Spring boot 1.5 disable oauth2 security
How can I disable the oauth2 security filtering in my Spring Boot app, or skip the security checks? I just want to hit the GET and POST endpoints in the Spring Boot @RestController directly without going through the security filtering.
I'm using the configurations below:
security:
  oauth2:
    client:
      access-token-validity-seconds: 3600
    tokenExtractor:
      type: header
pom.xml dependencies
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
</dependency>
Spring version
<spring.version>4.3.7.RELEASE</spring.version>
<spring.boot.version>1.5.2.RELEASE</spring.boot.version>
If you don't want to remove the entire Spring Security, you can add ignore configuration for all your URLs in your Spring Configuration bean:
@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/**");
}
3 ways
A. I was able to achieve bypassing Spring Boot security filtering while keeping the @EnableResourceServer in the @SpringBootApplication Application class
1. permitAll for anonymous in the ResourceServerConfigurerAdapter override
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ResourceAccessConfiguration extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // This will allow any resource endpoint access when the HTTP request
        // Authorization header is not available.
        http.authorizeRequests().antMatchers("/**").permitAll().anyRequest().anonymous();
        // This also works:
        // http.authorizeRequests().antMatchers("/**").permitAll();
    }
}
Spring Boot application initializer
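import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.support.SpringBootServletInitializer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

@SpringBootApplication
@EnableResourceServer // keep this
public class Application extends SpringBootServletInitializer {
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}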
2. Remove the authorization header (remove the OAuth 2.0 access token from the HTTP request)
B. Security filtering could also be disabled for endpoints by removing @EnableResourceServer and setting the parameter in application.yml as below. When @EnableResourceServer is removed, the Spring Security config will fall back to the default, which is
org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
1. application.yml, security.ignored property
security:
  ignored: /**
2. Spring Boot application initializer
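import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.support.SpringBootServletInitializer;

@SpringBootApplication
// @EnableResourceServer  << remove this
public class Application extends SpringBootServletInitializer {
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}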
3. Remove the authorization header, same as above
C. Security filtering could also be disabled for endpoints by removing @EnableResourceServer and adding a config class that extends WebSecurityConfigurerAdapter
1.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").permitAll().anyRequest().authenticated().and().csrf().disable();
    }
}
2. //@EnableResourceServer commented out, same as above
3. Remove the authorization header, same as above
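
An added example, not part of the question or either answer: a small Python check that a build pipeline could run to catch the blanket bypasses shown above (`web.ignoring().antMatchers("/**")`, `antMatchers("/**").permitAll()` and `security.ignored: /**`) before they reach a deployed configuration. The function and rule names are hypothetical, the sample inputs are constructed, and the scan assumes the `"/**"` pattern is written as a string literal.

```python
import re

# Constructed sample inputs that mirror the snippets on this page.
SAMPLE_JAVA = '''
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers(
        "/**");
}
protected void configure(HttpSecurity http) throws Exception {
    // http.authorizeRequests().antMatchers("/**").permitAll();
    http.authorizeRequests().antMatchers("/health").permitAll()
        .anyRequest().authenticated();
}
'''
SAMPLE_YAML = "security:\n  ignored: /**\n"

# String literals are matched first so the "/**" literal is never mistaken
# for the start of a block comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
_JAVA_RULES = {
    "web-ignoring-all": re.compile(r'\.ignoring\(\)\s*\.antMatchers\(\s*"/\*\*"\s*\)'),
    "permit-all-everything": re.compile(r'\.antMatchers\(\s*"/\*\*"\s*\)\s*\.permitAll\(\)'),
}

def strip_java_comments(src):
    """Blank out comments (keeping newlines) but leave string literals intact."""
    def blank(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else re.sub(r"[^\n]", " ", tok)
    return _TOKEN.sub(blank, src)

def scan_java(src):
    """Return sorted (line, rule) pairs for blanket bypasses in live code."""
    code = strip_java_comments(src)
    return sorted((code.count("\n", 0, m.start()) + 1, rule)
                  for rule, rx in _JAVA_RULES.items() for m in rx.finditer(code))

def scan_yaml(text):
    """Return (line, rule) pairs where security.ignored covers every path."""
    path, hits = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        m = re.match(r"^(\s*)([\w.-]+):\s*(.*)$", raw.split(" #")[0].rstrip())
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while path and path[-1][0] >= indent:
            path.pop()  # leave deeper or sibling scopes
        path.append((indent, key))
        patterns = [v.strip(" '\"") for v in value.split(",")]
        if ".".join(k for _, k in path) == "security.ignored" and "/**" in patterns:
            hits.append((n, "security-ignored-all"))
    return hits
```

Commented-out bypasses are not reported, and a narrower matcher such as `"/health"` passes; only a live `"/**"` rule is flagged.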