Java Spring Security returns 401 for requests with .anyRequest().permitAll()
I am using spring-security and spring-security-oauth2 (JWT access tokens) for authentication and authorization. The idea is to let all requests through, but be able to distinguish between authenticated and unauthenticated users. As soon as I enable @EnableResourceServer, my configured HttpSecurity seems to be ignored, and requests return 401:

    {
        "error": "unauthorized",
        "error_description": "Full authentication is required to access this resource"
    }

Here is the configuration:

    @SpringBootApplication
    @EnableJpaRepositories
    @ComponentScan
    @EntityScan
    @EnableWebSecurity
    public class Application {

        public static void main(final String[] args) {
            new SpringApplicationBuilder(Application.class).bannerMode(Banner.Mode.OFF).run(args);
        }

        @EnableResourceServer
        public static class SecurityConfig extends WebSecurityConfigurerAdapter implements JwtAccessTokenConverterConfigurer {

            // Intended to let every request through, with or without a token.
            @Override
            protected void configure(final HttpSecurity http) throws Exception {
                http.csrf().disable();
                http.authorizeRequests().anyRequest().permitAll();
            }

            // Plug a custom user converter into the JWT access token converter.
            @Override
            public void configure(final JwtAccessTokenConverter converter) {
                final DefaultAccessTokenConverter conv = new DefaultAccessTokenConverter();
                conv.setUserTokenConverter(userAuthenticationConverter());
                converter.setAccessTokenConverter(conv);
            }

            @Bean
            public UserAuthenticationConverter userAuthenticationConverter() {
                return new ResourceAuthenticationConverter();
            }
        }
    }

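You are almost there. This is an easy fix, and the following provides the answer:

"Users should add this annotation and provide a @Bean of type ResourceServerConfigurer (e.g. via ResourceServerConfigurerAdapter) that specifies the details of the resource (URL paths and resource id)."

However, you are using WebSecurityConfigurerAdapter. Just change it to ResourceServerConfigurerAdapter and increase the visibility of configure: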

    @EnableResourceServer
    public static class SecurityConfig extends ResourceServerConfigurerAdapter implements JwtAccessTokenConverterConfigurer {
        // snip
        @Override
        public void configure(final HttpSecurity http) throws Exception {
            http.csrf().disable();
            http.authorizeRequests().anyRequest().permitAll();
        }
        // snip
    }
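
A fuller version of the fixed configuration, as an added example that is not part of the original answer: it sets the resource id the quoted documentation mentions, keeps one path protected, and shows a handler telling authenticated callers from anonymous ones. The resource id example-api, the /account/** and /whoami paths and both class names are assumptions made for illustration.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableResourceServer
class OpenResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(final ResourceServerSecurityConfigurer resources) {
        // Assumed resource id; a token whose "aud" claim lists only other resources is rejected.
        resources.resourceId("example-api");
    }

    @Override
    public void configure(final HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Hypothetical path that must never be served anonymously.
            .antMatchers("/account/**").authenticated()
            // Everything else is reachable without a token.
            .anyRequest().permitAll();
    }
}

@RestController
class WhoAmIController {

    // Spring MVC injects null for an anonymous request, so a null check
    // separates token-bearing callers from unauthenticated ones.
    @GetMapping("/whoami")
    public Map<String, Object> whoAmI(final Principal principal) {
        if (principal == null) {
            return Collections.<String, Object>singletonMap("authenticated", false);
        }
        return Collections.<String, Object>singletonMap("user", principal.getName());
    }
}
```

With this setup a request without a token reaches permitAll() handlers as anonymous, while a request carrying an invalid or expired token is still answered with 401 by the resource server filter before any handler runs.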