3

我正在尝试将 Vaadin 与 spring boot 一起使用,并且我也在使用 spring-security。这是我在WebSecurityConfigurerAdapter课堂上所做的配置。

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
                http
                .csrf().disable()
                .authorizeRequests()
                .antMatchers("/VAADIN/**", "/PUSH/**", "/UIDL/**", "/login", "/login/**", "/error/**", "/accessDenied/**", "/vaadinServlet/**","/myui/**","/test/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin().permitAll().defaultSuccessUrl("/myui", true).and()
                .sessionManagement().sessionAuthenticationStrategy(sessionControlAuthenticationStrategy());
    }

这是我的登录视图。

@Route("login")
@Theme(value = Lumo.class, variant = Lumo.DARK)

public class LoginForm extends Div {

    public LoginForm(){
        init();
    }

    public void init(){
        FormLayout nameLayout = new FormLayout();

        TextField username = new TextField();
        username.setLabel("UserName");
        username.setPlaceholder("username");

        PasswordField passwordField = new PasswordField();
        passwordField.setLabel("password");
        passwordField.setPlaceholder("*****");

        Button loginButton = new Button("login");

        loginButton.addClickListener(event -> {
        });

        nameLayout.add(username,passwordField);

        add(nameLayout);
    }
}

我遇到的问题是,当用户被重定向到时,我总是看到一个空页面,/login但在检查 Html 页面后,我可以看到有 vaadin 元素,但它们没有出现在浏览器中。

4

2 回答 2

2

这是我的工作配置:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .csrf().disable() // CSRF handled by Vaadin
            .exceptionHandling()
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
                .accessDeniedPage("/accessDenied")
            .and()
            .authorizeRequests()
                // allow Vaadin URLs without authentication
                .regexMatchers("/frontend/.*", "/VAADIN/.*", "/login.*", "/accessDenied.*").permitAll()
                .regexMatchers(HttpMethod.POST, "/\\?v-r=.*").permitAll()
                // deny other URLs until authenticated
                .antMatchers("/**").fullyAuthenticated();
}

所有请求都被重定向到登录视图,直到通过身份验证。到目前为止我还没有尝试@Push过,因此可能需要始终允许使用其他 URL。

使用 Firefox 开发者工具,您可以在控制台中检查 XHR 调用。如果任何 XHR 调用因 403 或其他原因而失败,您可能需要调整您的安全配置。

于 2018-07-27T08:58:09.630 回答
1
package com.example.test.spring.security;

import com.vaadin.flow.server.ServletHelper;
import com.vaadin.flow.shared.ApplicationConstants;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

import javax.servlet.http.HttpServletRequest;
import java.util.stream.Stream;


@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests()
                .antMatchers("/VAADIN/**", "/HEARTBEAT/**", "/UIDL/**", "/resources/**"
                        , "/login", "/login**", "/login/**", "/manifest.json", "/icons/**", "/images/**",
                        // (development mode) static resources
                        "/frontend/**",
                        // (development mode) webjars
                        "/webjars/**",
                        // (development mode) H2 debugging console
                        "/h2-console/**",
                        // (production mode) static resources
                        "/frontend-es5/**", "/frontend-es6/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginPage("/login")
                .permitAll()
                .successForwardUrl("/something")
                .and()
                .logout()
                .permitAll();
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        UserDetails user =
                User.withDefaultPasswordEncoder()
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();

        return new InMemoryUserDetailsManager(user);
    }


    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(
                // Vaadin Flow static resources
                "/VAADIN/**",

                // the standard favicon URI
                "/favicon.ico",

                // web application manifest
                "/manifest.json",

                // icons and images
                "/icons/**",
                "/images/**",

                // (development mode) static resources
                "/frontend/**",

                // (development mode) webjars
                "/webjars/**",

                // (development mode) H2 debugging console
                "/h2-console/**",

                // (production mode) static resources
                "/frontend-es5/**", "/frontend-es6/**");
    }


    static boolean isFrameworkInternalRequest(HttpServletRequest request) {
        final String parameterValue = request.getParameter(ApplicationConstants.REQUEST_TYPE_PARAMETER);
        return parameterValue != null
                && Stream.of(ServletHelper.RequestType.values()).anyMatch(r -> r.getIdentifier().equals(parameterValue));
    }

}

将网络配置更改为此后,我能够解决问题

于 2018-08-01T15:54:46.123 回答