
Why am I getting a 401 when using Spring Security 6, permitAll and after disabling CSRF?

There are some similar questions, so I have done my best to signify the differences, but I have reviewed them and they don't seem to match my question.

I have a few simple use cases...

Given I am a user 
And I am not authenticated
When I use a GET request
Then I get a 200 response

Given I am a user 
And I am not authenticated
When I use a POST request
Then I get a 401 response

I try to get this to work using Spring Security like this...

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((authorize) -> authorize
                .requestMatchers(HttpMethod.GET).permitAll()
                .anyRequest().authenticated()
        ).csrf().disable();
        return http.build();
    }

But when I run it and try to hit http://localhost:8080 with a GET request, I still get a 401. If I remove all of the dependencies from the POM, then it goes back to giving me a 200.

What am I missing? What do I need to allow requests through without a token?

I also tried this...

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((authorize) -> authorize
                .anyRequest().permitAll()
        ).oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
        return http.build();
    }

But this also provides a 401.

The first security configuration you provided intends to match on "every request that is a GET". The method signature is requestMatchers(HttpMethod method, String... patterns). Your usage omits the patterns, and so matches "no requests that are a GET".

Note: I'm actually surprised that the method allowed you to pass no argument(s) for the patterns parameter. Perhaps that's a worthwhile enhancement suggestion.

In your example, you can do this:

    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .authorizeHttpRequests((authorize) -> authorize
                    .requestMatchers(HttpMethod.GET, "/**").permitAll()
                    .anyRequest().authenticated()
                )
                .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
            return http.build();
        }

    }

Note: You do need at least one authentication mechanism specified, which your config is missing.
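As an added example (not from the question or either answer), the two scenarios from the question written as a MockMvc test against the SecurityConfiguration above, so a matcher that silently matches nothing shows up as a failing test instead of a 401 in production. It assumes Spring Boot 3 / Spring Security 6 with spring-boot-starter-test and the resource-server starter, an application class on the classpath, and that the real JwtDecoder is replaced by the stub below; PingController, StubJwt and the test names are constructed for this example.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import;
import org.springframework.security.oauth2.jwt.BadJwtException;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootTest
@AutoConfigureMockMvc
@Import(AnonymousAccessRulesTest.PingController.class)
class AnonymousAccessRulesTest {
    @Autowired MockMvc mvc;
    // Constructed endpoint so the rules have something to hit; not part of the page.
    @RestController
    static class PingController {
        @GetMapping("/") String read() { return "ok"; }
        @PostMapping("/") String write() { return "written"; }
    }
    // Stands in for the real JwtDecoder (which would need an issuer-uri); rejects every token.
    @TestConfiguration
    static class StubJwt {
        @Bean JwtDecoder jwtDecoder() {
            return token -> { throw new BadJwtException("constructed stub: token rejected"); };
        }
    }
    @Test void anonymousGetIsPermitted() throws Exception {
        mvc.perform(get("/")).andExpect(status().isOk());
    }

    @Test void anonymousPostIsRefused() throws Exception {
        // 401 from the bearer-token entry point if CSRF is disabled; 403 from CsrfFilter if CSRF is left on.
        mvc.perform(post("/")).andExpect(status().is4xxClientError());
    }

    @Test void invalidTokenIsRejectedEvenOnPermitAllPath() throws Exception {
        // permitAll skips authorization, not authentication: a presented token is still validated.
        mvc.perform(get("/").header("Authorization", "Bearer not.a.jwt")).andExpect(status().isUnauthorized());
    }
}
```

The third test is the check worth keeping around: a path open to anonymous callers still rejects a malformed or forged bearer token, so permitAll does not turn off token validation.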

This seems to work...

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers("/").permitAll()
                        .anyRequest().authenticated()
                )
                .oauth2ResourceServer(oauth2 -> oauth2
                        .jwt(Customizer.withDefaults())
                );
        return http.build();
    }
