How to solve Spring Security, basic authentication and anonymous
I have a really strange problem with Spring Security and basic authentication. I basically want to protect the swagger UI with basic authentication. Everything works (without authentication) until I introduce the following into the spring configuration:
<http pattern="/swagger*/**" xmlns="http://www.springframework.org/schema/security"
      authentication-manager-ref="basicAuthenticationManager">
    <http-basic />
    <intercept-url pattern="/swagger*/**" access="isAuthenticated()" />
</http>
This leads to a 404 because of a permission denied, and the log says:
DEBUG [HTTP38] [ExceptionTranslationFilter] Chain processed normally
DEBUG [HTTP22] [AntPathRequestMatcher] Checking match of request : '/swagger-ui.html'; against '/swagger*/**'
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [HTTP22] [HttpSessionSecurityContextRepository] No HttpSession currently exists
DEBUG [HTTP22] [HttpSessionSecurityContextRepository] No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 2 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 4 of 11 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG [HTTP22] [HttpSessionRequestCache] saved request doesn't match
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG [HTTP22] [AnonymousAuthenticationFilter] Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@4f862d10: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG [HTTP22] [FilterChainProxy] /swagger-ui.html at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG [HTTP22] [AntPathRequestMatcher] Checking match of request : '/swagger-ui.html'; against '/swagger*/**'
DEBUG [HTTP22] [FilterSecurityInterceptor] Secure object: FilterInvocation: URL: /swagger-ui.html; Attributes: [isAuthenticated()]
DEBUG [HTTP22] [FilterSecurityInterceptor] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@4f862d10: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
DEBUG [HTTP22] [AffirmativeBased] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@10de9715,returned: -1
DEBUG [HTTP22] [ExceptionTranslationFilter] Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) [spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
So it seems the AnonymousAuthFilter sets an anonymous authentication, which is not allowed because of access="isAuthenticated()".
<http pattern="/swagger*/**" xmlns="http://www.springframework.org/schema/security"
      authentication-manager-ref="basicAuthenticationManager">
    <http-basic />
    <intercept-url pattern="/swagger*/**" access="isAuthenticated()" />
    <anonymous enabled="false" />
</http>
It complains about a missing auth object (An Authentication object was not found in the SecurityContext):
DEBUG [HTTP15] [ExceptionTranslationFilter] Chain processed normally
DEBUG [HTTP25] [AntPathRequestMatcher] Checking match of request : '/swagger-ui.html'; against '/swagger*/**'
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [HTTP25] [HttpSessionSecurityContextRepository] No HttpSession currently exists
DEBUG [HTTP25] [HttpSessionSecurityContextRepository] No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 2 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 4 of 10 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 5 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 6 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG [HTTP25] [HttpSessionRequestCache] saved request doesn't match
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 7 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG [HTTP25] [FilterChainProxy] /swagger-ui.html at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG [HTTP25] [AntPathRequestMatcher] Checking match of request : '/swagger-ui.html'; against '/swagger*/**'
DEBUG [HTTP25] [FilterSecurityInterceptor] Secure object: FilterInvocation: URL: /swagger-ui.html; Attributes: [isAuthenticated()]
DEBUG [HTTP25] [ExceptionTranslationFilter] Authentication exception occurred; redirecting to authentication entry point
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:379) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:223) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
....
I would like to point out:
- This is a large enterprise application with a lot of things around it. However, the web context is very narrowly scoped and I really removed almost everything else.
- This used to work. What I changed is the mapping in web.xml. Previously /v2/* was mapped to springmvc-servlet, now it is /*.
Any ideas? To me this looks right, and it also looks fine in the log - it just never asks for basic authentication.
Any input is welcome.
Thanks and BR
Dario