
我有一个示例 Spring Boot 应用程序，包含 Web / Rest / H2 / Hibernate / DevTools，目前正在把基础部分调通，之后再接入 OAuth 2。在进入复杂内容之前，我先在内存 H2 数据库中创建了 “users” 和 “authorities” 两张表，并编写了对应的实体类（Users.java 和 Authorities.java）及其 CrudRepository，以确保能够以编程方式添加用户并使用安全上下文。但我注意到，当我访问 “/” 时，Spring 允许我点击一个链接就列出 “users” 表中的全部数据，这不是我想要的。我当前的应用配置中是什么导致了这种情况？

我知道启用 Spring Security 之后可以按 URL 或按方法来控制这些访问，但我现在想弄清楚的是：到底是什么导致了这种暴露？非常感谢。


这是我的 application.properties

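spring.profiles.active=@activatedProperties@
server.port=8090
#server.error.path=/error

server.error.whitelabel.enabled=true

# DevTools: do not let it inject its development-time property overrides
# (those relax caching/templating defaults that should never leak into a deployed build).
spring.devtools.add-properties=false

#---------- LOGGING
#-- Empty this property to disable console logging
#logging.pattern.console=
#-- log file
#logging.file.name=/var/log/SpringBootEvents.log

# in production we comment DEBUG out
#logging.level.=DEBUG
logging.level.org.springframework=INFO
logging.level.org.springframework.security=DEBUG
# FIX: the logger name was "com.com.accuratepath.SpringSecuritySample." (doubled "com",
# trailing dot) and so never matched anything; pom.xml declares groupId com.accuratepath.
logging.level.com.accuratepath.SpringSecuritySample=DEBUG
#logging.level.org.hibernate.SQL=DEBUG

# FIX: this key was missing the "logging.level." prefix, making it an unrelated, ignored property.
# TRACE on the handler mapping prints every registered route at startup -- the quickest
# way to see exactly which endpoints Spring Data REST has exported.
logging.level.org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping=TRACE

#---------- DATASOURCE (H2)
# use file based instead of in memory
#spring.datasource.url=jdbc:h2:file:/home/admin1/h2db/events
spring.datasource.url=jdbc:h2:mem:securitysample
spring.datasource.driverClassName=org.h2.Driver
# NOTE(review): "sa" with an empty password is tolerable only for a throw-away in-memory
# database. For the file-based URL above (or any shared H2) set a real password and keep
# it out of version control (env var / externalised config).
spring.datasource.username=sa
spring.datasource.password=
spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
spring.jpa.hibernate.ddl-auto=create-drop

#-- H2 ships an embedded web console for browsing the database and running SQL.
#-- It is off by default in Spring Boot. Enabling it publishes a SQL shell on the
#-- application port, so keep it development-only and disable it in the production profile.
spring.h2.console.enabled=true
spring.h2.console.path=/h2-console
spring.h2.console.settings.trace=false
# never accept console connections from other hosts
spring.h2.console.settings.web-allow-others=false

#-- Spring Data REST (spring-boot-starter-data-rest in pom.xml) exports EVERY Spring Data
#-- repository as a REST resource by default -- that is what made "/" link to a listing of
#-- the whole users table. Only export repositories explicitly annotated with
#-- @RepositoryRestResource; everything else stays internal to the application.
spring.data.rest.detection-strategy=annotated

#-- By default the data.sql script executes before Hibernate initialization.
#-- This aligns script-based initialization with other database migration tools
#-- such as Flyway and Liquibase. Because Hibernate recreates the schema each time
#-- (ddl-auto=create-drop), the script has to run after it instead:
spring.jpa.defer-datasource-initialization=true

#-- only validate the database at startup, do not delete or create
#spring.jpa.hibernate.ddl-auto=validate
#spring.jpa.show-sql=true
#spring.jpa.properties.hibernate.format_sql=true

spring.mvc.view.prefix=/WEB-INF/jsp/
spring.mvc.view.suffix=.jsp

# Enable site-wide caching of static resources
# one hour
#spring.resources.cache.cachecontrol.max-age=3600
# 30 days
# NOTE(review): spring.resources.* was deprecated in Boot 2.4 in favour of spring.web.resources.*;
# it is still honoured on 2.5 -- confirm before upgrading the parent version.
spring.resources.cache.cachecontrol.max-age=2592000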

这是我使用的 SQL

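-- Application users. authorities(username) references this column, so username
-- must carry an explicit UNIQUE constraint rather than relying on the engine to
-- add a hidden index for the foreign key.
CREATE TABLE IF NOT EXISTS users (
  id        BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 0) PRIMARY KEY,
  firstname VARCHAR(64)  NOT NULL,
  lastname  VARCHAR(64)  NOT NULL,
  username  VARCHAR(255) NOT NULL,
  -- FIX: was "varchar()255)" -- a syntax error that made the whole script fail.
  -- Store only a PasswordEncoder hash here (e.g. "{bcrypt}$2a$..."), never clear text.
  password  VARCHAR(255) NOT NULL,
  enabled   BOOLEAN      NOT NULL,

  created   DATETIME  NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'time this record was created; used for message aging',
  -- FIX: the column was named "update" (an SQL reserved word) and did not match
  -- authorities.updated. If Users.java maps this column, rename it there as well.
  updated   TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  who       VARCHAR(100) DEFAULT 'script',
  comments  VARCHAR(2048),

  CONSTRAINT uk_users_username UNIQUE (username)
);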

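-- Granted authorities per user (Spring Security's standard users/authorities layout).
-- FIX: now IF NOT EXISTS like the users table, so the script is idempotent whether or
-- not Hibernate (ddl-auto=create-drop) has already created the table.
CREATE TABLE IF NOT EXISTS authorities (
  id        BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 0) PRIMARY KEY,
  username  VARCHAR(255) NOT NULL,
  authority VARCHAR_IGNORECASE(255) NOT NULL,

  created   DATETIME  NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'time this record was created; used for message aging',
  updated   TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  who       VARCHAR(100) DEFAULT 'script',
  comments  VARCHAR(2048),

  -- users.username must be UNIQUE for this foreign key to be valid.
  CONSTRAINT fk_authorities_users FOREIGN KEY (username) REFERENCES users (username)
);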
  
-- One row per (user, authority): the same authority cannot be granted to a user twice.
CREATE UNIQUE INDEX ix_auth_username ON authorities (username, authority);

这是我的 pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <!-- NOTE(review): the 2.5.x line is no longer maintained upstream; plan a move to a supported Boot version -->
        <version>2.5.6</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.accuratepath</groupId>
    <artifactId>SpringSecuritySample</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>SpringSecuritySample</name>
    <description>This project will demo all spring security possibilities</description>
    <properties>
        <java.version>11</java.version>
    </properties>
    <!-- NOTE(review): no spring-boot-starter-security (or any other auth dependency) is declared,
         so nothing authenticates or authorizes requests yet: every endpoint below is anonymous. -->
    <dependencies>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <!-- Spring Data REST exports every Spring Data repository as a REST endpoint by default;
             this is what made the users table browsable from "/". Restrict it with
             spring.data.rest.detection-strategy=annotated / @RepositoryRestResource(exported = false),
             or drop the starter if the repositories are only used programmatically. -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-rest</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.session</groupId>
            <artifactId>spring-session-core</artifactId>
        </dependency>

        <!-- runtime + optional: DevTools stays out of the repackaged jar and is only active in local runs -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-jdbc</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <!-- runtime-only driver; the web console it ships (spring.h2.console.* in application.properties)
             is a SQL shell on the app port and must not be enabled in production -->
        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
            <scope>runtime</scope>
        </dependency>
        
        <!-- version managed by the Boot parent BOM; do not pin one here -->
        <!-- https://mvnrepository.com/artifact/org.hibernate/hibernate-core -->
        <dependency>
            <groupId>org.hibernate</groupId>
            <artifactId>hibernate-core</artifactId>
        </dependency>
        
        <!-- version managed by the Boot parent BOM -->
        <!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core -->
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-core</artifactId>
        </dependency>
        
        <!-- adds XML request/response rendering next to JSON; version managed by the Boot parent BOM -->
        <!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-xml -->
        <dependency>
            <groupId>com.fasterxml.jackson.dataformat</groupId>
            <artifactId>jackson-dataformat-xml</artifactId>
        </dependency>

    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>
 



正如 M. Deinum 所说，这是 spring-boot-starter-data-rest（见我的 pom.xml）的默认行为：它会把所有 Spring Data 仓库自动导出为 REST 端点。所以我在 SecurityConfig.java 中用下面的语句把这些路径挡住了——这是一个很大的安全隐患，我会向 Spring 团队反馈。（注：这是 Spring Data REST 文档中说明的默认行为；更稳妥的做法是通过 `spring.data.rest.detection-strategy=annotated` 或 `@RepositoryRestResource(exported = false)` 直接不导出仓库，而不只是在安全配置里用 denyAll 遮盖。）

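// Spring Data REST exports each repository as a whole subtree: the collection
// ("/users"), item ("/users/1"), search ("/users/search/...") and profile resources.
// The original patterns "/users" and "/users/" are exact matches, so "/users/1" and
// "/users/search/..." stayed reachable; "/x/**" also matches "/x" and "/x/" itself.
// Better still, stop exporting the repositories at all
// (spring.data.rest.detection-strategy=annotated or @RepositoryRestResource(exported = false))
// rather than masking them in the security filter chain.
http.authorizeRequests().antMatchers("/users/**", "/groups/**", "/profile/**").denyAll();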