSuccessUrl("/")
                .and()
                .csrf().disable().cors().disable().headers().disable();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(
                "/VAADIN/**",
                "/favicon.ico",
                "/robots.txt",
                "/manifest.webmanifest",
                "/sw.js",
                "/offline-page.html",
                "/icons/**",
                "/images/**",
                "/frontend/**",
                "/webjars/**",
                "/h2-console/**",
                "/frontend-es5/**", "/frontend-es6/**");
    }
}

You cannot use Spring's path-based matching for Vaadin route security. Spring Security matches on the request path, whereas navigation from one view to another in Vaadin is sent as metadata inside an internal request that always goes to the same hard-coded path.

Instead, you can implement your access control logic in an interceptor provided by Vaadin. See https://vaadin.com/tutorials/securing-your-app-with-spring-security to learn more about this.
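The Vaadin-side interceptor the answer above refers to is a BeforeEnterListener registered on every UI. The following is an added illustration, not code from the question, the answers or the linked tutorial: it checks the navigation target against a role table and decides before the view is rendered, so it does not depend on the request path at all. The view classes (RecipeManagerView, IngredientManagerView, LoginView) are the ones named in the question; the class name ViewAccessControl, the REQUIRED_ROLE table and the choice to reroute unauthorized users to a "not found" error view are assumptions made for the example.

```java
import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.router.BeforeEnterListener;
import com.vaadin.flow.router.NotFoundException;
import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinServiceInitListener;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

import java.util.Map;

// Registered as a Spring bean; the Vaadin Spring integration picks up
// VaadinServiceInitListener beans automatically (assumed setup).
@Component
public class ViewAccessControl implements VaadinServiceInitListener, BeforeEnterListener {

    // Assumed policy table: view class -> Spring authority required to enter it.
    // Views not listed here (RecipeBrowserView, LoginView) are public.
    private static final Map<Class<?>, String> REQUIRED_ROLE = Map.<Class<?>, String>of(
            RecipeManagerView.class, "ROLE_ADMIN",
            IngredientManagerView.class, "ROLE_ADMIN");

    @Override
    public void serviceInit(ServiceInitEvent event) {
        // Attach the listener to every UI (browser tab) the service creates.
        event.getSource().addUIInitListener(
                uiEvent -> uiEvent.getUI().addBeforeEnterListener(this));
    }

    @Override
    public void beforeEnter(BeforeEnterEvent event) {
        Class<?> target = event.getNavigationTarget();
        String requiredRole = REQUIRED_ROLE.get(target);
        if (requiredRole == null) {
            return; // public view: let navigation proceed
        }

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!isAuthenticated(auth)) {
            // Not logged in: send the user to the login view instead of the target.
            event.rerouteTo(LoginView.class);
            return;
        }
        if (!hasRole(auth, requiredRole)) {
            // Logged in but lacking the role (e.g. the in-memory "user" with ROLE_USER):
            // show the not-found error view rather than revealing the protected view.
            event.rerouteToError(NotFoundException.class);
        }
    }

    // Spring represents an unauthenticated session as an AnonymousAuthenticationToken,
    // which still reports isAuthenticated() == true, so it must be excluded explicitly.
    static boolean isAuthenticated(Authentication auth) {
        return auth != null
                && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
    }

    static boolean hasRole(Authentication auth, String role) {
        return auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch(role::equals);
    }
}
```

With this in place the HttpSecurity rules only need to let Vaadin's own requests through (the internal navigation request and the static resources already listed under web.ignoring); the per-view decision is made here, where the real navigation target is known. Keeping the role table next to the view classes also makes it easy to see at a glance which views are reachable without logging in.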