带WebSocket的Spring安全-禁止403
我在Spring实现了WebSocket。一切正常,但最近我决定实施SpringSecurity。
我的MessageBroker看起来像:
@Configuration
@EnableWebSocketMessageBroker
@Component("messageBroker")
public class MessageBroker implements WebSocketMessageBrokerConfigurer {
@Override
public void registerStompEndpoints(StompEndpointRegistry stompEndpointRegistry) {
stompEndpointRegistry.addEndpoint("/graphs").withSockJS();
}
@Override
public void configureMessageBroker(MessageBrokerRegistry messageBrokerRegistry) {
}
@Override
public void configureClientInboundChannel(ChannelRegistration channelRegistration) {
}
@Override
public void configureClientOutboundChannel(ChannelRegistration channelRegistration) {
}
@Override
public boolean configureMessageConverters(List<MessageConverter> messageConverters) {
messageConverters.add(new MappingJackson2MessageConverter());
return false;
}
}
我的JS客户看起来像这样:
var socket = new SockJS('/server/graphs');
var client = Stomp.over(socket);
client.connect({}, function (frame) {
client.subscribe("/data", function (message) {
console.log('GET MESSAGE :' + message.body);
var test = JSON.parse(message.body);
var point = [ (new Date()).getTime(), parseInt(25) ];
var shift = randomData.data.length > 60;
randomData.addPoint(point, true, shift);
});
});
Spring Security配置:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<security:http auto-config='true' use-expressions="true" disable-url-rewriting="true">
<security:intercept-url pattern="/login/**" access="isAnonymous()"/>
<security:intercept-url pattern="/index/**" access="isAuthenticated()" />
<security:intercept-url pattern="/volumegraph/**" access="isAuthenticated()" />
<security:intercept-url pattern="/graphs/**" access="permitAll()" />
<security:intercept-url pattern="/graphs/**/**" access="permitAll()" />
<security:form-login login-page="/" login-processing-url="/" authentication-failure-url="/" always-use-default-target="true"/>
<security:csrf/>
<security:logout logout-success-url="/login"/>
<security:headers>
<security:frame-options></security:frame-options>
</security:headers>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="user" password="password" authorities="ROLE_USER"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
通过我的JS客户端订阅后,我收到:
Opening Web Socket...
sockjs.js:1213 WebSocket connection to 'ws://localhost:8080/server/graphs/651/kyzdihld/websocket' failed: Error during WebSocket handshake: Unexpected response code: 404
sockjs.js:807 POST http://localhost:8080/server/graphs/651/zx7zdre7/xhr_streaming 403 (Forbidden)AbstractXHRObject._start @ sockjs.js:807(anonymous function) @ sockjs.js:834
sockjs.js:807 POST http://localhost:8080/server/graphs/651/o6eg5ikc/xhr 403 (Forbidden)AbstractXHRObject._start @ sockjs.js:807(anonymous function) @ sockjs.js:834
stomp.js:122 Whoops! Lost connection to undefined
所以我决定在安全配置中添加此代码:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<security:websocket-message-broker>
<!--<security:intercept-message pattern="/graphs/**" access="permitAll()"/>-->
<security:intercept-message pattern="/**" access="permitAll()"/>
<security:intercept-message type="SUBSCRIBE" access="permitAll()"/>
<security:intercept-message type="CONNECT" access="permitAll()"/>
</security:websocket-message-broker>
</beans>
但在那之后我收到这种错误:
NoSuchBeanDefinitionException: No bean named 'springSecurityMessagePathMatcher' is defined
我不知道如何定义这样的bean,所以我创建了以下类:
@Configuration
public class WebSocketSecurityConfig extends AbstractSecurityWebSocketMessageBrokerConfigurer {
protected void configureInbound(MessageSecurityMetadataSourceRegistry messages) {
messages.simpDestMatchers("/graphs/*").permitAll();
messages.simpDestMatchers("/**").permitAll();
}
}
但在编译期间,我收到这种错误:
java: cannot access org.springframework.beans.factory.SmartInitializingSingleton
class file for org.springframework.beans.factory.SmartInitializingSingleton not found
我真的不知道如何解决这个问题:(我必须补充一点,我正在使用SpringCore4.0.1.RELEASE和SpringMessaging4.0.1.RELEASE。所有与SpringSecurity相关的lib都在4.0.1.RELEASE版本中。
共有1个答案
为了使其正常工作,您必须修改
<websocket:message-broker application-destination-prefix="/app" user-destination-prefix="/user" >
<websocket:stomp-endpoint path="/websocketEndPoint" >
<websocket:handshake-handler ref="astalavista" />
<websocket:simple-broker prefix="/topic , /queue" />
<websocket:client-inbound-channel >
<websocket:interceptors>
<!--This will reference your interceptor that you have defined in you security XML-->
<ref bean="interceptor"/>
</websocket:interceptors>
</websocket:client-inbound-channel>
</websocket:message-broker>
-
我有我的spring boot应用程序,我正在尝试添加Spring Security性,但当我通过postman发出请求时,我不断收到一个403 Forbbiden,联机时我发现我应该在我的配置中添加:“.csrf().disable()”,但它不起作用(如果我在permitAll()中放置路径为:“person/**”的方法,则所有操作都有效) 这是我的代码: 我的用户控制器: My perso
-
我正在尝试使用Spring security保护我的网站,但我一直收到
-
我想暂时禁用整个应用程序的Spring Security性,但我总是被403禁止 删除控制器中的@PreAuthorize注释不会给出任何结果。未使用此注释标记的endpoint也会丢弃我 403 禁止 我不需要基本身份验证 我不需要身份验证 我的Spring Security配置:(/,/api/**,/**,**不工作,我总是得到403禁止) 我的一个控制者:
-
我有一个以前使用 Spring Boot 1 运行测试的应用程序,并且已更新到 2.0.9.RELEASE。 Spring Security现在有问题。我知道情况是这样的,因为如果我删除 测试仍然成功。测试基本上是去一个项目控制器'Home计数器',然后从那里去一个服务,并使用一个雷斯特模板来执行各种操作。实际上,这是一个不同的应用程序,如果我从头开始编写它,我可能会做一个wiremck,但现在这
-
我已经将我的一个api配置为受保护,当我试图访问它时,它给我一个拒绝访问的错误消息,我不知道是什么原因。请注意,我正在传递有效的访问令牌。 我的场景:基本上我已经在授权服务器中创建了logout rest api,我希望允许带有有效令牌的请求访问这个api。 请求: 回应: 我发现下面的方法返回false,因此它引发了访问拒绝错误。 下面是我通过框架调试捕获的屏幕截图。还请检查评论中提到的图像。
-
当我使用security.basic.enabled=false在具有以下依赖项的Spring Boot项目上禁用安全性时: 为了修复此异常,我必须添加属性-management.security.enabled=false。我的理解是,当执行器在类路径中时,应该将security.basic.enabled=false和management.security.enabled=false设置为禁用