Spring Boot /h2-console throws 403 in Spring Security 1.5.2

2017-05-05 115 views
0

We recently upgraded from Spring Boot 1.4.1 to 1.5.2. One feature of 1.5.2 is that if Spring Security is part of the package, the H2 console is protected by basic authentication. Even after basic authentication, I still cannot access /h2-console. It throws 403 Forbidden.

application.yml

spring:
  datasource:
    driver-class-name: org.h2.Driver
    url: jdbc:h2:file:../app-db/app_db;AUTO_SERVER=TRUE
    username: sa
    password: sa
    initialize: false
  jpa:
    hibernate:
      ddl-auto: validate
    show-sql: true
    database-platform: org.hibernate.dialect.H2Dialect
  h2:
    console:
      enabled: true
      settings:
        web-allow-others: true
  allowed:
    resources: /h2-console/**

I even explicitly allowed /h2-console/**:

httpSecurity.authorizeRequests()
    .antMatchers(allowedResources)
    .permitAll();

I keep getting 403 when trying to access localhost:8080/h2-console. I have tried many settings, including setting:

management.security.enabled=true 
security.basic.enabled=true 

but I cannot access the H2 console.

+0

Have you looked at this [sample](https://github.com/spring-projects/spring-boot/tree/master/spring-boot-samples/spring-boot-sample-web-secure-custom) on GitHub for Spring Boot with security? –

Answers

1

I enabled debug logging and saw this:

o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /h2-console/; Attributes: [hasAnyRole('ROLE_USER','ROLE_ACTUATOR')] 
2017-05-05 13:16:09.304 DEBUG 90365 --- [nio-8080-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframew[email protected]33d2af72: Principal: or[email protected]7371d5f4: Dn: cn=XYZ,ou=XYZ,ou=Active,ou=ABC_USERS,dc=internal,dc=organization,dc=com; Username: uname; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 86EF50EF548ED4DBCE4D661AEC93F88C; Granted Authorities: ROLE_ADMIN 
2017-05-05 13:16:09.305 DEBUG 90365 --- [nio-8080-exec-2] o.s.s.access.vote.AffirmativeBased  : Voter: org.sp[email protected]51d3d69, returned: -1 
2017-05-05 13:16:09.305 DEBUG 90365 --- [nio-8080-exec-2] o.s.s.w.a.ExceptionTranslationFilter  : Access is denied (user is not anonymous); delegating to AccessDeniedHandler 

I realized that my user does not have ROLE_USER. I had assumed ROLE_ADMIN > ROLE_USER, but I still need to understand this better.

I updated my settings to:

security:
  basic:
    enabled: true
    authorize-mode: NONE

I am now able to access /h2-console/**.

+0

You can see my comments in my answer. – chaoluo

+0

Doesn't this break authentication? –

+0

Authorization is enabled, so if the user has no role assigned, she will be denied access. –

0
@Configuration
@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
@ConditionalOnBean(ObjectPostProcessor.class)
@ConditionalOnProperty(prefix = "security.basic", name = "enabled", matchIfMissing = true)
static class H2ConsoleSecurityConfiguration

As you can read in the Spring Boot source, if basic is enabled, Spring Boot loads a Spring Security configuration with H2ConsoleSecurityConfigurer at order SecurityProperties.BASIC_AUTH_ORDER - 10; authentication is based on the security configuration. This is the default security configuration:

public void configure(HttpSecurity http) throws Exception {
    String path = this.console.getPath();
    String antPattern = (path.endsWith("/") ? path + "**" : path + "/**");
    HttpSecurity h2Console = http.antMatcher(antPattern);
    h2Console.csrf().disable();
    h2Console.httpBasic();
    h2Console.headers().frameOptions().sameOrigin();
    // roles come from `security.user.role` (default `USER`) plus `management.security.roles`
    String[] roles = this.security.getUser().getRole().toArray(new String[0]);
    // `security.basic.authorize-mode`: ROLE (the default), AUTHENTICATED or NONE
    SecurityAuthorizeMode mode = this.security.getBasic().getAuthorizeMode();
    if (mode == null || mode == SecurityAuthorizeMode.ROLE) {
        http.authorizeRequests().anyRequest().hasAnyRole(roles);
    }
    else if (mode == SecurityAuthorizeMode.AUTHENTICATED) {
        http.authorizeRequests().anyRequest().authenticated();
    }
    // NONE: no authorization rule is added to this chain
}

If the default does not suit you, you can create a new configuration that overrides the default one.

@Configuration
// before the default configuration
@Order(SecurityProperties.BASIC_AUTH_ORDER - 11)
class CustomH2ConsoleSecurityConfigurer extends WebSecurityConfigurerAdapter {

    @Autowired
    private H2ConsoleProperties console;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        String path = this.console.getPath();
        String antPattern = (path.endsWith("/") ? path + "**" : path + "/**");
        HttpSecurity h2Console = http.antMatcher(antPattern);
        h2Console.csrf().disable();
        h2Console.httpBasic();
        h2Console.headers().frameOptions().sameOrigin();
        // config as you like
        http.authorizeRequests().anyRequest().permitAll();
    }

}
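As an added example (not from the question, either answer, or Spring Boot itself), here is an override in the style of the answer above that keeps the console behind both HTTP Basic and an authorization rule, instead of switching `security.basic.authorize-mode` to NONE as the accepted answer does. With NONE the default configurer shown above adds no `authorizeRequests()` rule to the console chain at all, so only the authentication filter is left in front of the console. The class name, package and the `ROLE_ADMIN > ROLE_USER` hierarchy are assumptions for this example; the hierarchy is what gives the questioner's ROLE_ADMIN user the ROLE_USER that the default `hasAnyRole('ROLE_USER','ROLE_ACTUATOR')` rule demanded, since Spring Security does not treat ADMIN as implying USER on its own. It targets Spring Boot 1.5.x with Spring Security 4.2 and is ordered at BASIC_AUTH_ORDER - 11 so it takes precedence over the autoconfigured chain at BASIC_AUTH_ORDER - 10.

```java
package com.example.security; // package name is an assumption for this example

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.h2.H2ConsoleProperties;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

/**
 * Example H2 console security chain (added here, not Spring Boot's own code).
 * Ordered before the autoconfigured H2ConsoleSecurityConfiguration
 * (BASIC_AUTH_ORDER - 10), so it handles the console path instead of it.
 *
 * Unlike `security.basic.authorize-mode: NONE`, this chain keeps an
 * authorization rule: a caller must authenticate over HTTP Basic and hold
 * ROLE_USER, either directly or through the ROLE_ADMIN > ROLE_USER hierarchy.
 */
@Configuration
@Order(SecurityProperties.BASIC_AUTH_ORDER - 11)
public class H2ConsoleSecurityConfig extends WebSecurityConfigurerAdapter {

    private final H2ConsoleProperties console;

    @Autowired
    public H2ConsoleSecurityConfig(H2ConsoleProperties console) {
        this.console = console;
    }

    /**
     * ROLE_ADMIN implies ROLE_USER. The hierarchy string is an assumption for
     * this example; Spring Security applies no such implication unless told.
     */
    @Bean
    public RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER");
        return hierarchy;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Same path derivation as the autoconfiguration: spring.h2.console.path (default /h2-console)
        String path = this.console.getPath();
        String antPattern = (path.endsWith("/") ? path + "**" : path + "/**");

        // Expression handler wired explicitly with the hierarchy, so hasRole("USER")
        // evaluates against the expanded authorities rather than the raw ROLE_ADMIN.
        DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
        handler.setRoleHierarchy(roleHierarchy());

        HttpSecurity h2Console = http.antMatcher(antPattern); // this chain only serves the console
        h2Console.csrf().disable();                           // the console's own forms carry no CSRF token
        h2Console.httpBasic();                                // same authentication mechanism as the default chain
        h2Console.headers().frameOptions().sameOrigin();      // the console UI renders itself in frames
        h2Console.authorizeRequests()
            .expressionHandler(handler)
            .anyRequest().hasRole("USER");                    // authenticated AND authorized, not just authenticated
    }
}
```

Drop the class in the application's component scan and leave `security.basic.authorize-mode` at its default. Separately, the question's application.yml sets `spring.h2.console.settings.web-allow-others: true`, which lets hosts other than localhost reach the console; keep that at its default (false) unless remote access to the console is genuinely required, whatever the authorization rule in front of it.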