I would like to make some urls of my api public. But once I configure one single url, all my api become exposed without authorization.
Below my configure method of ResourceServerConfiguration class :
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/api/books","/api/plainOffers","/api/offers","/api/public/*").permitAll();
}
ResourceServer configuration :
@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/api/books").permitAll();
http.authorizeRequests().antMatchers("/api/plainOffers").permitAll();
http.authorizeRequests().antMatchers("/api/offers").permitAll();
http.authorizeRequests().antMatchers("/api/public/*").permitAll();
//http.authorizeRequests().anyRequest().authenticated().and().httpBasic();
}
}
Authorization server :
@CrossOrigin
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig
extends AuthorizationServerConfigurerAdapter{
@Autowired
@Qualifier("userDetailsService")
private UserDetailsService userDetailsService;
@Autowired
private AuthenticationManager authenticationManager;
@Value("${api.oauth.tokenTimeout:3600}")
private int expiration;
@Override
public void configure(AuthorizationServerEndpointsConfigurer configurer) throws Exception {
configurer.authenticationManager(authenticationManager);
configurer.userDetailsService(userDetailsService);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("api")
.secret("secret")
.accessTokenValiditySeconds(expiration)
.scopes("read", "write")
.authorizedGrantTypes("password", "refresh_token")
.resourceIds("oauth2-resource");
}
}
I guess you'll have to add the required restricions on other urls :
http.authorizeRequests().antMatchers("/api/books","/api/plainOffers","/api/offers","/api/public/*").permitAll();
http.authorizeRequests().anyRequest().authenticated().and().httpBasic();
I would like to point out that if you have provided resource_id = api then remove /api and add urls like this ("/books","/plainOffers","/offers","/public/*") in rules.
Then it will work.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.