Exclude URL paths from vaadin router in vaadin flow 14
I am trying to include a 'third-party' URL in a Vaadin 14 + Spring Boot application, namely the redirect URL "/oauth2/authorization/github" of spring-security's single sign-on.
However, the Vaadin servlet seems to intercept this URL and shows an error message saying that the route is unknown:
Could not navigate to 'oauth2/authorization/github'
Reason: Couldn't find route for 'oauth2/authorization/github'
How can I prevent this so that the oauth2 URL is reached? I checked the Vaadin documentation but did not find anything on how to exclude specific paths from the regular router navigation mechanism.
The spring-boot oauth2 setup follows the tutorial on the official Spring site, https://spring.io/guides/tutorials/spring-boot-oauth2/, with the following dependencies added:
<dependency>
    <groupId>com.vaadin</groupId>
    <artifactId>vaadin</artifactId>
</dependency>
<dependency>
    <groupId>com.vaadin</groupId>
    <artifactId>vaadin-spring-boot-starter</artifactId>
</dependency>
The WebSecurityConfigurerAdapter is installed correctly, because standard spring-security shows the GitHub Auth link mentioned above on the root page "/". For the root page, no unknown-route error is shown either.
I also tried the example from https://vaadin.com/learn/tutorials/securing-your-app-with-spring-security/setting-up-spring-security, which works for the regular login page but again blocks access to the oauth2 link.
Do I need to implement a filter that dispatches this request, or can an exclusion be configured somewhere?
Edit: here is the WebSecurityConfigurerAdapter
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Class name assumed; the LOGIN_* constants, CustomRequestCache and SecurityUtils are
// defined elsewhere in the asker's project (they follow the Vaadin tutorial) and are not shown.
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                // Register our CustomRequestCache, that saves unauthorized access attempts, so
                // the user is redirected after login.
                .requestCache().requestCache(new CustomRequestCache())
                // Restrict access to our application.
                .and().authorizeRequests()
                // Allow all flow internal requests.
                .requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()
                // Allow all requests by logged in users.
                .anyRequest().authenticated()
                // Configure the login page.
                .and().oauth2Login()
                .and().formLogin().loginPage(LOGIN_URL).permitAll().loginProcessingUrl(LOGIN_PROCESSING_URL)
                .failureUrl(LOGIN_FAILURE_URL)
                // Configure logout
                .and().logout().logoutSuccessUrl(LOGOUT_SUCCESS_URL);
    }

    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers(
                // Vaadin Flow static resources
                "/VAADIN/**",
                // the standard favicon URI
                "/favicon.ico",
                // the robots exclusion standard
                "/robots.txt",
                // web application manifest
                "/manifest.webmanifest",
                "/sw.js",
                "/offline-page.html",
                // icons and images
                "/icons/**",
                "/images/**",
                // (development mode) static resources
                "/frontend/**",
                // (development mode) webjars
                "/webjars/**",
                // (development mode) H2 debugging console
                "/h2-console/**",
                // (production mode) static resources
                "/frontend-es5/**", "/frontend-es6/**",
                // oauth2
                "/user/**",
                "/oauth2/**"
        );
    }
}
After looking at the tutorial from @anasmi's comment, it turned out that the WebSecurity configuration containing the oauth antMatcher was wrong in the first place.
The effect now observable is that the spring security oauth2 filter forwards to /login, which does not show the page configured as a Vaadin route but the default page with the GitHub authorization link.
In case it helps to understand what is going on, here is the debug log:
onTranslationFilter : Calling Authentication entry point.
uthenticationEntryPoint : Trying to match using AndRequestMatcher [requestMatchers=[NegatedRequestMatcher [requestMatcher=RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@5be8fdbf, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]]
her.AndRequestMatcher : Trying to match using NegatedRequestMatcher [requestMatcher=RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]]
.NegatedRequestMatcher : matches = true
her.AndRequestMatcher : Trying to match using MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@5be8fdbf, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]
TypeRequestMatcher : httpRequestMediaTypes=[text/html, application/xhtml+xml, image/webp, application/xml;q=0.9, */*;q=0.8]
TypeRequestMatcher : Processing text/html
TypeRequestMatcher : application/xhtml+xml .isCompatibleWith text/html = false
TypeRequestMatcher : image/* .isCompatibleWith text/html = false
TypeRequestMatcher : text/html .isCompatibleWith text/html = true
her.AndRequestMatcher : All requestMatchers returned true
uthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@20728225
RedirectStrategy : Redirecting to 'http://localhost:8080/login'
iters.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@169ed862
curityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
ontextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
.AntPathRequestMatcher : Checking match of request : '/login'; against '/VAADIN/**'
.AntPathRequestMatcher : Checking match of request : '/login'; against '/favicon.ico'
.AntPathRequestMatcher : Checking match of request : '/login'; against '/robots.txt'
.AntPathRequestMatcher : Checking match of request : '/login'; against '/manifest.webmanifest'
.AntPathRequestMatcher : Checking match of request : '/login'; against '/sw.js'
.AntPathRequestMatcher : Checking match of request : '/login'; against '/offline-page.html'
.AntPathRequestMatcher : Checking match of request : '/login'; against '/icons/**'
.AntPathRequestMatcher : Checking match of request : '/login'; against '/images/**'
.AntPathRequestMatcher : Checking match of request : '/login'; against '/frontend/**'
.AntPathRequestMatcher : Checking match of request : '/login'; against '/webjars/**'
.AntPathRequestMatcher : Checking match of request : '/login'; against '/h2-console/**'
.AntPathRequestMatcher : Checking match of request : '/login'; against '/frontend-es5/**'
.AntPathRequestMatcher : Checking match of request : '/login'; against '/frontend-es6/**'
FilterChainProxy : /login at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
FilterChainProxy : /login at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
curityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
curityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@2fe150b5. A new one will be created.
FilterChainProxy : /login at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
FilterChainProxy : /login at position 4 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
.AntPathRequestMatcher : Checking match of request : '/login'; against '/logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
.AntPathRequestMatcher : Request 'GET /login' doesn't match 'POST /logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
.AntPathRequestMatcher : Request 'GET /login' doesn't match 'PUT /logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
.AntPathRequestMatcher : Request 'GET /login' doesn't match 'DELETE /logout'
tcher.OrRequestMatcher : No matches found
FilterChainProxy : /login at position 5 of 15 in additional filter chain; firing Filter: 'OAuth2AuthorizationRequestRedirectFilter'
.AntPathRequestMatcher : Checking match of request : '/login'; against '/oauth2/authorization/{registrationId}'
FilterChainProxy : /login at position 6 of 15 in additional filter chain; firing Filter: 'OAuth2LoginAuthenticationFilter'
.AntPathRequestMatcher : Checking match of request : '/login'; against '/login/oauth2/code/*'
FilterChainProxy : /login at position 7 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
.AntPathRequestMatcher : Request 'GET /login' doesn't match 'POST /login'
FilterChainProxy : /login at position 8 of 15 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
iters.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@169ed862
curityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
ontextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/VAADIN/**'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/favicon.ico'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/robots.txt'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/manifest.webmanifest'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/sw.js'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/offline-page.html'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/icons/**'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/images/**'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/frontend/**'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/webjars/**'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/h2-console/**'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/frontend-es5/**'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/frontend-es6/**'
FilterChainProxy : /oauth2/authorization/github at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
FilterChainProxy : /oauth2/authorization/github at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
curityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
curityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@2fe150b5. A new one will be created.
FilterChainProxy : /oauth2/authorization/github at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
FilterChainProxy : /oauth2/authorization/github at position 4 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
.AntPathRequestMatcher : Request 'GET /oauth2/authorization/github' doesn't match 'POST /logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
.AntPathRequestMatcher : Request 'GET /oauth2/authorization/github' doesn't match 'PUT /logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
.AntPathRequestMatcher : Request 'GET /oauth2/authorization/github' doesn't match 'DELETE /logout'
tcher.OrRequestMatcher : No matches found
FilterChainProxy : /oauth2/authorization/github at position 5 of 15 in additional filter chain; firing Filter: 'OAuth2AuthorizationRequestRedirectFilter'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/oauth2/authorization/{registrationId}'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/oauth2/authorization/{registrationId}'
RedirectStrategy : Redirecting to 'https://github.com/login/oauth/authorize?response_type=code&client_id=3a39e84cc95590698a1b&scope=read:user&state=yaVXu6gS7Zcwud2oT_SWsbkj-DbxxxqF46lQ%3D&redirect_uri=http://localhost:8080/login/oauth2/code/github'
iters.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@169ed862
curityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
ontextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/VAADIN/**'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/favicon.ico'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/robots.txt'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/manifest.webmanifest'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/sw.js'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/offline-page.html'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/icons/**'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/images/**'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/frontend/**'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/webjars/**'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/h2-console/**'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/frontend-es5/**'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/frontend-es6/**'
FilterChainProxy : /login/oauth2/code/github?code=c8b1870a2477fef6f032&state=yaVXu6gS7Zcwud2oT_SWsbkj-DbxxxqF46lQ%3D at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
FilterChainProxy : /login/oauth2/code/github?code=c8b1870a2477fef6f032&state=yaVXu6gS7Zcwud2oT_SWsbkj-DbxxxqF46lQ%3D at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
curityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
curityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@2fe150b5. A new one will be created.
FilterChainProxy : /login/oauth2/code/github?code=c8b1870a2477fef6f032&state=yaVXu6gS7Zcwud2oT_SWsbkj-DbxxxqF46lQ%3D at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
FilterChainProxy : /login/oauth2/code/github?code=c8b1870a2477fef6f032&state=yaVXu6gS7Zcwud2oT_SWsbkj-DbxxxqF46lQ%3D at position 4 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
.AntPathRequestMatcher : Request 'GET /login/oauth2/code/github' doesn't match 'POST /logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
.AntPathRequestMatcher : Request 'GET /login/oauth2/code/github' doesn't match 'PUT /logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
.AntPathRequestMatcher : Request 'GET /login/oauth2/code/github' doesn't match 'DELETE /logout'
tcher.OrRequestMatcher : No matches found
FilterChainProxy : /login/oauth2/code/github?code=c8b1870a2477fef6f032&state=yaVXu6gS7Zcwud2oT_SWsbkj-DbxxxqF46lQ%3D at position 5 of 15 in additional filter chain; firing Filter: 'OAuth2AuthorizationRequestRedirectFilter'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/oauth2/authorization/{registrationId}'
FilterChainProxy : /login/oauth2/code/github?code=c8b1870a2477fef6f032&state=yaVXu6gS7Zcwud2oT_SWsbkj-DbxxxqF46lQ%3D at position 6 of 15 in additional filter chain; firing Filter: 'OAuth2LoginAuthenticationFilter'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/login/oauth2/code/*'
ginAuthenticationFilter : Request is to process authentication
ion.ProviderManager : Authentication attempt using org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider
stTemplate : HTTP POST https://github.com/login/oauth/access_token
stTemplate : Accept=[application/json, application/*+json]
stTemplate : Writing [{grant_type=[authorization_code], code=[c8b1870a2477fef6f032], redirect_uri=[http://localhost:8080/login/oauth2/code/github]}] as "application/x-www-form-urlencoded;charset=UTF-8"
stTemplate : Response 200 OK
stTemplate : Reading to [org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse] as "application/json;charset=utf-8"
stTemplate : HTTP GET https://api.github.com/user
stTemplate : Accept=[application/json, application/*+json]
stTemplate : Response 200 OK
stTemplate : Reading to [java.util.Map<java.lang.String, java.lang.Object>]
nAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@10bebcb4
ginAuthenticationFilter : Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken@19bf8c7c
nticationSuccessHandler : Redirecting to DefaultSavedRequest Url: http://localhost:8080/
RedirectStrategy : Redirecting to 'http://localhost:8080/'
iters.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@169ed862
curityContextRepository : SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@19bf8c7c'
ontextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
.AntPathRequestMatcher : Checking match of request : '/'; against '/VAADIN/**'
.AntPathRequestMatcher : Checking match of request : '/'; against '/favicon.ico'
.AntPathRequestMatcher : Checking match of request : '/'; against '/robots.txt'
.AntPathRequestMatcher : Checking match of request : '/'; against '/manifest.webmanifest'
.AntPathRequestMatcher : Checking match of request : '/'; against '/sw.js'
.AntPathRequestMatcher : Checking match of request : '/'; against '/offline-page.html'
.AntPathRequestMatcher : Checking match of request : '/'; against '/icons/**'
.AntPathRequestMatcher : Checking match of request : '/'; against '/images/**'
.AntPathRequestMatcher : Checking match of request : '/'; against '/frontend/**'
.AntPathRequestMatcher : Checking match of request : '/'; against '/webjars/**'
.AntPathRequestMatcher : Checking match of request : '/'; against '/h2-console/**'
.AntPathRequestMatcher : Checking match of request : '/'; against '/frontend-es5/**'
.AntPathRequestMatcher : Checking match of request : '/'; against '/frontend-es6/**'
FilterChainProxy : / at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
FilterChainProxy : / at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
curityContextRepository : Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@19bf8c7c'
FilterChainProxy : / at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
FilterChainProxy : / at position 4 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
.AntPathRequestMatcher : Checking match of request : '/'; against '/logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
.AntPathRequestMatcher : Request 'GET /' doesn't match 'POST /logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
.AntPathRequestMatcher : Request 'GET /' doesn't match 'PUT /logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
.AntPathRequestMatcher : Request 'GET /' doesn't match 'DELETE /logout'
tcher.OrRequestMatcher : No matches found
FilterChainProxy : / at position 5 of 15 in additional filter chain; firing Filter: 'OAuth2AuthorizationRequestRedirectFilter'
.AntPathRequestMatcher : Checking match of request : '/'; against '/oauth2/authorization/{registrationId}'
FilterChainProxy : / at position 6 of 15 in additional filter chain; firing Filter: 'OAuth2LoginAuthenticationFilter'
.AntPathRequestMatcher : Checking match of request : '/'; against '/login/oauth2/code/*'
FilterChainProxy : / at position 7 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
.AntPathRequestMatcher : Request 'GET /' doesn't match 'POST /login'
FilterChainProxy : / at position 8 of 15 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
FilterChainProxy : / at position 9 of 15 in additional filter chain; firing Filter: 'DefaultLogoutPageGeneratingFilter'
.AntPathRequestMatcher : Checking match of request : '/'; against '/logout'
FilterChainProxy : / at position 10 of 15 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
SavedRequest : pathInfo: both null (property equals)
SavedRequest : queryString: both null (property equals)
SavedRequest : requestURI: arg1=/; arg2=/ (property equals)
SavedRequest : serverPort: arg1=8080; arg2=8080 (property equals)
SavedRequest : requestURL: arg1=http://localhost:8080/; arg2=http://localhost:8080/ (property equals)
SavedRequest : scheme: arg1=http; arg2=http (property equals)
SavedRequest : serverName: arg1=localhost; arg2=localhost (property equals)
SavedRequest : contextPath: arg1=; arg2= (property equals)
SavedRequest : servletPath: arg1=/; arg2=/ (property equals)
FilterChainProxy : / at position 11 of 15 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
FilterChainProxy : / at position 12 of 15 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
FilterChainProxy : / at position 13 of 15 in additional filter chain; firing Filter: 'SessionManagementFilter'
FilterChainProxy : / at position 14 of 15 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
FilterChainProxy : / at position 15 of 15 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
rSecurityInterceptor : Secure object: FilterInvocation: URL: /; Attributes: [authenticated]
.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@201c9f26, returned: 1
rSecurityInterceptor : Authorization successful
rSecurityInterceptor : RunAsManager did not change Authentication object
FilterChainProxy : / reached end of additional filter chain; proceeding with original chain
ispatcherServlet : GET "/", parameters={}
impleUrlHandlerMapping : Mapped to org.springframework.web.servlet.mvc.ServletForwardingController@46beee3b
iters.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@169ed862
ispatcherServlet : Completed 200 OK
onTranslationFilter : Chain processed normally
ontextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
.AntPathRequestMatcher : Checking match of request : '/VAADIN/build/webcomponentsjs/webcomponents-loader.js'; against '/VAADIN/**'
FilterChainProxy : /VAADIN/build/webcomponentsjs/webcomponents-loader.js has an empty filter list
ispatcherServlet : GET "/VAADIN/build/webcomponentsjs/webcomponents-loader.js", parameters={}
impleUrlHandlerMapping : Mapped to org.springframework.web.servlet.mvc.ServletForwardingController@46beee3b
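The asker's edit says the `web.ignoring()` entry for `/oauth2/**` was the mistake. The distinction that matters is that `web.ignoring()` removes a path from the Spring Security filter chain altogether, so `OAuth2AuthorizationRequestRedirectFilter` never sees `/oauth2/authorization/github` and the request is handed on to the Vaadin servlet, which has no such route; `permitAll()` inside `authorizeRequests()` keeps the filters in place and only skips the authorization vote. The configuration below is an added example, not the asker's code, the Vaadin tutorial's or Spring's: it assumes the `SecurityUtils` and `CustomRequestCache` classes from the Vaadin tutorial referenced above, uses `/login` as an assumed value for the login route, and shows the corrected placement next to a comment on the weak one.

```java
// Added example (not the asker's code): the OAuth2 paths are kept inside the filter chain
// with permitAll() instead of being dropped from it with web.ignoring().
// Assumes SecurityUtils and CustomRequestCache from the Vaadin Spring Security tutorial.
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class OAuth2SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Route of the application's own Vaadin login view (assumed value).
    private static final String LOGIN_URL = "/login";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            // Remember the originally requested URL so the user lands there after login.
            .requestCache().requestCache(new CustomRequestCache())
            .and().authorizeRequests()
                // Vaadin Flow internal requests (UIDL, heartbeat, push) must always pass.
                .requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()
                // Weak variant: web.ignoring().antMatchers("/oauth2/**") in configure(WebSecurity).
                // That removes the path from the security filter chain, so the OAuth2 redirect
                // filter never runs and the request reaches the Vaadin router instead.
                // permitAll() leaves the filters in place and only waives the authorization check.
                .antMatchers("/oauth2/authorization/**", "/login/oauth2/code/**").permitAll()
                .anyRequest().authenticated()
            // Point OAuth2 login at the application's own login view. Without loginPage() here,
            // Spring Security generates its own /login page listing the provider links.
            .and().oauth2Login().loginPage(LOGIN_URL)
            .and().formLogin().loginPage(LOGIN_URL).permitAll()
            .and().logout().logoutSuccessUrl(LOGIN_URL);
    }

    @Override
    public void configure(WebSecurity web) {
        // Only static resources belong here: nothing listed is protected by any filter.
        web.ignoring().antMatchers(
            "/VAADIN/**", "/favicon.ico", "/robots.txt", "/manifest.webmanifest",
            "/sw.js", "/offline-page.html", "/icons/**", "/images/**",
            "/frontend/**", "/webjars/**", "/frontend-es5/**", "/frontend-es6/**");
    }
}
```

A quick way to confirm which of the two you have is the debug log itself: a path under `web.ignoring()` shows up as "has an empty filter list" (as `/VAADIN/build/...` does above), whereas a `permitAll()` path still walks all 15 filters and reaches `OAuth2AuthorizationRequestRedirectFilter`.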
You might have been bitten by the Vaadin tutorial: if you used its sample code in your application, it has basically removed your antMatchers and http configuration properties from the overall equation.
The problem is in the class ConfigureUIServiceInitListener.java:
private void beforeEnter(BeforeEnterEvent event) {
    if (!LoginView.class.equals(event.getNavigationTarget())
            && !SecurityUtils.isUserLoggedIn()) {
        event.rerouteTo(LoginView.class);
    }
}
I ran into a similar problem while trying to get a registration page to work. All unauthorized requests were being redirected to the login URL. If you followed their advice and used it to secure the Vaadin login class, you will not be able to change this unless you do something like the following in that method of the class:
private void beforeEnter(BeforeEnterEvent event) {
    // The additional RegisterView check is the exception added for the registration page.
    if (!LoginView.class.equals(event.getNavigationTarget())
            && !RegisterView.class.equals(event.getNavigationTarget())
            && !SecurityUtils.isUserLoggedIn()) {
        event.rerouteTo(LoginView.class);
    }
}
Obviously our use cases are slightly different. But this is where you have to create your exceptions, otherwise the beforeEnter method will only let authenticated requests through to the internal framework events. Anything other than the LoginView will be redirected to /login. All your attempts to allow your URL to be reached by not-yet-authenticated users through spring security will be in vain!
In a sense this is quite annoying, because you have to configure http security and then make sure that any new exception has also been added in this method.
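The answer's fix grows one `&&` clause per public view, and each new clause must be mirrored in the `permitAll()` rules of the security configuration. The listener below is an added example, not the answerer's code or the Vaadin tutorial's: it keeps the public views in a single allow-list so that the exception list the answer describes lives in one place, and it wires the check into every UI through `VaadinServiceInitListener`. `LoginView`, `RegisterView` and `SecurityUtils.isUserLoggedIn()` are assumed to exist as in the tutorial.

```java
// Added example (not the answerer's code): beforeEnter check driven by an allow-list of
// public views instead of hard-coded equals() tests. Assumes LoginView, RegisterView and
// SecurityUtils.isUserLoggedIn() from the Vaadin Spring Security tutorial.
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinServiceInitListener;
import org.springframework.stereotype.Component;

@Component
public class ConfigureUIServiceInitListener implements VaadinServiceInitListener {

    // Views anonymous users may open. Every other navigation target is rerouted to the
    // login view, so this set is the one place where a new public view is registered.
    private static final Set<Class<?>> PUBLIC_VIEWS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(LoginView.class, RegisterView.class)));

    @Override
    public void serviceInit(ServiceInitEvent event) {
        // Attach the check to every UI the service creates, as the tutorial's listener does.
        event.getSource().addUIInitListener(
                uiEvent -> uiEvent.getUI().addBeforeEnterListener(this::beforeEnter));
    }

    private void beforeEnter(BeforeEnterEvent event) {
        if (isPublic(event.getNavigationTarget()) || SecurityUtils.isUserLoggedIn()) {
            return; // public view or authenticated user: let the navigation proceed
        }
        event.rerouteTo(LoginView.class);
    }

    // Kept free of Vaadin session state so it can be unit-tested in isolation.
    static boolean isPublic(Class<?> navigationTarget) {
        return PUBLIC_VIEWS.contains(navigationTarget);
    }
}
```

This listener governs Vaadin route navigation only; the HTTP-level decision is still made by the `permitAll()` rules in `HttpSecurity`, so, as the answer notes, a view added to `PUBLIC_VIEWS` needs its path allowed there as well. Keeping both lists short and reviewing them together is the practical way to avoid one side quietly exposing what the other blocks.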
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/frontend/**'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/webjars/**'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/h2-console/**'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/frontend-es5/**'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/frontend-es6/**'
FilterChainProxy : /oauth2/authorization/github at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
FilterChainProxy : /oauth2/authorization/github at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
curityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
curityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@2fe150b5. A new one will be created.
FilterChainProxy : /oauth2/authorization/github at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
FilterChainProxy : /oauth2/authorization/github at position 4 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
.AntPathRequestMatcher : Request 'GET /oauth2/authorization/github' doesn't match 'POST /logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
.AntPathRequestMatcher : Request 'GET /oauth2/authorization/github' doesn't match 'PUT /logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
.AntPathRequestMatcher : Request 'GET /oauth2/authorization/github' doesn't match 'DELETE /logout'
tcher.OrRequestMatcher : No matches found
FilterChainProxy : /oauth2/authorization/github at position 5 of 15 in additional filter chain; firing Filter: 'OAuth2AuthorizationRequestRedirectFilter'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/oauth2/authorization/{registrationId}'
.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/github'; against '/oauth2/authorization/{registrationId}'
RedirectStrategy : Redirecting to 'https://github.com/login/oauth/authorize?response_type=code&client_id=3a39e84cc95590698a1b&scope=read:user&state=yaVXu6gS7Zcwud2oT_SWsbkj-DbxxxqF46lQ%3D&redirect_uri=http://localhost:8080/login/oauth2/code/github'
iters.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@169ed862
curityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
ontextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/VAADIN/**'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/favicon.ico'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/robots.txt'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/manifest.webmanifest'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/sw.js'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/offline-page.html'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/icons/**'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/images/**'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/frontend/**'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/webjars/**'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/h2-console/**'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/frontend-es5/**'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/frontend-es6/**'
FilterChainProxy : /login/oauth2/code/github?code=c8b1870a2477fef6f032&state=yaVXu6gS7Zcwud2oT_SWsbkj-DbxxxqF46lQ%3D at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
FilterChainProxy : /login/oauth2/code/github?code=c8b1870a2477fef6f032&state=yaVXu6gS7Zcwud2oT_SWsbkj-DbxxxqF46lQ%3D at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
curityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
curityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@2fe150b5. A new one will be created.
FilterChainProxy : /login/oauth2/code/github?code=c8b1870a2477fef6f032&state=yaVXu6gS7Zcwud2oT_SWsbkj-DbxxxqF46lQ%3D at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
FilterChainProxy : /login/oauth2/code/github?code=c8b1870a2477fef6f032&state=yaVXu6gS7Zcwud2oT_SWsbkj-DbxxxqF46lQ%3D at position 4 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
.AntPathRequestMatcher : Request 'GET /login/oauth2/code/github' doesn't match 'POST /logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
.AntPathRequestMatcher : Request 'GET /login/oauth2/code/github' doesn't match 'PUT /logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
.AntPathRequestMatcher : Request 'GET /login/oauth2/code/github' doesn't match 'DELETE /logout'
tcher.OrRequestMatcher : No matches found
FilterChainProxy : /login/oauth2/code/github?code=c8b1870a2477fef6f032&state=yaVXu6gS7Zcwud2oT_SWsbkj-DbxxxqF46lQ%3D at position 5 of 15 in additional filter chain; firing Filter: 'OAuth2AuthorizationRequestRedirectFilter'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/oauth2/authorization/{registrationId}'
FilterChainProxy : /login/oauth2/code/github?code=c8b1870a2477fef6f032&state=yaVXu6gS7Zcwud2oT_SWsbkj-DbxxxqF46lQ%3D at position 6 of 15 in additional filter chain; firing Filter: 'OAuth2LoginAuthenticationFilter'
.AntPathRequestMatcher : Checking match of request : '/login/oauth2/code/github'; against '/login/oauth2/code/*'
ginAuthenticationFilter : Request is to process authentication
ion.ProviderManager : Authentication attempt using org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider
stTemplate : HTTP POST https://github.com/login/oauth/access_token
stTemplate : Accept=[application/json, application/*+json]
stTemplate : Writing [{grant_type=[authorization_code], code=[c8b1870a2477fef6f032], redirect_uri=[http://localhost:8080/login/oauth2/code/github]}] as "application/x-www-form-urlencoded;charset=UTF-8"
stTemplate : Response 200 OK
stTemplate : Reading to [org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse] as "application/json;charset=utf-8"
stTemplate : HTTP GET https://api.github.com/user
stTemplate : Accept=[application/json, application/*+json]
stTemplate : Response 200 OK
stTemplate : Reading to [java.util.Map<java.lang.String, java.lang.Object>]
nAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@10bebcb4
ginAuthenticationFilter : Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken@19bf8c7c
nticationSuccessHandler : Redirecting to DefaultSavedRequest Url: http://localhost:8080/
RedirectStrategy : Redirecting to 'http://localhost:8080/'
iters.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@169ed862
curityContextRepository : SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@19bf8c7c'
ontextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
.AntPathRequestMatcher : Checking match of request : '/'; against '/VAADIN/**'
.AntPathRequestMatcher : Checking match of request : '/'; against '/favicon.ico'
.AntPathRequestMatcher : Checking match of request : '/'; against '/robots.txt'
.AntPathRequestMatcher : Checking match of request : '/'; against '/manifest.webmanifest'
.AntPathRequestMatcher : Checking match of request : '/'; against '/sw.js'
.AntPathRequestMatcher : Checking match of request : '/'; against '/offline-page.html'
.AntPathRequestMatcher : Checking match of request : '/'; against '/icons/**'
.AntPathRequestMatcher : Checking match of request : '/'; against '/images/**'
.AntPathRequestMatcher : Checking match of request : '/'; against '/frontend/**'
.AntPathRequestMatcher : Checking match of request : '/'; against '/webjars/**'
.AntPathRequestMatcher : Checking match of request : '/'; against '/h2-console/**'
.AntPathRequestMatcher : Checking match of request : '/'; against '/frontend-es5/**'
.AntPathRequestMatcher : Checking match of request : '/'; against '/frontend-es6/**'
FilterChainProxy : / at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
FilterChainProxy : / at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
curityContextRepository : Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@19bf8c7c'
FilterChainProxy : / at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
FilterChainProxy : / at position 4 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
.AntPathRequestMatcher : Checking match of request : '/'; against '/logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
.AntPathRequestMatcher : Request 'GET /' doesn't match 'POST /logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
.AntPathRequestMatcher : Request 'GET /' doesn't match 'PUT /logout'
tcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
.AntPathRequestMatcher : Request 'GET /' doesn't match 'DELETE /logout'
tcher.OrRequestMatcher : No matches found
FilterChainProxy : / at position 5 of 15 in additional filter chain; firing Filter: 'OAuth2AuthorizationRequestRedirectFilter'
.AntPathRequestMatcher : Checking match of request : '/'; against '/oauth2/authorization/{registrationId}'
FilterChainProxy : / at position 6 of 15 in additional filter chain; firing Filter: 'OAuth2LoginAuthenticationFilter'
.AntPathRequestMatcher : Checking match of request : '/'; against '/login/oauth2/code/*'
FilterChainProxy : / at position 7 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
.AntPathRequestMatcher : Request 'GET /' doesn't match 'POST /login'
FilterChainProxy : / at position 8 of 15 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
FilterChainProxy : / at position 9 of 15 in additional filter chain; firing Filter: 'DefaultLogoutPageGeneratingFilter'
.AntPathRequestMatcher : Checking match of request : '/'; against '/logout'
FilterChainProxy : / at position 10 of 15 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
SavedRequest : pathInfo: both null (property equals)
SavedRequest : queryString: both null (property equals)
SavedRequest : requestURI: arg1=/; arg2=/ (property equals)
SavedRequest : serverPort: arg1=8080; arg2=8080 (property equals)
SavedRequest : requestURL: arg1=http://localhost:8080/; arg2=http://localhost:8080/ (property equals)
SavedRequest : scheme: arg1=http; arg2=http (property equals)
SavedRequest : serverName: arg1=localhost; arg2=localhost (property equals)
SavedRequest : contextPath: arg1=; arg2= (property equals)
SavedRequest : servletPath: arg1=/; arg2=/ (property equals)
FilterChainProxy : / at position 11 of 15 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
FilterChainProxy : / at position 12 of 15 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
FilterChainProxy : / at position 13 of 15 in additional filter chain; firing Filter: 'SessionManagementFilter'
FilterChainProxy : / at position 14 of 15 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
FilterChainProxy : / at position 15 of 15 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
rSecurityInterceptor : Secure object: FilterInvocation: URL: /; Attributes: [authenticated]
.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@201c9f26, returned: 1
rSecurityInterceptor : Authorization successful
rSecurityInterceptor : RunAsManager did not change Authentication object
FilterChainProxy : / reached end of additional filter chain; proceeding with original chain
ispatcherServlet : GET "/", parameters={}
impleUrlHandlerMapping : Mapped to org.springframework.web.servlet.mvc.ServletForwardingController@46beee3b
iters.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@169ed862
ispatcherServlet : Completed 200 OK
onTranslationFilter : Chain processed normally
ontextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
.AntPathRequestMatcher : Checking match of request : '/VAADIN/build/webcomponentsjs/webcomponents-loader.js'; against '/VAADIN/**'
FilterChainProxy : /VAADIN/build/webcomponentsjs/webcomponents-loader.js has an empty filter list
ispatcherServlet : GET "/VAADIN/build/webcomponentsjs/webcomponents-loader.js", parameters={}
impleUrlHandlerMapping : Mapped to org.springframework.web.servlet.mvc.ServletForwardingController@46beee3b
You may have been bitten by the Vaadin tutorial: if you use its sample code in your application, it essentially takes your antMatchers and http configuration properties out of the overall equation.
The problem is in the class ConfigureUIServiceInitListener.java
private void beforeEnter(BeforeEnterEvent event) {
if (!LoginView.class.equals(event.getNavigationTarget()) //
&& !SecurityUtils.isUserLoggedIn()) { //
event.rerouteTo(LoginView.class); //
}
}
I ran into a similar problem when trying to get a registration page working. All unauthorized requests were being redirected to the login url. If you took their advice and used it to secure Vaadin login, you won't be able to change this unless you do something like the following in that class's method:
private void beforeEnter(BeforeEnterEvent event) {
if (!LoginView.class.equals(event.getNavigationTarget()) && !RegisterView.class.equals(event.getNavigationTarget())//
&& !SecurityUtils.isUserLoggedIn()) { //
event.rerouteTo(LoginView.class); //
}
}
Obviously our use cases differ slightly. But this is where you have to create the exception, otherwise the beforeEnter method will only let authenticated requests reach the framework-internal events. Anything other than LoginView will be redirected to /login. All your attempts to let your url be reached by not-yet-authenticated users through spring security will be in vain!
In a sense this is quite annoying, because you have to configure http security and then make sure you have also added any new exception in this method.
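The listener described in this answer, as an added example that is neither the tutorial's nor the answerer's code: it keeps every view an anonymous user may open in one explicit allow-list, so each exception to "reroute to LoginView" lives in a single place instead of a growing chain of `&&` clauses. It assumes `LoginView` and `RegisterView` are `@Route` views of the application, uses a placeholder package name, and stands in its own `isUserLoggedIn()` for the tutorial's `SecurityUtils.isUserLoggedIn()`.

```java
// Added example, not the tutorial's or the answer's own code.
// Assumptions: LoginView and RegisterView are @Route views in this app;
// the package name is a placeholder.
package com.example.security;

import com.vaadin.flow.component.UI;
import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinServiceInitListener;
import com.vaadin.flow.spring.annotation.SpringComponent;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

@SpringComponent
public class ConfigureUIServiceInitListener implements VaadinServiceInitListener {

    /** Navigation targets an unauthenticated user may open. Everything else reroutes to LoginView. */
    private static final Set<Class<?>> PUBLIC_VIEWS = Collections.unmodifiableSet(
            new HashSet<Class<?>>(Arrays.asList(LoginView.class, RegisterView.class)));

    @Override
    public void serviceInit(ServiceInitEvent event) {
        // Register the gate on every UI that gets created for this service.
        event.getSource().addUIInitListener(uiEvent -> {
            final UI ui = uiEvent.getUI();
            ui.addBeforeEnterListener(this::beforeEnter);
        });
    }

    private void beforeEnter(BeforeEnterEvent event) {
        // Decide on the resolved target class rather than the URL string: route aliases
        // and parameters all resolve to the same class, so the allow-list cannot be
        // bypassed by an alternative spelling of the path.
        Class<?> target = event.getNavigationTarget();
        if (!PUBLIC_VIEWS.contains(target) && !isUserLoggedIn()) {
            event.rerouteTo(LoginView.class);
        }
    }

    /** Stand-in for the tutorial's SecurityUtils.isUserLoggedIn(): a real, non-anonymous authentication. */
    static boolean isUserLoggedIn() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null
                && !(auth instanceof AnonymousAuthenticationToken)
                && auth.isAuthenticated();
    }
}
```

Adding a view to `PUBLIC_VIEWS` is the only change needed to open it to anonymous users; the `HttpSecurity` rules in `WebSecurityConfigurerAdapter` still govern the servlet-level URLs that never reach the Vaadin router.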