Fatal编程技术网
  • java/
  • Java spring安全性返回401个请求().anyRequest().permitAll()

Java spring安全性返回401个请求().anyRequest().permitAll()

java spring spring-security jwt

Java spring安全性返回401个请求().anyRequest().permitAll(),java,spring,spring-security,jwt,spring-oauth2,Java,Spring,Spring Security,Jwt,Spring Oauth2,我正在使用spring-security和spring-security-oauth2(JWT访问令牌)进行身份验证和授权。其思想是让所有请求都通过,但能够区分经过身份验证的用户和未经身份验证的用户。一旦我启用@EnableResourceServer我配置的HttpSecurity似乎就会被忽略。并请求返回401: { "error": "unauthorized", "error_description": "Full authentication is required t

我正在使用
spring-security
spring-security-oauth2
(JWT访问令牌)进行身份验证和授权。其思想是让所有请求都通过,但能够区分经过身份验证的用户和未经身份验证的用户。一旦我启用
@EnableResourceServer
我配置的
HttpSecurity
似乎就会被忽略。并请求返回401:

{
    "error": "unauthorized",
    "error_description": "Full authentication is required to access this resource"
}
以下是配置:

@SpringBootApplication
@EnableJpaRepositories
@ComponentScan
@EntityScan
@EnableWebSecurity
public class Application {

    public static void main(final String[] args) {
        new SpringApplicationBuilder(Application.class).bannerMode(Banner.Mode.OFF).run(args);
    }

    @EnableResourceServer
    public static class SecurityConfig extends WebSecurityConfigurerAdapter implements JwtAccessTokenConverterConfigurer {

        @Override
        protected void configure(final HttpSecurity http) throws Exception {
            http.csrf().disable();
            http.authorizeRequests().anyRequest().permitAll();
        }

        @Override
        public void configure(final JwtAccessTokenConverter converter) {
            final DefaultAccessTokenConverter conv = new DefaultAccessTokenConverter();
            conv.setUserTokenConverter(userAuthenticationConverter());
            converter.setAccessTokenConverter(conv);

        }

        @Bean
        public UserAuthenticationConverter userAuthenticationConverter() {
            return new ResourceAuthenticationConverter();
        }
    }
你快到了。这是一个简单的解决方案-提供了以下答案:

用户应该添加此注释并提供类型为的@Bean ResourceServerConfigurer(例如,通过ResourceServerConfigurerAdapter) 指定资源的详细信息(URL路径和资源 id)

但是,您使用的是
websecurityConfigureAdapter
。只需将其更改为
ResourceServerConfigurerAdapter
,并增强
configure
的可见性:

@EnableResourceServer
public static class SecurityConfig extends ResourceServerConfigurerAdapter implements JwtAccessTokenConverterConfigurer {
// snip
        @Override
        public void configure(final HttpSecurity http) throws Exception {
            http.csrf().disable();
            http.authorizeRequests().anyRequest().permitAll();
        }
// snip