stackoom
  简体   繁体   中英

Spring Boot REST API 401 on public endpoint?

 原文  2020-01-18 21:12:22       java/ spring/ rest/ spring-boot/ spring-security

Question

I am getting 401 Unauthorized on not secured endpoint responsible for registering:

this is my Config class I use:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
//@FieldDefaults(level = PRIVATE, makeFinal = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    private static final RequestMatcher PUBLIC_URLS = new OrRequestMatcher(
            new AntPathRequestMatcher("/public/**")
    );
    private static final RequestMatcher PROTECTED_URLS = new NegatedRequestMatcher(PUBLIC_URLS);

    @Autowired
    TokenAuthenticationProvider provider;

    SecurityConfig() {
        super();
        System.out.println("XXXXXXXXXXXX");
        System.out.println("XXXXXXXXXXXX");
        //this.provider = requireNonNull(provider);
    }

    @Override
    protected void configure(final AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(provider);
    }

    @Override
    public void configure(final WebSecurity web) {
        web.ignoring().requestMatchers(PUBLIC_URLS);
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
                .sessionManagement()
                .sessionCreationPolicy(STATELESS)
                .and()
                .exceptionHandling()
                // this entry point handles when you request a protected page and you are not yet
                // authenticated
                .defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), PROTECTED_URLS)
                .and()
                .authenticationProvider(provider)
                .addFilterBefore(restAuthenticationFilter(), AnonymousAuthenticationFilter.class)
                .authorizeRequests()
                .requestMatchers(PROTECTED_URLS)
                .authenticated()
                .and()
                .csrf().disable()
                .formLogin().disable()
                .httpBasic().disable()
                .logout().disable();
    }

    @Bean
    TokenAuthenticationProvider tokenAuthenticationProvider() {
        return new TokenAuthenticationProvider();
    }

    @Bean
    TokenAuthenticationFilter restAuthenticationFilter() throws Exception {
        final TokenAuthenticationFilter filter = new TokenAuthenticationFilter(PROTECTED_URLS);
        filter.setAuthenticationManager(authenticationManager());
        filter.setAuthenticationSuccessHandler(successHandler());
        return filter;
    }

    @Bean
    SimpleUrlAuthenticationSuccessHandler successHandler() {
        final SimpleUrlAuthenticationSuccessHandler successHandler = new SimpleUrlAuthenticationSuccessHandler();
        successHandler.setRedirectStrategy(new NoRedirectStrategy());
        return successHandler;
    }

    /**
     * Disable Spring boot automatic filter registration.
     */
    @Bean
    FilterRegistrationBean disableAutoRegistration(final TokenAuthenticationFilter filter) {
        final FilterRegistrationBean registration = new FilterRegistrationBean(filter);
        registration.setEnabled(false);
        return registration;
    }

    @Bean
    AuthenticationEntryPoint forbiddenEntryPoint() {
        return new HttpStatusEntryPoint(FORBIDDEN);
    }
}

So for now I have public endpoints responsible for registering and login, but I cannot access them via Postman and browser. Is something wrong with implementing this config class? What can cause this problem?

1 answers

solution1
 0  2020-01-19 06:06:02

Use configure(WebSecurity web) for publicly accessible endpoints, it will not apply the security filter chain for specified endpoints.

@Override
    public void configure(WebSecurity web) throws Exception {
        web
          .ignoring()
            .antMatchers("/public/**")
    }

OR Try to change the order for configure(final HttpSecurity http) . Add .requestMatchers(PROTECTED_URLS) before the filters and entrypoint.

@Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
        .csrf().disable()
        .authorizeRequests()
        .requestMatchers(PROTECTED_URLS)
        .authenticated()
        .and()
        .exceptionHandling()
        .defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), PROTECTED_URLS)
        .and()
        .sessionManagement()
        .sessionCreationPolicy(STATELESS)
        .and()
        .authenticationProvider(provider)
        .addFilterBefore(restAuthenticationFilter(), AnonymousAuthenticationFilter.class)
        .formLogin().disable()
        .httpBasic().disable()
        .logout().disable();
    }

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring Boot REST API POST 401 Unauthorized Calling AirTable Rest API via Spring Boot returning 401 Android HttpURLConnection always unauthorized 401 response (Spring Boot REST API) Spring Boot Application - what is default timeout for any rest API endpoint or a easy config to control all endpoint timeout API Rest with Spring Boot 401- Unauthorized authentication using REST API Dynamics CRM with Azure AD from a Spring Boot app keycloak (spring boot) Not authenticating REST endpoint Spring Boot rest endpoint with path /error Spring Boot: Manage Multiple Endpoint with Rest Template? Spring boot rest controller endpoint not working
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM