Spring Security no longer redirects to the login page after upgrading from Spring Boot 1.5 to 2, Spring Security 4 to 5

I have an OAuth2 application where the oauth2 endpoints are secured by Spring Security, so some pages are protected by a form-based login.

Previously, if I hit one of these URLs, I was correctly redirected to the login page.

I just upgraded from Spring Boot 1.5.16 to Spring Boot 2.0.6, which through the dependencies upgraded Spring Security from 4.2.8 to 5.0.9.

Now if I hit a URL while I am not logged in, I just get a page like this:

    <oauth>
      <error_description>
        Full authentication is required to access this resource
      </error_description>
      <error>unauthorized</error>
    </oauth>

What's more, if I try to hit the login page I am not authorized for it either. Does anyone know what is causing this? The filter order, perhaps?

This is what my security configuration looks like:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.env.Environment;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        private final AuthenticationManager authenticationManager;

        private final Environment environment;

        @Autowired
        public SecurityConfig(AuthenticationManager authenticationManager, Environment environment) {
            this.authenticationManager = authenticationManager;
            this.environment = environment;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                    .headers().frameOptions().disable().and()
                    // form login for browser users; the login page itself is open to everyone
                    .formLogin().loginPage("/login").permitAll()
                    .and()
                    // this chain only handles these four paths; other requests fall through to the other chains
                    .requestMatchers().antMatchers("/login", "/logout", "/oauth/authorize", "/oauth/confirm_access")
                    .and()
                    .authorizeRequests().anyRequest().authenticated();
        }
    }

and these are the filter chains that get created:

2018-10-19 15:22:10.865  INFO 19012 --- [  restartedMain] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/oauth/token'], Ant [pattern='/oauth/token_key'], Ant [pattern='/oauth/check_token']]], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@737f44b6, org.springframework.security.web.context.SecurityContextPersistenceFilter@61f7a8e9, org.springframework.security.web.header.HeaderWriterFilter@139be706, org.springframework.security.web.authentication.logout.LogoutFilter@60b40eca, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@7467a12, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@4fd13263, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1d003890, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@6e762f08, org.springframework.security.web.session.SessionManagementFilter@13f07542, org.springframework.security.web.access.ExceptionTranslationFilter@2e2ecd3a, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@65db717c]
2018-10-19 15:22:10.880  INFO 19012 --- [  restartedMain] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration$NotOAuthRequestMatcher@4432df93, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@c48f5fc, org.springframework.security.web.context.SecurityContextPersistenceFilter@731455ec, org.springframework.security.web.header.HeaderWriterFilter@67e583c6, org.springframework.security.web.authentication.logout.LogoutFilter@7bc67409, org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter@4c112545, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@16762cc2, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@5dc67679, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@5473e34c, org.springframework.security.web.session.SessionManagementFilter@4e9d0777, org.springframework.security.web.access.ExceptionTranslationFilter@750210bc, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@d7ab665]
2018-10-19 15:22:10.895  INFO 19012 --- [  restartedMain] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/login'], Ant [pattern='/logout'], Ant [pattern='/oauth/authorize'], Ant [pattern='/oauth/confirm_access']]], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@22671580, org.springframework.security.web.context.SecurityContextPersistenceFilter@412e0841, org.springframework.security.web.header.HeaderWriterFilter@60f6611f, org.springframework.security.web.authentication.logout.LogoutFilter@24ec00c6, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@1531681a, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@242e419a, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@77833299, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@2ea3b229, org.springframework.security.web.session.SessionManagementFilter@38fd683f, org.springframework.security.web.access.ExceptionTranslationFilter@7e4364ca, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@63dad600]

PaulNUK    19.10.2018

Have you read the migration guides? Spring Boot: github.com/spring-projects/spring-boot/wiki/ and Spring Security: github.com/spring-projects/spring-boot/wiki/   -  Randy Casburn    19.10.2018

Yes, nothing stands out.   -  PaulNUK    19.10.2018

I would review github.com/spring-projects/spring-boot/wiki/ Basically, any security you were relying on Boot for is no longer available in 2.x.   -  Rob Winch    19.10.2018

It turned out to be the filter order.   -  PaulNUK    30.01.2019

@PaulNUK Hi. Sorry, but I cannot find a solution to the problem mentioned above. Could you explain it, as I am facing the same issue? Thanks in advance.   -  Vibhav Chaddha    26.04.2019
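As an added illustration of the "filter order" resolution (this is not code from the question or the answer): the startup log above registers the resource server chain (NotOAuthRequestMatcher) before the form-login chain, so a request to /login is answered by OAuth2AuthenticationProcessingFilter with the XML error instead of a redirect. Giving the form-login adapter an explicit @Order below the resource server's lets its scoped chain win for those four paths; the class name and the order value 1 are assumptions, chosen on the assumption that the authorization server chain is at order 0 and Spring Security OAuth's ResourceServerConfiguration defaults to order 3.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical name. Order 1 is an assumption: it sits after the authorization server
// chain (/oauth/token etc., order 0) and before the resource server chain (order 3),
// which is otherwise selected first and rejects /login with the <oauth> error body.
@Configuration
@Order(1)
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Keep this chain narrowly scoped: only the browser-facing endpoints. API calls
            // carrying bearer tokens never match it and still reach the resource server chain.
            .requestMatchers()
                .antMatchers("/login", "/logout", "/oauth/authorize", "/oauth/confirm_access")
                .and()
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
                .and()
            // Unauthenticated requests to the matched paths now get a redirect to /login,
            // which is what the question reports as working before the upgrade.
            .formLogin()
                .loginPage("/login").permitAll()
                .and()
            // CSRF is left enabled here, unlike the question's config; the consent page
            // POST to /oauth/confirm_access is exactly the kind of request it protects.
            .headers().frameOptions().disable();
    }
}
```

A quick check after the change is to look at the "Creating filter chain" log lines again: the chain with UsernamePasswordAuthenticationFilter should now be listed before the one with OAuth2AuthenticationProcessingFilter.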


Answers (1)


This works for me

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable();
            http.authorizeRequests()
                    // anything under /db... requires a full (not remember-me) login
                    .antMatchers("/db*/**").fullyAuthenticated()
                    // the REST endpoints stay open
                    .antMatchers("/rest/**").permitAll()
                    .and().formLogin()  // login configuration
                    .loginPage("/index.jsf?faces-redirect=true");
        }
    }

and in the URL you have to enter localhost:8080/db/ and it will automatically be redirected to your index page

Aneesh Mathai    30.01.2019