Spring Security OAuth2: all URLs are permitted
I want to expose some URLs of my API publicly. But as soon as I configure a single URL, my whole API becomes exposed without authorization.

Below is the configure method of my ResourceServerConfiguration class:
```java
@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers("/api/books", "/api/plainOffers", "/api/offers", "/api/public/*").permitAll();
}
```
ResourceServer configuration:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/api/books").permitAll();
        http.authorizeRequests().antMatchers("/api/plainOffers").permitAll();
        http.authorizeRequests().antMatchers("/api/offers").permitAll();
        http.authorizeRequests().antMatchers("/api/public/*").permitAll();
        // No catch-all rule: requests that match none of the matchers above are not restricted.
        //http.authorizeRequests().anyRequest().authenticated().and().httpBasic();
    }
}
```
Authorization server:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.web.bind.annotation.CrossOrigin;

@CrossOrigin
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    @Qualifier("userDetailsService")
    private UserDetailsService userDetailsService;

    @Autowired
    private AuthenticationManager authenticationManager;

    // Access token lifetime in seconds, 3600 unless api.oauth.tokenTimeout is set.
    @Value("${api.oauth.tokenTimeout:3600}")
    private int expiration;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer configurer) throws Exception {
        configurer.authenticationManager(authenticationManager);
        configurer.userDetailsService(userDetailsService);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Single in-memory client using the password and refresh_token grants;
        // "oauth2-resource" is the resource id the resource server must declare.
        clients.inMemory()
            .withClient("api")
            .secret("secret")
            .accessTokenValiditySeconds(expiration)
            .scopes("read", "write")
            .authorizedGrantTypes("password", "refresh_token")
            .resourceIds("oauth2-resource");
    }
}
```
I think you have to add the required restriction on the other URLs:

```java
http.authorizeRequests().antMatchers("/api/books", "/api/plainOffers", "/api/offers", "/api/public/*").permitAll();
http.authorizeRequests().anyRequest().authenticated().and().httpBasic();
```

I would like to point out that if you have provided resource_id = api, remove /api and add the URLs to the rule like this (e.g. "/books", "/plainOffers", "/offers", "/public/*").

Then it will work.
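The fix the answer describes, written out as a complete resource server configuration together with a check that the policy actually holds. This is an added example, not code from the question or the answer: the package name, the `/api/private/**` endpoint, the restriction of the public matchers to GET, and the existence of controllers behind `/api/offers` and `/api/public/health` are assumptions made for illustration. The point it demonstrates is that overriding `configure(HttpSecurity)` in a `ResourceServerConfigurerAdapter` replaces the adapter's default `anyRequest().authenticated()`, so a rule list that contains only `permitAll()` matchers leaves every other URL open; the catch-all has to be put back, and it has to come last because rules are evaluated in order with the first match winning.

```java
// File: src/main/java/com/example/api/security/ResourceServerConfiguration.java (hypothetical path)
package com.example.api.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    // Must equal one of the resourceIds(...) registered for the client on the
    // authorization server; the question's client uses "oauth2-resource".
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId("oauth2-resource");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Bearer-token API: no HTTP session, so a stolen session id is not a concern.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // Narrow allow-list first. Limiting it to GET is an assumption of this
                // example: writes to the same paths still require a token.
                .antMatchers(HttpMethod.GET, "/api/books", "/api/plainOffers", "/api/offers").permitAll()
                // "/api/public/*" matches a single path segment only; "**" also opens
                // nested paths such as /api/public/docs/v1. Pick the one you mean.
                .antMatchers(HttpMethod.GET, "/api/public/**").permitAll()
                // Catch-all last. Without this line every URL not listed above is
                // served to anonymous callers, which is exactly the symptom in the question.
                .anyRequest().authenticated();
    }
}

// File: src/test/java/com/example/api/security/ResourceServerPolicyTest.java (hypothetical path)
// Verifies the policy instead of assuming it; assumes controllers exist for the
// public paths and for /api/private/orders.
//
// package com.example.api.security;
//
// import org.junit.jupiter.api.Test;
// import org.springframework.beans.factory.annotation.Autowired;
// import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
// import org.springframework.boot.test.context.SpringBootTest;
// import org.springframework.test.web.servlet.MockMvc;
// import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
// import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
//
// @SpringBootTest
// @AutoConfigureMockMvc
// class ResourceServerPolicyTest {
//
//     @Autowired
//     MockMvc mvc;
//
//     @Test
//     void publicUrlsAreOpenWithoutAToken() throws Exception {
//         mvc.perform(get("/api/offers")).andExpect(status().isOk());
//         mvc.perform(get("/api/public/health")).andExpect(status().isOk());
//     }
//
//     @Test
//     void everythingElseRequiresAValidToken() throws Exception {
//         // No Authorization header: the OAuth2 entry point answers 401, not a login redirect.
//         mvc.perform(get("/api/private/orders")).andExpect(status().isUnauthorized());
//         // A malformed bearer token is rejected the same way.
//         mvc.perform(get("/api/private/orders").header("Authorization", "Bearer not-a-real-token"))
//            .andExpect(status().isUnauthorized());
//     }
// }
```

The test class is shown commented out only so the two files fit one listing; in a project it lives under `src/test` as its own file. The `everythingElseRequiresAValidToken` case is the one that would have failed against the question's original configuration, so keep it: a later refactor that drops the `anyRequest()` line will fail the build rather than silently reopen the API.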
Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please credit this site's URL or the original URL. For any questions, contact yoyou2525@163.com.