为什么Spring Security permitAll()无法与OAuth2.0一起使用?
[英]Why Spring Security permitAll() is not working with OAuth2.0?
问题描述
I have a REST API secured with OAuth2.0 I am able to get the access-token using http://localhost:8085/auth/token?grant_type=password&username=22@gmail.com&password=mypass (along with username pass basic auth). 
我有一个受OAuth2.0保护的REST API,我可以使用http:// localhost:8085 / auth / token?grant_type=password&username=22@gmail.com&password=mypass来获取访问令牌(以及用户名通过基本身份验证)。
But when I am trying to access http://localhost:8085/api/v1/signup , API returns a 401 unauthorized error. 但是,当我尝试访问http:// localhost:8085 / api / v1 / signup时 ,API返回401 unauthorized错误。
Though I have used antMatchers("/signup").permitAll() , why API is expecting a access-token to access this resource? 尽管我使用过antMatchers("/signup").permitAll() ,但为什么API期望使用access-token来访问此资源? Passing access-token along with this request would signup a user. 将access-token与此请求一起传递将注册用户。
This is my resource server configuration 这是我的资源服务器配置
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
//require beans and methods here
@Autowired
public void configureGlobal(final AuthenticationManagerBuilder auth) {
auth.authenticationProvider(authProvider());
}
@Override
public void configure(final HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/signup").permitAll()
.anyRequest().authenticated()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.csrf().disable();
}
}
Update : As suggested by this thread, I ignored /signup at ``, but that also didn't worked. 更新 :如该线程所建议,我忽略了`` /signup '',但这也没有用。
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@ComponentScan(basePackages = { "com.sample.rest.security" })
@Order(2)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
//other Beans & methods
@Override
protected void configure(HttpSecurity http) throws Exception {
List<RequestMatcher> requestMatchers = new ArrayList<RequestMatcher>();
requestMatchers.add(new AntPathRequestMatcher("/signup/**"));
http.
requestMatcher(new OrRequestMatcher(requestMatchers)).
authorizeRequests().antMatchers("/signup/**")
.permitAll();
}
}
2 个解决方案
解决方案1
5 已采纳 2018-11-24 18:17:49
I got the issue. 我知道了 It was the context path which was causing the issue. 导致问题的原因是上下文路径。 I am having a dispatcher servlet defined with a mapping URL /api/v1/* and as one can see my signup request, it contains a context path ie http://localhost:8085/api/v1/signup 我有一个使用映射URL /api/v1/*定义的调度程序servlet,可以看到我的signup请求,它包含上下文路径,即http://localhost:8085/api/v1/signup
For OAuth2 configuration in Spring, we need to take extra care of context path. 对于Spring中的OAuth2配置,我们需要特别注意上下文路径。 First, it should be defined in the AuthorizationServer 首先,应在AuthorizationServer中定义
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Override
public void configure(final AuthorizationServerEndpointsConfigurer endpoints) {
endpoints
.prefix("/api/v1") //here
.tokenStore(tokenStore())
.accessTokenConverter(accessTokenConverter())
.authenticationManager(authenticationManager)
.allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);
}
Then, the context must be added to the permitAll() path like this 然后,必须像这样将上下文添加到permitAll()路径
@Override
public void configure(final HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/api/v1/signup").permitAll() //context path here
.anyRequest().authenticated();
}
Up till now, the signup request is still expected to pass a access token with it. 到目前为止,仍希望注册请求将访问令牌与它一起传递。 For removing the OAuth security from signup, we need to remove security at the WebSecurity , which can be done using WebSecurityConfigurerAdapter 要从注册中删除OAuth安全性,我们需要在WebSecurity处删除安全性,这可以使用WebSecurityConfigurerAdapter来完成
@EnableWebSecurity
@EnableGlobalMethodSecurity
@ComponentScan(basePackages = { "com.sample.rest.security" })
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity webSecurity) throws Exception {
webSecurity.ignoring().antMatchers("/signup");
}
//////////// OR use below method ///////////
/* @Override
protected void configure(HttpSecurity http) throws Exception {
http.
authorizeRequests().antMatchers("/signup/**").permitAll();
}
*/
}
Note, there is no use to add context path to the WebSecurityConfigurerAdapter configuration. 注意,没有使用来向WebSecurityConfigurerAdapter配置添加上下文路径。
解决方案2
0 2018-11-23 21:41:53
I think the order is the issue and matchers **. 我认为顺序是问题,匹配者是问题**。
@Override
public void configure(final HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/signup**")
.permitAll()
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() .csrf().disable();
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.