Spring Security blocks H2 console despite permitting "/h2-console/**" in configuration

Question


Spring Security blocks the h2 console, even though I have set permission for /h2-console/** in the configuration

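import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class Config {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.authorizeHttpRequests((requests) ->
                requests
                        .requestMatchers("/", "/h2-console/**").permitAll()
                        .anyRequest().authenticated()
        );
        http.headers().frameOptions().disable();
        return http.build();
    }
}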

I have already read related answers on SO but they didn't work for me.

The link to the project is here

debug logs

2023-04-13T17:02:45.447+02:00  INFO 28567 --- [           main] com.example.demo.DemoApplication         : Starting DemoApplication using Java 17.0.4.1 with PID 28567 (/Users/haohanyang/Developer/demo/build/classes/java/main started by haohanyang in /Users/haohanyang/Developer/demo)
2023-04-13T17:02:45.450+02:00  INFO 28567 --- [           main] com.example.demo.DemoApplication         : No active profile set, falling back to 1 default profile: "default"
2023-04-13T17:02:45.903+02:00  INFO 28567 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data JPA repositories in DEFAULT mode.
2023-04-13T17:02:45.920+02:00  INFO 28567 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 9 ms. Found 0 JPA repository interfaces.
2023-04-13T17:02:46.322+02:00  INFO 28567 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 8080 (http)
2023-04-13T17:02:46.329+02:00  INFO 28567 --- [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
2023-04-13T17:02:46.329+02:00  INFO 28567 --- [           main] o.apache.catalina.core.StandardEngine    : Starting Servlet engine: [Apache Tomcat/10.1.7]
2023-04-13T17:02:46.391+02:00  INFO 28567 --- [           main] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext
2023-04-13T17:02:46.392+02:00  INFO 28567 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 897 ms
2023-04-13T17:02:46.416+02:00  INFO 28567 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Starting...
2023-04-13T17:02:46.566+02:00  INFO 28567 --- [           main] com.zaxxer.hikari.pool.HikariPool        : HikariPool-1 - Added connection conn0: url=jdbc:h2:mem:testdb user=SA
2023-04-13T17:02:46.567+02:00  INFO 28567 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Start completed.
2023-04-13T17:02:46.579+02:00  INFO 28567 --- [           main] o.s.b.a.h2.H2ConsoleAutoConfiguration    : H2 console available at '/h2-console'. Database available at 'jdbc:h2:mem:testdb'
2023-04-13T17:02:46.679+02:00  INFO 28567 --- [           main] o.hibernate.jpa.internal.util.LogHelper  : HHH000204: Processing PersistenceUnitInfo [name: default]
2023-04-13T17:02:46.712+02:00  INFO 28567 --- [           main] org.hibernate.Version                    : HHH000412: Hibernate ORM core version 6.1.7.Final
2023-04-13T17:02:46.944+02:00  INFO 28567 --- [           main] SQL dialect                              : HHH000400: Using dialect: org.hibernate.dialect.H2Dialect
2023-04-13T17:02:47.152+02:00  INFO 28567 --- [           main] o.h.e.t.j.p.i.JtaPlatformInitiator       : HHH000490: Using JtaPlatform implementation: [org.hibernate.engine.transaction.jta.platform.internal.NoJtaPlatform]
2023-04-13T17:02:47.161+02:00  INFO 28567 --- [           main] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default'
2023-04-13T17:02:47.184+02:00  WARN 28567 --- [           main] JpaBaseConfiguration$JpaWebConfiguration : spring.jpa.open-in-view is enabled by default. Therefore, database queries may be performed during view rendering. Explicitly configure spring.jpa.open-in-view to disable this warning
2023-04-13T17:02:47.207+02:00  WARN 28567 --- [           main] .s.s.UserDetailsServiceAutoConfiguration : 

Using generated security password: b0b3b2e8-29f6-4e45-9a25-4224980accd1

This generated password is for development use only. Your security configuration must be updated before running your application in production.

2023-04-13T17:02:47.396+02:00  INFO 28567 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Will secure any request with [org.springframework.security.web.session.DisableEncodeUrlFilter@14239223, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@68df8c6, org.springframework.security.web.context.SecurityContextHolderFilter@1fc3df43, org.springframework.security.web.header.HeaderWriterFilter@552bee2f, org.springframework.security.web.authentication.logout.LogoutFilter@1dfcf85a, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@5e7cd0df, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@3de45b6c, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@7c206b14, org.springframework.security.web.access.ExceptionTranslationFilter@6cc56b32, org.springframework.security.web.access.intercept.AuthorizationFilter@7dddfc35]
2023-04-13T17:02:47.589+02:00  INFO 28567 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8080 (http) with context path ''
2023-04-13T17:02:47.597+02:00  INFO 28567 --- [           main] com.example.demo.DemoApplication         : Started DemoApplication in 2.434 seconds (process running for 2.835)
2023-04-13T17:02:50.531+02:00 DEBUG 28567 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /h2-console
2023-04-13T17:02:50.546+02:00 DEBUG 28567 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2023-04-13T17:02:50.565+02:00 DEBUG 28567 --- [nio-8080-exec-1] o.s.s.w.s.HttpSessionRequestCache        : Saved request http://localhost:8080/h2-console?continue to session
2023-04-13T17:02:50.565+02:00 DEBUG 28567 --- [nio-8080-exec-1] o.s.s.w.a.Http403ForbiddenEntryPoint     : Pre-authenticated entry point called. Rejecting access
2023-04-13T17:02:50.569+02:00  INFO 28567 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring DispatcherServlet 'dispatcherServlet'
2023-04-13T17:02:50.569+02:00  INFO 28567 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'
2023-04-13T17:02:50.571+02:00  INFO 28567 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 1 ms
2023-04-13T17:02:50.572+02:00 DEBUG 28567 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /error
2023-04-13T17:02:50.578+02:00 DEBUG 28567 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2023-04-13T17:02:50.579+02:00 DEBUG 28567 --- [nio-8080-exec-1] o.s.s.w.s.HttpSessionRequestCache        : Saved request http://localhost:8080/error?continue to session
2023-04-13T17:02:50.579+02:00 DEBUG 28567 --- [nio-8080-exec-1] o.s.s.w.a.Http403ForbiddenEntryPoint     : Pre-authenticated entry point called. Rejecting access

Answer 1

Score: 0


I managed to solve it by changing

http.authorizeHttpRequests((requests) ->
                    requests
                            .requestMatchers("/", "/h2-console/**").permitAll()
                            .anyRequest().authenticated()
                );

to

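import org.springframework.boot.autoconfigure.security.servlet.PathRequest;

// PathRequest.toH2Console() returns a RequestMatcher for the configured H2 console path
http.authorizeHttpRequests((requests) ->
        requests
                .requestMatchers(PathRequest.toH2Console()).permitAll()
                .anyRequest().authenticated()
);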

Reference: https://github.com/spring-projects/spring-security/issues/12310#issuecomment-1328990026 and https://github.com/spring-projects/spring-security/issues/12546
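
Added example (not part of the original question or answer, and not code from the Spring projects): the configuration in the question disables CSRF protection and X-Frame-Options for the whole application just to make the console usable. The sketch below confines those relaxations to a separate filter chain that only matches the H2 console. It assumes Spring Security 6.x with the H2 console enabled; the class name and the "dev" profile name are hypothetical.

```java
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class ScopedH2ConsoleSecurityConfig { // hypothetical class name

    // Chain 1: handles only requests for the H2 console, and exists only
    // when the "dev" profile (assumed name) is active.
    @Bean
    @Order(1)
    @Profile("dev")
    public SecurityFilterChain h2ConsoleChain(HttpSecurity http) throws Exception {
        http.securityMatcher(PathRequest.toH2Console());
        http.authorizeHttpRequests(requests -> requests.anyRequest().permitAll());
        // The console submits forms without a CSRF token and renders in frames,
        // so both protections are relaxed here rather than application-wide.
        http.csrf(csrf -> csrf.disable());
        http.headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()));
        return http.build();
    }

    // Chain 2: every other request keeps CSRF protection and the default
    // X-Frame-Options: DENY header.
    @Bean
    @Order(2)
    public SecurityFilterChain applicationChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(requests -> requests
                // Explicit Ant matcher: a plain String pattern is treated as a
                // Spring MVC pattern when Spring MVC is on the classpath.
                .requestMatchers(AntPathRequestMatcher.antMatcher("/")).permitAll()
                .anyRequest().authenticated());
        return http.build();
    }
}
```

Without the "dev" profile the first chain is never registered, so console requests fall through to the second chain and require authentication like any other path.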

huangapple
  • Published on April 13, 2023 at 16:45:20
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76003433.html