Spring Boot /h2-console throws 403 in Spring Security 1.5.2
Problem description:
We recently upgraded from Spring Boot 1.4.1 to 1.5.2. One feature of 1.5.2 is that if Spring Security is part of the package, the H2 console is protected by basic authentication. Even after passing basic authentication I still cannot access /h2-console. It throws 403 Forbidden.
application.yml:
    spring:
      datasource:
        driver-class-name: org.h2.Driver
        url: jdbc:h2:file:../app-db/app_db;AUTO_SERVER=TRUE
        username: sa
        password: sa
        initialize: false
      jpa:
        hibernate:
          ddl-auto: validate
        show-sql: true
        database-platform: org.hibernate.dialect.H2Dialect
      h2:
        console:
          enabled: true
          settings:
            web-allow-others: true

    allowed:
      resources: /h2-console/**
I even explicitly allowed /h2-console/**:
    httpSecurity.authorizeRequests()
        .antMatchers(allowedResources)
        .permitAll()
When I try to access localhost:8080/h2-console, I keep getting a 403. I have tried many settings, including setting:

    management.security.enabled=true
    security.basic.enabled=true

but I cannot access the H2 console.
Answer
I enabled debug logging and saw this:
    o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /h2-console/; Attributes: [hasAnyRole('ROLE_USER','ROLE_ACTUATOR')]
    2017-05-05 13:16:09.304 DEBUG 90365 --- [nio-8080-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframew[email protected]33d2af72: Principal: or[email protected]7371d5f4: Dn: cn=XYZ,ou=XYZ,ou=Active,ou=ABC_USERS,dc=internal,dc=organization,dc=com; Username: uname; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 86EF50EF548ED4DBCE4D661AEC93F88C; Granted Authorities: ROLE_ADMIN
    2017-05-05 13:16:09.305 DEBUG 90365 --- [nio-8080-exec-2] o.s.s.access.vote.AffirmativeBased : Voter: org.sp[email protected]51d3d69, returned: -1
    2017-05-05 13:16:09.305 DEBUG 90365 --- [nio-8080-exec-2] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is not anonymous); delegating to AccessDeniedHandler
I realized that my user did not have ROLE_USER. I assumed ROLE_ADMIN > ROLE_USER, but I still need to understand this better.
I updated my settings to:

    security:
      basic:
        enabled: true
        authorize-mode: NONE
I can now access /h2-console/**.
Answer
    @Configuration
    @ConditionalOnClass(WebSecurityConfigurerAdapter.class)
    @ConditionalOnBean(ObjectPostProcessor.class)
    @ConditionalOnProperty(prefix = "security.basic", name = "enabled", matchIfMissing = true)
    static class H2ConsoleSecurityConfiguration
You can read in the Spring Boot source that, if basic auth is enabled, Spring Boot loads a Spring Security configuration with H2ConsoleSecurityConfigurer at order SecurityProperties.BASIC_AUTH_ORDER - 10, and authentication is based on the security configuration. This is the default security configuration:
    public void configure(HttpSecurity http) throws Exception {
        String path = this.console.getPath();
        String antPattern = path.endsWith("/") ? path + "**" : path + "/**";
        HttpSecurity h2Console = http.antMatcher(antPattern);
        h2Console.csrf().disable();
        h2Console.httpBasic();
        h2Console.headers().frameOptions().sameOrigin();
        // the default role is `USER`; see `security.user.role` and `management.security.roles`
        String[] roles = this.security.getUser().getRole().toArray(new String[0]);
        // this value comes from `security.basic.authorize-mode`: `role`, `authenticated` or `none`
        SecurityAuthorizeMode mode = this.security.getBasic().getAuthorizeMode();
        if (mode == null || mode == SecurityAuthorizeMode.ROLE) {
            http.authorizeRequests().anyRequest().hasAnyRole(roles);
        } else if (mode == SecurityAuthorizeMode.AUTHENTICATED) {
            http.authorizeRequests().anyRequest().authenticated();
        }
        // mode NONE: no authorization rule is applied to the console
    }
If you feel the default does not suit you, you can create a new configuration to override the default one.
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.autoconfigure.h2.H2ConsoleProperties;
    import org.springframework.boot.autoconfigure.security.SecurityProperties;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    // before the default configuration
    @Order(SecurityProperties.BASIC_AUTH_ORDER - 11)
    class CustomH2ConsoleSecurityConfigurer extends WebSecurityConfigurerAdapter {

        @Autowired
        private H2ConsoleProperties console;

        @Override
        public void configure(HttpSecurity http) throws Exception {
            String path = this.console.getPath();
            String antPattern = (path.endsWith("/") ? path + "**" : path + "/**");
            HttpSecurity h2Console = http.antMatcher(antPattern);
            h2Console.csrf().disable();
            h2Console.httpBasic();
            h2Console.headers().frameOptions().sameOrigin();
            // config as you like
            http.authorizeRequests().anyRequest().permitAll();
        }
    }
Did you refer to this [sample](https://github.com/spring-projects/spring-boot/tree/master/spring-boot-samples/spring-boot-sample-web-secure-custom) on GitHub of Spring Boot with security?
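The two fixes on this page both remove the authorization check on the console: `security.basic.authorize-mode: NONE` drops the role rule from Boot's default basic-auth configurers, and the custom configurer above ends with `permitAll()`. The debug log shows the asker's user actually holds ROLE_ADMIN, so the narrower fix is to keep the console behind HTTP Basic and require that role. The following is an added example written for this page, not code from the question, the answers, or Spring Boot itself; it targets the Spring Boot 1.5.x / Spring Security 4.2 APIs already used above, and the package name, class name and the choice of ROLE_ADMIN as the required role are assumptions.

```java
// Added example, not from the page: restrict the H2 console to ROLE_ADMIN
// instead of opening it with permitAll or security.basic.authorize-mode=NONE.
// Spring Boot 1.5.x / Spring Security 4.2 APIs; package name is assumed.
package com.example.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.h2.H2ConsoleProperties;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
// A lower order value is applied first, so this adapter takes the console
// path before Boot's own H2ConsoleSecurityConfigurer at BASIC_AUTH_ORDER - 10.
@Order(SecurityProperties.BASIC_AUTH_ORDER - 11)
public class AdminOnlyH2ConsoleSecurityConfigurer extends WebSecurityConfigurerAdapter {

    // Assumption: the role to require is ADMIN, matching the ROLE_ADMIN
    // granted authority visible in the asker's debug log. hasRole() adds
    // the ROLE_ prefix itself, so the bare name is passed here.
    private static final String CONSOLE_ROLE = "ADMIN";

    @Autowired
    private H2ConsoleProperties console;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Scope this adapter to the console path only, as Boot does, so the
        // rest of the application keeps whatever security rules it has.
        String path = this.console.getPath();
        String antPattern = path.endsWith("/") ? path + "**" : path + "/**";

        http.antMatcher(antPattern)
            // The console's forms carry no CSRF token; the exemption is
            // confined to this matcher rather than the whole application.
            .csrf().disable()
            // The console UI frames itself; same-origin is all it needs.
            .headers().frameOptions().sameOrigin().and()
            // Keep HTTP Basic as the authentication mechanism.
            .httpBasic().and()
            // Authorization rule: authenticated and holding ROLE_ADMIN.
            // A user with only ROLE_USER is rejected with 403, as before.
            .authorizeRequests().anyRequest().hasRole(CONSOLE_ROLE);
    }
}
```

With this in place a request to /h2-console without credentials gets a 401 from the basic-auth entry point, a user without ROLE_ADMIN gets the same 403 the asker saw in the log, and the admin user is let through. Note that `web-allow-others: true` in the question's application.yml lets the console accept clients from other hosts, which makes this authorization rule, rather than network locality, the control on who can reach the database.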