spring-projects / spring-boot

Spring Boot
https://spring.io/projects/spring-boot
Apache License 2.0

How can anonymous do a post when configured with Spring Security #15303

Closed chunzhenzyd closed 5 years ago

chunzhenzyd commented 5 years ago

This is my configuration:

@Configuration
@EnableWebSecurity
public class MyWebSecurityConfigurer extends WebSecurityConfigurerAdapter {

    private static final Logger logger = LoggerFactory.getLogger(MyWebSecurityConfigurer.class);

    @Autowired
    private MySecurityInterceptor mySecurityInterceptor;

    @Autowired
    private MyAuthenticationSuccessHandler myAuthenticationSuccessHandler;
    @Autowired
    private MyAuthenticationFailureHandler myAuthenticationFailureHandler;

    @Bean
    UserDetailsService customUserService() { // register the UserDetailsService bean
        logger.trace("customUserService()");
        return new MyUserDetailsService();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        logger.trace("configure(AuthenticationManagerBuilder)");
        // UserDetailsService authentication
        auth.userDetailsService(customUserService()).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        logger.trace("configure(HttpSecurity)");
        http
            .csrf()
                .csrfTokenRepository(new HttpSessionCsrfTokenRepository())
//              .csrfTokenRepository(new CookieCsrfTokenRepository())
//              .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .ignoringAntMatchers("/login")
            .and()
            .addFilterBefore(mySecurityInterceptor, FilterSecurityInterceptor.class)
            .authorizeRequests()
                .anyRequest().authenticated()
            .and()
            .formLogin()
                .loginPage("/login")
                .successHandler(myAuthenticationSuccessHandler).failureHandler(myAuthenticationFailureHandler)
                .permitAll()
            .and()
            .logout()
                .permitAll();
    }

    /** Set the rules for requests that are not intercepted */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/actuator/**", "/css/**", "terminal/stb/**");
        web.ignoring().antMatchers(HttpMethod.GET);
    }

}

But when I do a POST to http://localhost:8080/terminal/stb/test, a 302 code is returned.

snicoll commented 5 years ago

Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add some more details if you feel this is a genuine bug.