
Spring Security OAuth2 allows all URLs

[EN] Spring Security Oauth2 all urls are permitted

I want to expose some URLs of my API publicly. But as soon as I configure a single URL, all of my API becomes accessible without authorization.

Below is the configure method of my ResourceServerConfiguration class:

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/api/books", "/api/plainOffers", "/api/offers", "/api/public/*").permitAll();
    }

ResourceServer configuration:

    @Configuration
    @EnableResourceServer
    public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().antMatchers("/api/books").permitAll();
            http.authorizeRequests().antMatchers("/api/plainOffers").permitAll();
            http.authorizeRequests().antMatchers("/api/offers").permitAll();
            http.authorizeRequests().antMatchers("/api/public/*").permitAll();
            //http.authorizeRequests().anyRequest().authenticated().and().httpBasic();
        }
    }

Authorization server:

    @CrossOrigin
    @Configuration
    @EnableAuthorizationServer
    public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

        @Autowired
        @Qualifier("userDetailsService")
        private UserDetailsService userDetailsService;

        @Autowired
        private AuthenticationManager authenticationManager;

        @Value("${api.oauth.tokenTimeout:3600}")
        private int expiration;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer configurer) throws Exception {
            configurer.authenticationManager(authenticationManager);
            configurer.userDetailsService(userDetailsService);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                .withClient("api")
                .secret("secret")
                .accessTokenValiditySeconds(expiration)
                .scopes("read", "write")
                .authorizedGrantTypes("password", "refresh_token")
                .resourceIds("oauth2-resource");
        }
    }

I think you have to add the required restriction on the other URLs:

    http.authorizeRequests().antMatchers("/api/books","/api/plainOffers","/api/offers","/api/public/*").permitAll();
    http.authorizeRequests().anyRequest().authenticated().and().httpBasic();

I want to point out that if you have provided resource_id = api, remove /api and add the URLs in the rules like this (for example "/books", "/plainOffers", "/offers", "/public/*").

Then it will work.
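Why the question's override opened everything, and the shape of the fix the answer describes, as an added example that is not code from the original post or from Spring Security itself. ResourceServerConfigurerAdapter's default configure(HttpSecurity) is just http.authorizeRequests().anyRequest().authenticated(); overriding it with only permitAll() matchers discards that fallback, so a request that matches none of the listed patterns has no access rule at all and the security interceptor lets it through. The example below keeps the question's public paths, reuses the scope names ("read", "write") and the resource id ("oauth2-resource") from the question's authorization server, and restores the fallback. The split of the remaining /api/** routes by HTTP method, the RESOURCE_ID constant and the stateless session policy are my assumptions about a sensible layout, not something the question states.

```java
// Added example (not from the original post). Targets the spring-security-oauth2
// API (ResourceServerConfigurerAdapter) that the question uses.
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    // Must equal the resourceIds(...) registered for the client on the
    // authorization server ("oauth2-resource" in the question). It is also the
    // library default, so this constant only makes the coupling visible.
    private static final String RESOURCE_ID = "oauth2-resource";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // stateless(true) is an assumption: bearer-token APIs normally keep no session.
        resources.resourceId(RESOURCE_ID).stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // Rules are evaluated top to bottom; the first matching rule wins,
                // so the public endpoints come first.
                .antMatchers("/api/books", "/api/plainOffers", "/api/offers").permitAll()
                // "/api/public/*" matches one path segment, as in the question;
                // use "/api/public/**" if nested paths should also be public.
                .antMatchers("/api/public/*").permitAll()
                // Everything else under /api needs a token with a matching scope.
                // (Scopes "read"/"write" come from the client definition in the question.)
                .antMatchers(HttpMethod.GET, "/api/**").access("#oauth2.hasScope('read')")
                .antMatchers("/api/**").access("#oauth2.hasScope('write')")
                // The fallback the question's override dropped. Without it, a URL
                // that matches none of the patterns above has no rule and passes.
                .anyRequest().authenticated();
    }
}
```

A quick way to confirm the fix is to request an unlisted path such as /api/anything-else without an Authorization header and check for a 401 instead of a 200; with the question's original override that request succeeds, which is exactly the symptom reported. The #oauth2.hasScope(...) expressions are evaluated by the OAuth2 expression handler that @EnableResourceServer installs, so no extra wiring is needed for them.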



Guangdong ICP filing no. 18138465  © 2020-2024 STACKOOM.COM