
Spring Boot REST API 401 on public endpoint?

I am getting 401 Unauthorized on a non-secured endpoint responsible for registering:

This is the Config class I use:

import static org.springframework.http.HttpStatus.FORBIDDEN;
import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// TokenAuthenticationProvider, TokenAuthenticationFilter and NoRedirectStrategy are the
// project's own classes (same package assumed).
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
//@FieldDefaults(level = PRIVATE, makeFinal = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // Everything under /public/** is meant to be reachable without a token.
    private static final RequestMatcher PUBLIC_URLS = new OrRequestMatcher(
            new AntPathRequestMatcher("/public/**")
    );
    // Everything else requires authentication.
    private static final RequestMatcher PROTECTED_URLS = new NegatedRequestMatcher(PUBLIC_URLS);

    @Autowired
    TokenAuthenticationProvider provider;

    SecurityConfig() {
        super();
        // debug output, just to confirm the config class is instantiated
        System.out.println("XXXXXXXXXXXX");
        System.out.println("XXXXXXXXXXXX");
        //this.provider = requireNonNull(provider);
    }

    @Override
    protected void configure(final AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(provider);
    }

    @Override
    public void configure(final WebSecurity web) {
        // Public URLs bypass the security filter chain entirely.
        web.ignoring().requestMatchers(PUBLIC_URLS);
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
                .sessionManagement()
                .sessionCreationPolicy(STATELESS)
                .and()
                .exceptionHandling()
                // this entry point handles when you request a protected page and you are not yet
                // authenticated
                .defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), PROTECTED_URLS)
                .and()
                .authenticationProvider(provider)
                .addFilterBefore(restAuthenticationFilter(), AnonymousAuthenticationFilter.class)
                .authorizeRequests()
                .requestMatchers(PROTECTED_URLS)
                .authenticated()
                .and()
                .csrf().disable()
                .formLogin().disable()
                .httpBasic().disable()
                .logout().disable();
    }

    @Bean
    TokenAuthenticationProvider tokenAuthenticationProvider() {
        return new TokenAuthenticationProvider();
    }

    @Bean
    TokenAuthenticationFilter restAuthenticationFilter() throws Exception {
        // The filter only attempts authentication on PROTECTED_URLS.
        final TokenAuthenticationFilter filter = new TokenAuthenticationFilter(PROTECTED_URLS);
        filter.setAuthenticationManager(authenticationManager());
        filter.setAuthenticationSuccessHandler(successHandler());
        return filter;
    }

    @Bean
    SimpleUrlAuthenticationSuccessHandler successHandler() {
        // On success, continue the request instead of redirecting (REST API, no login page).
        final SimpleUrlAuthenticationSuccessHandler successHandler = new SimpleUrlAuthenticationSuccessHandler();
        successHandler.setRedirectStrategy(new NoRedirectStrategy());
        return successHandler;
    }

    /**
     * Disable Spring boot automatic filter registration.
     */
    @Bean
    FilterRegistrationBean<TokenAuthenticationFilter> disableAutoRegistration(final TokenAuthenticationFilter filter) {
        final FilterRegistrationBean<TokenAuthenticationFilter> registration = new FilterRegistrationBean<>(filter);
        registration.setEnabled(false);
        return registration;
    }

    @Bean
    AuthenticationEntryPoint forbiddenEntryPoint() {
        return new HttpStatusEntryPoint(FORBIDDEN);
    }
}

So for now I have public endpoints responsible for registering and login, but I cannot access them via Postman or the browser. Is something wrong with the implementation of this config class? What can cause this problem?

Use configure(WebSecurity web) for publicly accessible endpoints; it will not apply the security filter chain to the specified endpoints.

@Override
public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
        .antMatchers("/public/**");
}

OR try to change the order in configure(final HttpSecurity http). Add .requestMatchers(PROTECTED_URLS) before the filters and entry point:

@Override
protected void configure(final HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        .authorizeRequests()
        .requestMatchers(PROTECTED_URLS)
        .authenticated()
        .and()
        .exceptionHandling()
        .defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), PROTECTED_URLS)
        .and()
        .sessionManagement()
        .sessionCreationPolicy(STATELESS)
        .and()
        .authenticationProvider(provider)
        .addFilterBefore(restAuthenticationFilter(), AnonymousAuthenticationFilter.class)
        .formLogin().disable()
        .httpBasic().disable()
        .logout().disable();
}
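A third variant, added here as an example that is not part of the question or the answer: keep /public/** inside the security filter chain with permitAll() instead of web.ignoring(), so those responses still get Spring Security's headers and the authorization rules are evaluated in one explicit order. It assumes the question's TokenAuthenticationProvider, TokenAuthenticationFilter and NoRedirectStrategy classes with the constructors used there; the class name PermitAllSecurityConfig is invented.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class PermitAllSecurityConfig extends WebSecurityConfigurerAdapter {
    private static final RequestMatcher PUBLIC_URLS = new AntPathRequestMatcher("/public/**");
    private static final RequestMatcher PROTECTED_URLS = new NegatedRequestMatcher(PUBLIC_URLS);
    // TokenAuthenticationProvider, TokenAuthenticationFilter, NoRedirectStrategy: the question's own classes (assumed).
    private final TokenAuthenticationProvider provider;
    PermitAllSecurityConfig(TokenAuthenticationProvider provider) {
        this.provider = provider;
    }
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(provider);
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Built inline rather than as a @Bean, so Spring Boot does not also register it as a plain servlet filter.
        TokenAuthenticationFilter tokenFilter = new TokenAuthenticationFilter(PROTECTED_URLS);
        tokenFilter.setAuthenticationManager(authenticationManager());
        SimpleUrlAuthenticationSuccessHandler noRedirect = new SimpleUrlAuthenticationSuccessHandler();
        noRedirect.setRedirectStrategy(new NoRedirectStrategy());
        tokenFilter.setAuthenticationSuccessHandler(noRedirect);
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .csrf().disable().formLogin().disable().httpBasic().disable().logout().disable()
            .addFilterBefore(tokenFilter, AnonymousAuthenticationFilter.class)
            // No usable token on a protected path -> 401 (the question's config answers 403 here).
            .exceptionHandling()
                .defaultAuthenticationEntryPointFor(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED), PROTECTED_URLS)
            .and()
            // Rules are matched in order: /public/** stays in the filter chain but needs no principal.
            .authorizeRequests()
                .requestMatchers(PUBLIC_URLS).permitAll()
                .anyRequest().authenticated();
    }
}
```

With this in place an unauthenticated request to /public/** should reach the controller, while the same request to any other path gets 401 from the entry point; curl -i against one path of each kind is a quick check.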
