Question:

Spring Boot/Web wrongly allows listing user credentials

郎飞航
2023-03-14

I have a sample Spring Boot application with Web/Rest/H2/Hibernate/DevTools, and I'm trying to get everything working so I can play with OAuth 2. Before getting into the complicated stuff, I created users and authorities tables in an in-memory H2 DB and built the entity Java files (Users.java and Authorities.java) and their CrudRepository files, to make sure I can programmatically add users and play with the security context. However, I noticed that when I go to my "/", Spring lets me list all the information in the "users" table by clicking on that link, which I don't want. What setting in my current application setup is causing this?

I know that if I enable Spring Security I can manage this access by URL or by method, but for now, what is making this happen? Many thanks.

Here is my application.properties

spring.profiles.active=@activatedProperties@
server.port=8090
#server.error.path=/error

server.error.whitelabel.enabled=true

# stop devtools stop=true
spring.devtools.add-properties=false

#---------- LOGGING stuff
#-- Empty this property to disable console logging
#logging.pattern.console=
#-- log file
#logging.file.name=/var/log/SprionBootEvents.log

# in production we comment DEBUG  out
#logging.level.= DEBUG
logging.level.org.springframework=INFO
logging.level.org.springframework.security=DEBUG
logging.level.com.com.accuratepath.SpringSecuritySample.=DEBUG
#logging.level.org.hibernate.SQL=DEBUG

# needs the logging.level. prefix, otherwise the line is an unused property
logging.level.org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping=TRACE

# use file based instead of in memory
#spring.datasource.url=jdbc:h2:file:/home/admin1/h2db/events
spring.datasource.url=jdbc:h2:mem:securitysample
spring.datasource.driverClassName=org.h2.Driver
spring.datasource.username=sa
spring.datasource.password=
spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
spring.jpa.hibernate.ddl-auto=create-drop

#-- H2 database has an embedded GUI console for browsing the contents of a 
#-- database and running SQL queries. By default, the H2 console is not enabled in Spring.
#-- To enable it, we need to add the following property to application.properties:
spring.h2.console.enabled=true
spring.h2.console.path=/h2-console
spring.h2.console.settings.trace=false
spring.h2.console.settings.web-allow-others=false

#-- By default, the data.sql script executes before Hibernate initialization. 
#-- This aligns the script-based initialization with other database migration 
#-- tools such as Flyway and Liquibase. As we're recreating the schema generated 
#-- by Hibernate each time, we need to set an additional property:
spring.jpa.defer-datasource-initialization=true

#-- only validate the database at startup do not delete or create
#spring.jpa.hibernate.ddl-auto=validate
#spring.jpa.show-sql=true
#spring.jpa.properties.hibernate.format_sql=true

spring.mvc.view.prefix=/WEB-INF/jsp/
spring.mvc.view.suffix=.jsp

# Enable sitewide cache
# one hour
#spring.resources.cache.cachecontrol.max-age=3600
# 30 days
spring.resources.cache.cachecontrol.max-age=2592000

Below is the SQL I use

CREATE TABLE IF NOT EXISTS users (
  id bigint generated by default as identity(start with 0) primary key,
  firstname varchar(64) not null,
  lastname varchar(64) not null,
  -- unique so that authorities.username can reference it as a foreign key
  username varchar(255) not null unique,
  password varchar(255) not null,
  enabled boolean not null,

  created datetime NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'time this record was created this will be used for message aging',
  updated timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  who VARCHAR(100) DEFAULT 'script',
  comments VARCHAR(2048)
);

create table authorities (
  id bigint generated by default as identity(start with 0) primary key,
  username varchar(255) not null,
  authority varchar_ignorecase(255) not null,
  constraint fk_authorities_users foreign key(username) references users(username),

  created datetime NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'time this record was created this will be used for message aging',
  updated timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  who VARCHAR(100) DEFAULT 'script',
  comments VARCHAR(2048)
);

create unique index ix_auth_username on authorities (username,authority);

Here is my pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.5.6</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.accuratepath</groupId>
    <artifactId>SpringSecuritySample</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>SpringSecuritySample</name>
    <description>This project will demo all spring security possibilities</description>
    <properties>
        <java.version>11</java.version>
    </properties>
    <dependencies>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-rest</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.session</groupId>
            <artifactId>spring-session-core</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-jdbc</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
            <scope>runtime</scope>
        </dependency>
        
        <!-- https://mvnrepository.com/artifact/org.hibernate/hibernate-core -->
        <dependency>
            <groupId>org.hibernate</groupId>
            <artifactId>hibernate-core</artifactId>
        </dependency>
        
        <!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core -->
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-core</artifactId>
        </dependency>
        
        <!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-xml -->
        <dependency>
            <groupId>com.fasterxml.jackson.dataformat</groupId>
            <artifactId>jackson-dataformat-xml</artifactId>
        </dependency>

    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>
 

1 answer

弓华茂
2023-03-14

As M. Deinum said, because I have "spring-boot-starter-data-rest" in my pom.xml above, this is the default behaviour, so I stopped it in SecurityConfig.java with the statement below. This is a huge security issue. I'll report it to the Spring people.

http.authorizeRequests().antMatchers("/users", "/users/", "/groups", "/groups/", "/profile", "/profile/").denyAll();
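Denying the URLs only hides the endpoint that Spring Data REST generated; the repository is still exported and the entity still serialises its password column. The added example below (not the poster's code) closes the hole at the source instead: it assumes the package from the pom, an entity named Users and a repository named UsersRepository, and a password column that holds a hash.

```java
// Added example (not the poster's code): stop Spring Data REST from exporting the
// users repository at all, and keep the password hash out of any JSON view.
// Assumed names: package com.accuratepath.SpringSecuritySample (from the pom),
// entity Users and repository UsersRepository (the poster's Users.java / CrudRepository).
package com.accuratepath.SpringSecuritySample;

import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Table;

import com.fasterxml.jackson.annotation.JsonIgnore;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;

@Entity
@Table(name = "users")
public class Users {
    @Id
    private Long id;
    private String username;

    // @JsonIgnore on the field removes the property from JSON output (and input),
    // so even an endpoint that does export this entity never shows the hash.
    @JsonIgnore
    private String password;

    private boolean enabled;

    public Long getId() { return id; }
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    // Setter kept for programmatic use only (e.g. storing a hash at startup).
    public void setPassword(String password) { this.password = password; }
    public boolean isEnabled() { return enabled; }
    public void setEnabled(boolean enabled) { this.enabled = enabled; }
}

// exported = false removes /users from the Data REST resource mapping entirely:
// the repository stays usable from application code but gets no HTTP endpoint.
// The same effect for every repository, without touching each interface, is the
// real Boot property spring.data.rest.detection-strategy=annotated, after which
// only repositories explicitly marked @RepositoryRestResource are exported.
@RepositoryRestResource(exported = false)
interface UsersRepository extends CrudRepository<Users, Long> {
}
```

With either change in place, GET /users returns 404 instead of a listing, and the denyAll() rule above becomes defence in depth rather than the only barrier.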