I have an application that exposes "api" services and "web" pages. So, I configured both httpbasic and formlogin, per Spring's documentation (and various other SO posts):
- http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#multiple-httpsecurity
- Spring Security HTTP Basic for RESTFul and FormLogin (Cookies) for web - Annotations
Following is my custom web security configurer code:
    @EnableWebSecurity
    public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {

        private final Logger log = LoggerFactory.getLogger(this.getClass());

        @Autowired
        private MyAuthenticationProvider myAuthenticationProvider;

        @Autowired
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(myAuthenticationProvider);
        }

        @Configuration
        @Order(1)
        public static class BasicAuthentication extends WebSecurityConfigurerAdapter {

            private final Logger log = LoggerFactory.getLogger(this.getClass());

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .csrf().disable()
                    .authorizeRequests()
                        .antMatchers("/myapp/api/**").authenticated()
                        .and() // Permit access for all to login REST service
                    .httpBasic()
                        .authenticationEntryPoint(new MyAuthenticationFailurePoint());
            }
        }

        @Configuration
        @Order(2)
        public static class FormAuthentication extends WebSecurityConfigurerAdapter {

            private final Logger log = LoggerFactory.getLogger(this.getClass());

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .authorizeRequests()
                        .antMatchers("/myapp/web/**").authenticated()
                        .and()
                    .formLogin()
                        .loginPage("/myapp/web/login")
                        .permitAll()
                        .and()
                    .logout()
                        .logoutUrl("/myapp/web/logout")
                        .permitAll();
            }
        }
    }
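With this code, when I hit (GET) "http://localhost:8083/myapp/api/getIds", the logic works as expected and my custom authentication provider is invoked. Please find the logs below for your reference.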
[DEBUG] 2016-12-21 04:36:08.878 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
[DEBUG] 2016-12-21 04:36:08.904 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[DEBUG] 2016-12-21 04:36:08.928 org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
[DEBUG] 2016-12-21 04:36:08.928 org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
[DEBUG] 2016-12-21 04:36:09.029 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
[DEBUG] 2016-12-21 04:36:09.030 org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@3b41e91a
[DEBUG] 2016-12-21 04:36:09.030 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
[DEBUG] 2016-12-21 04:36:09.030 org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/myapp/api/getids'; against '/logout'
[DEBUG] 2016-12-21 04:36:09.030 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
[DEBUG] 2016-12-21 04:36:09.089 org.springframework.security.web.authentication.www.BasicAuthenticationFilter - Basic Authentication Authorization header found for user 'testuser'
[DEBUG] 2016-12-21 04:36:09.166 org.springframework.security.authentication.ProviderManager - Authentication attempt using com.myapp.inf.authenticator.MyAuthenticationProvider
[TRACE] 2016-12-21 04:36:33.498 org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext - Publishing event in org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@13330ac6: org.springframework.security.authentication.event.AuthenticationSuccessEvent[source=org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fa787cf9: Principal: testuser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities]
[DEBUG] 2016-12-21 04:36:33.498 org.springframework.beans.factory.support.DefaultListableBeanFactory - Returning cached instance of singleton bean 'delegatingApplicationListener'
[DEBUG] 2016-12-21 04:36:33.499 org.springframework.security.web.authentication.www.BasicAuthenticationFilter - Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fa787cf9: Principal: testuser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities
[DEBUG] 2016-12-21 04:36:33.499 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[DEBUG] 2016-12-21 04:36:33.499 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[DEBUG] 2016-12-21 04:36:33.551 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[DEBUG] 2016-12-21 04:36:33.551 org.springframework.security.web.authentication.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fa787cf9: Principal: testuser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities'
[DEBUG] 2016-12-21 04:36:33.551 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
[DEBUG] 2016-12-21 04:36:33.551 org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@46bf4560
[DEBUG] 2016-12-21 04:36:33.583 org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession being created as SecurityContext is non-default
[DEBUG] 2016-12-21 04:36:33.835 org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@fa787cf9: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fa787cf9: Principal: testuser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities' stored to HttpSession: 'org.apache.catalina.session.StandardSessionFacade@2c175127
[DEBUG] 2016-12-21 04:36:33.835 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[DEBUG] 2016-12-21 04:36:33.835 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[DEBUG] 2016-12-21 04:36:33.860 org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/myapp/api/getids'; against '/myapp/api/**'
[DEBUG] 2016-12-21 04:36:33.860 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /myapp/api/getIds; Attributes: [authenticated]
[DEBUG] 2016-12-21 04:36:33.860 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fa787cf9: Principal: testuser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities
[DEBUG] 2016-12-21 04:36:34.082 org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@5169d120, returned: 1
[DEBUG] 2016-12-21 04:36:34.082 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Authorization successful
[DEBUG] 2016-12-21 04:36:34.082 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - RunAsManager did not change Authentication object
[DEBUG] 2016-12-21 04:36:34.083 org.springframework.security.web.FilterChainProxy - /myapp/api/getIds reached end of additional filter chain; proceeding with original chain
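Now, when I hit (from a browser) "http://localhost:8083/myapp/web/MainConsole", I am not prompted with the login page. Please find below the logs for this hit. They indicate that Spring Boot is using the "httpbasic" configuration for this hit.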
[DEBUG] 2016-12-21 04:41:30.179 [http-nio-8083-exec-3] org.springframework.boot.context.web.OrderedRequestContextFilter - Bound request context to thread: org.apache.catalina.connector.RequestFacade@26ff703a
[DEBUG] 2016-12-21 04:41:30.179 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
[DEBUG] 2016-12-21 04:41:30.179 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@3b41e91a
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/myapp/web/mainconsole'; against '/logout'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[DEBUG] 2016-12-21 04:41:30.187 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[DEBUG] 2016-12-21 04:41:30.188 [http-nio-8083-exec-3] org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
[DEBUG] 2016-12-21 04:41:30.188 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
[DEBUG] 2016-12-21 04:41:30.188 [http-nio-8083-exec-3] org.springframework.security.web.session.SessionManagementFilter - Requested session ID 2E28DB9D6699424055855E4F28D7AF9A is invalid.
[DEBUG] 2016-12-21 04:41:30.189 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[DEBUG] 2016-12-21 04:41:30.189 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[DEBUG] 2016-12-21 04:41:30.189 [http-nio-8083-exec-3] org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/myapp/web/mainconsole'; against '/myapp/api/**'
[DEBUG] 2016-12-21 04:41:30.189 [http-nio-8083-exec-3] org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Public object - authentication not attempted
[TRACE] 2016-12-21 04:41:30.189 [http-nio-8083-exec-3] org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext - Publishing event in org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@13330ac6: org.springframework.security.access.event.PublicInvocationEvent[source=FilterInvocation: URL: /myapp/web/MainConsole]
[DEBUG] 2016-12-21 04:41:30.189 [http-nio-8083-exec-3] org.springframework.beans.factory.support.DefaultListableBeanFactory - Returning cached instance of singleton bean 'delegatingApplicationListener'
[DEBUG] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole reached end of additional filter chain; proceeding with original chain
[TRACE] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.web.servlet.DispatcherServlet - Bound request context to thread: SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.context.HttpSessionSecurityContextRepository$Servlet3SaveToSessionRequestWrapper@1274a368]
[DEBUG] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.web.servlet.DispatcherServlet - DispatcherServlet with name 'dispatcherServlet' processing GET request for [/myapp/web/MainConsole]
[TRACE] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.web.servlet.DispatcherServlet - Testing handler map [org.springframework.web.servlet.handler.SimpleUrlHandlerMapping@219e6d9f] in DispatcherServlet with name 'dispatcherServlet'
[TRACE] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - No handler mapping found for [/myapp/web/MainConsole]
[TRACE] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.web.servlet.DispatcherServlet - Testing handler map [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping@5afb11fb] in DispatcherServlet with name 'dispatcherServlet'
[DEBUG] 2016-12-21 04:41:30.190 [http-nio-8083-exec-3] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Looking up handler method for path /myapp/web/MainConsole
[TRACE] 2016-12-21 04:41:30.191 [http-nio-8083-exec-3] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Found 1 matching mapping(s) for [/myapp/web/MainConsole] : [{[/myapp/web/MainConsole]}]
[DEBUG] 2016-12-21 04:41:30.191 [http-nio-8083-exec-3] org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Returning handler method [public java.lang.String com.myapp.core.controllers.web.MainConsole.showMainConsole()]
[DEBUG] 2016-12-21 04:41:30.191 [http-nio-8083-exec-3] org.springframework.beans.factory.support.DefaultListableBeanFactory - Returning cached instance of singleton bean 'mainConsole'
[TRACE] 2016-12-21 04:41:30.191 [http-nio-8083-exec-3] org.springframework.web.servlet.DispatcherServlet - Testing handler adapter [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter@718cb880]
[DEBUG] 2016-12-21 04:41:30.191 [http-nio-8083-exec-3] org.springframework.web.servlet.DispatcherServlet - Last-Modified value for [/myapp/web/MainConsole] is: -1
[TRACE] 2016-12-21 04:41:30.193 [http-nio-8083-exec-3] org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod - Invoking [MainConsole.showMainConsole] method with arguments []
[TRACE] 2016-12-21 04:41:30.194 [http-nio-8083-exec-3] org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod - Method [showMainConsole] returned [home]
[DEBUG] 2016-12-21 04:41:30.230 [http-nio-8083-exec-3] org.springframework.web.servlet.view.ContentNegotiatingViewResolver - Requested media types are [text/html, application/xhtml+xml, image/webp, application/xml;q=0.9, */*;q=0.8] based on Accept header types and producible media types [*/*])
[DEBUG] 2016-12-21 04:41:30.230 [http-nio-8083-exec-3] org.springframework.web.servlet.view.BeanNameViewResolver - No matching bean found for view name 'home'
Then I swapped the order of "httpbasic" and "formlogin" and re-executed "http://localhost:8083/myapp/web/MainConsole". Now the correct filter, UsernamePasswordAuthenticationFilter, is invoked. But the "api" hit does not work now.
[DEBUG] 2016-12-21 04:52:56.357 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
[DEBUG] 2016-12-21 04:52:56.383 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[DEBUG] 2016-12-21 04:52:56.409 org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
[DEBUG] 2016-12-21 04:52:56.410 org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
[DEBUG] 2016-12-21 04:52:56.514 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
[DEBUG] 2016-12-21 04:52:56.515 org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@32c4de26
[DEBUG] 2016-12-21 04:52:56.515 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
[DEBUG] 2016-12-21 04:52:56.567 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
[DEBUG] 2016-12-21 04:52:56.567 org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /myapp/web/mainconsole' doesn't match 'POST /myapp/logout
[DEBUG] 2016-12-21 04:52:56.567 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 6 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
[DEBUG] 2016-12-21 04:52:56.567 org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /myapp/web/mainconsole' doesn't match 'POST /myapp/login
[DEBUG] 2016-12-21 04:52:56.567 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[DEBUG] 2016-12-21 04:52:56.568 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[DEBUG] 2016-12-21 04:52:56.623 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[DEBUG] 2016-12-21 04:52:56.702 org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
[DEBUG] 2016-12-21 04:52:56.703 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
[DEBUG] 2016-12-21 04:52:56.703 org.springframework.security.web.session.SessionManagementFilter - Requested session ID 2E28DB9D6699424055855E4F28D7AF9A is invalid.
[DEBUG] 2016-12-21 04:52:56.703 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[DEBUG] 2016-12-21 04:52:56.703 org.springframework.security.web.FilterChainProxy - /myapp/web/MainConsole at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[DEBUG] 2016-12-21 04:52:56.728 org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /myapp/web/mainconsole' doesn't match 'POST /myapp/logout
[DEBUG] 2016-12-21 04:52:56.728 org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/myapp/web/mainconsole'; against '/myapp/web/**'
[DEBUG] 2016-12-21 04:52:56.729 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /myapp/web/MainConsole; Attributes: [authenticated]
[DEBUG] 2016-12-21 04:52:56.729 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
[DEBUG] 2016-12-21 04:52:56.930 org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@9d78e5c, returned: -1
[TRACE] 2016-12-21 04:52:56.931 org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext - Publishing event in org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@13330ac6: org.springframework.security.access.event.AuthorizationFailureEvent[source=FilterInvocation: URL: /myapp/web/MainConsole]
[DEBUG] 2016-12-21 04:52:56.931 org.springframework.beans.factory.support.DefaultListableBeanFactory - Returning cached instance of singleton bean 'delegatingApplicationListener'
[DEBUG] 2016-12-21 04:52:56.932 org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
Why does httpbasic always take precedence, irrespective of the URL pattern matched against formlogin?
1 Answer
Because you set the api order to 1, it always goes to the API filter chain. Change the api configuration to this. This will match the request path first.
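The configuration the answer refers to is not present on this page. As an added example (not the answerer's or the asker's code), this is the pattern from the Spring Security "multiple HttpSecurity" documentation linked in the question: `authorizeRequests().antMatchers(...)` only sets access rules inside a chain, while `http.antMatcher(...)` decides which requests the chain handles at all, and a chain without it matches every request. The class names `ScopedSecurityConfiguration`, `ApiChain` and `WebChain` are hypothetical, and the custom authentication provider and entry point from the question are assumed to be wired in as before.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class names; URL patterns are the ones used in the question.
@EnableWebSecurity
public class ScopedSecurityConfiguration {

    // Checked first, but only claims requests under /myapp/api/**.
    @Configuration
    @Order(1)
    public static class ApiChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Chain-level matcher: FilterChainProxy picks this chain
                // only when the request path matches this pattern.
                .antMatcher("/myapp/api/**")
                // CSRF stays disabled for the API chain only; the form-login
                // chain below keeps the default CSRF protection.
                .csrf().disable()
                .authorizeRequests()
                    // Everything this chain handles requires authentication.
                    .anyRequest().authenticated()
                    .and()
                // The asker's custom entry point can be set here with
                // .authenticationEntryPoint(...), as in the question.
                .httpBasic();
        }
    }

    // Checked second; claims the browser-facing pages, including the
    // login and logout URLs, which sit under /myapp/web/.
    @Configuration
    @Order(2)
    public static class WebChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/myapp/web/**")
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/myapp/web/login")
                    .permitAll()
                    .and()
                .logout()
                    .logoutUrl("/myapp/web/logout")
                    .permitAll();
        }
    }
}
```

With both chains scoped, the `FilterChainProxy` debug log for `/myapp/web/MainConsole` should list `UsernamePasswordAuthenticationFilter` and end in a redirect to the login page, while `/myapp/api/getIds` should still pass through `BasicAuthenticationFilter`.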