
Spring Security Oauth2 all urls are permitted

I would like to make some urls of my api public. But once I configure one single url, all my api become exposed without authorization.

Below my configure method of ResourceServerConfiguration class:

@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers("/api/books", "/api/plainOffers", "/api/offers", "/api/public/*")
        .permitAll();
}

ResourceServer configuration:

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/api/books").permitAll();
        http.authorizeRequests().antMatchers("/api/plainOffers").permitAll();
        http.authorizeRequests().antMatchers("/api/offers").permitAll();
        http.authorizeRequests().antMatchers("/api/public/*").permitAll();
        //http.authorizeRequests().anyRequest().authenticated().and().httpBasic();
    }
}

Authorization server:

@CrossOrigin
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    @Qualifier("userDetailsService")
    private UserDetailsService userDetailsService;

    @Autowired
    private AuthenticationManager authenticationManager;

    @Value("${api.oauth.tokenTimeout:3600}")
    private int expiration;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer configurer) throws Exception {
        configurer.authenticationManager(authenticationManager);
        configurer.userDetailsService(userDetailsService);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("api")
            .secret("secret")
            .accessTokenValiditySeconds(expiration)
            .scopes("read", "write")
            .authorizedGrantTypes("password", "refresh_token")
            .resourceIds("oauth2-resource");
    }
}

I guess you'll have to add the required restrictions on other urls:

http.authorizeRequests().antMatchers("/api/books","/api/plainOffers","/api/offers","/api/public/*").permitAll();
http.authorizeRequests().anyRequest().authenticated().and().httpBasic();
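The full resource server class with the deny-by-default rule the answer above describes, written out as an added example (it is not the asker's or the answerer's code). Class name, URL patterns and the "oauth2-resource" id are taken from the question; the comments on rule ordering and on what happens when no rule matches are mine.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    // The resource id checked against the token's "aud"/resource ids must match
    // what the authorization server registered for the client via
    // resourceIds("oauth2-resource"). "oauth2-resource" is also Spring's default,
    // so this override only documents the coupling; a mismatch makes every
    // token to this server fail with an invalid-resource-id error.
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId("oauth2-resource");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are evaluated in declaration order and the first match wins,
                // so the narrow public patterns must come before the catch-all.
                .antMatchers("/api/books", "/api/plainOffers", "/api/offers", "/api/public/*")
                    .permitAll()
                // Catch-all: anything not matched above needs an authenticated
                // principal, i.e. a valid access token. Without this line there is
                // simply no rule for the remaining URLs; the security interceptor
                // treats a request with no matching rule as public (its default is
                // not to reject public invocations), which is exactly why the whole
                // API appeared open once only permitAll() rules were declared.
                .anyRequest()
                    .authenticated();
    }
}
```

The `.and().httpBasic()` from the answer is not required on an OAuth2 resource server: bearer tokens are already extracted and validated by the resource server's own filter, so the catch-all rule alone turns the behaviour from "open by omission" into "closed unless listed". A quick check after deploying is to call an unlisted path (for example `/api/anything`) without an `Authorization` header and confirm it returns 401 rather than 200.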

I would like to point out that if you have provided resource_id = api then remove /api and add urls like this ("/books","/plainOffers","/offers","/public/*") in rules.

Then it will work.
