Spring Security static resource access

Keywords: Java Spring Javascript

There is a small pitfall in Spring Security: static resources failing to load.

When we extend WebSecurityConfigurerAdapter, we override several methods to set which paths are filtered and which permission rules apply.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    CustomUserService customUserService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Load users through the custom service and verify passwords with BCrypt
        auth.userDetailsService(customUserService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Requests matching /global/** bypass the Spring Security filter chain entirely
        web.ignoring().antMatchers("/global/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
        // Start request permission configuration
        .authorizeRequests()
        // We can specify several URL patterns that any user may access.
        // Here: any user can access URLs starting with "/global/" or "/static/".
//      .antMatchers("/global/**","/static/**").permitAll()
        // Requests matching /admin/** can only be accessed by users with the ADMIN role
        .antMatchers("/admin/**").hasRole("ADMIN")
        // Requests matching /user/** can be accessed by users with the ADMIN or USER role
        .antMatchers("/user/**").hasAnyRole("ADMIN", "USER")
        // Any URL starting with "/db/" requires both the ADMIN and the DBA role.
        // As above, hasRole is given the role name without the "ROLE_" prefix.
        // .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")
        // All other requests must be authenticated before they can be accessed
        .anyRequest().authenticated().and().formLogin()
        // Login page; default page after a successful login (no effect); page after a failed login
        .loginPage("/login").defaultSuccessUrl("/index.html").failureUrl("/login?error=true")
        // Form parameter names for the username and the password
        .usernameParameter("username").passwordParameter("password").permitAll().and().rememberMe()
        // Remember-me token valid for 1209600 seconds (14 days)
        .tokenValiditySeconds(1209600).key("rememberme");
//        .and()
//        .logout().logoutUrl("").logoutSuccessUrl("/index.html").permitAll();
    }

}

In general, I set up

// Any user can access URLs starting with "/global/" or "/static/".
.antMatchers("/global/**","/static/**").permitAll()

Or

    @Override
    public void configure(WebSecurity web) throws Exception {   
        web.ignoring().antMatchers("/global/**");
    }
    

After that, there should be no problem and we should be able to access our resources. But when you run the demo, you will find that the world is not what you think it is. You are too young.

The static resources you want still cannot be loaded. Later, we found that we also need to configure the addResourceHandlers method in Spring MVC.

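import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;

@Configuration
public class WebMvcConfig extends WebMvcConfigurationSupport {

    @Override
    protected void addViewControllers(ViewControllerRegistry registry) {
        // Requests to /login are rendered with the view page-login.html
        registry.addViewController("/login").setViewName("page-login.html");
        super.addViewControllers(registry);
    }

    @Override
    protected void addResourceHandlers(ResourceHandlerRegistry registry) {
        // Serve every request path ("/**") from classpath:/static/
        registry.addResourceHandler("/**").addResourceLocations("classpath:/static/");
        super.addResourceHandlers(registry);
    }
}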

It seems that this time it should be OK. Run...

But still too young. The resource is still not loaded.

This, this is a bit messy....

After a long time, I fell asleep.

It turns out the problem is in the HTML. Yes, that's right, the HTML.

When loading CSS or JS resources, we need to write the tags in a more standard form:

<link href="/global/css/style.css" rel="stylesheet" type="text/css" />

<script src="/global/js/custom.min.js" type="text/javascript"></script>

Instead of

<link href="/global/css/style.css"/>

<script src="/global/js/custom.min.js"></script>
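
As an added example (not the author's code), here are the two configuration classes from this post with the static-resource handling tightened: `permitAll()` keeps asset requests inside the security filter chain, whereas `web.ignoring()` skips the chain entirely, and the resource handler is limited to the asset path instead of `/**`. It assumes Spring Framework 5 or later with the same Spring Security API used above and assets stored under `classpath:/static/global/`; the class names are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Added example: hypothetical class names. Assumes the assets live under
// src/main/resources/static/global/, as the /global/... URLs on this page suggest.
@Configuration
@EnableWebSecurity
class StaticAssetSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Public assets: no login needed, but the request still passes through
            // the filter chain, so the default security response headers are written.
            .antMatchers("/global/**").permitAll()
            .antMatchers("/admin/**").hasRole("ADMIN")
            .antMatchers("/user/**").hasAnyRole("ADMIN", "USER")
            // Every path that is not listed above requires an authenticated user.
            .anyRequest().authenticated()
            .and()
            .formLogin().loginPage("/login").permitAll();
    }
}

@Configuration
class StaticAssetMvcConfig implements WebMvcConfigurer {
    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/login").setViewName("page-login.html");
    }

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // Narrow handler: only /global/** is served, and only from one directory,
        // so nothing else placed under classpath:/static/ becomes reachable by URL.
        registry.addResourceHandler("/global/**")
                .addResourceLocations("classpath:/static/global/");
    }
}
```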

Posted by rafadc on Fri, 03 Jan 2020 06:55:26 -0800