Java Spring Boot OAuth2资源服务器-难以创建可公开访问的路径
我正在试验Spring Boot安全性OAuth2。我想公开一些路径;也就是说,不需要身份验证。但是,我收到以下错误:Java Spring Boot OAuth2资源服务器-难以创建可公开访问的路径,java,spring-boot,spring-security,spring-security-oauth2,Java,Spring Boot,Spring Security,Spring Security Oauth2,我正在试验Spring Boot安全性OAuth2。我想公开一些路径;也就是说,不需要身份验证。但是,我收到以下错误: {“error”:“unauthorized”,“error_description”:“访问此资源需要完全身份验证”} 公共控制员 @RequestMapping("/public") public class PublicController { @RequestMapping(method= RequestMethod.GET) public St
{“error”:“unauthorized”,“error_description”:“访问此资源需要完全身份验证”}
公共控制员
@RequestMapping("/public")
public class PublicController {
@RequestMapping(method= RequestMethod.GET)
public String test() {
return "Hello World!";
}
}
现在,通常这是一件好事(因为安全性是目标),但是,我已经明确告诉应用程序在该路径上执行permitAll()
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.password.PasswordEncoder;
import com.midamcorp.resource_server.service.OAuthUserDetailsService;
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private OAuthUserDetailsService userService;
@Autowired
private PasswordEncoder passwordEncoder;
@Bean
@Override
protected AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
}
// Hash password
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService)
.passwordEncoder(passwordEncoder);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests().antMatchers("/public/**")
.permitAll()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.httpBasic()
.realmName("test")
.and()
.csrf()
.disable();
}
}
我尝试了各种组合,包括使用antMatches(/**)和删除and()之后的部分。但是,我仍然收到相同的错误
谢谢
编辑:
ResourceServerConfig
@EnableResourceServer
@Configuration
public class ResourceServerConifig extends ResourceServerConfigurerAdapter {
@Autowired
private TokenStore tokenStore;
private final AppConfig appConfig;
private AuthenticationManager authenticationManager;
@Autowired
public ResourceServerConifig(AuthenticationManager authenticationManager, AppConfig appConfig) {
this.authenticationManager = authenticationManager;
this.appConfig = appConfig;
}
@Bean
@Primary //Making this primary to avoid any accidental duplication with another token service instance of the same name
ResourceServerTokenServices tokenServices() {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore);
defaultTokenServices.setSupportRefreshToken(true);
return defaultTokenServices;
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenServices(tokenServices());
}
}
应用程序配置
@Configuration
@EnableResourceServer
public class AppConfig {
@Bean
public TokenStore tokenStore() {
// return new JwtTokenStore(accessTokenConverter());
return new JwtTokenStore((jwtTokenEnhancer()));
}
@Bean
protected JwtAccessTokenConverter jwtTokenEnhancer() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
Resource resource = new ClassPathResource("public.cert");
String publicKey = null;
try {
publicKey = new String(FileCopyUtils.copyToByteArray(resource.getInputStream()));
} catch (IOException e) {
throw new RuntimeException(e);
}
converter.setVerifierKey(publicKey);
return converter;
}
}
在application.yml中,您可以添加以下内容:
security:
ignored: /public,/public/**
谢谢,但是在我的应用程序中添加了
security.ignored=/public,/public/**
。属性并没有解决这个问题(这让我有点吃惊)。Spring Boot的配置被@EnableWebSecurity
覆盖,所以属性不应该改变任何内容。我想这三个配置都在同一个web应用程序中。因此,您必须更改顺序和匹配器。默认情况下,资源服务器配置的顺序为3,并且与/**
匹配。您的自定义配置具有订单100,并且与/**
匹配。既然使用了JWT,这个应用程序还需要额外的AppConfig和SecurityConfig吗?只需要ResourceServerConfig。其他一切都由生成JWT令牌的AuthorizationServer处理。@EnableResourceServer不需要令牌存储、令牌服务或AuthenticationManager。@dur更改顺序(通过@order(n)
注释)确实解决了问题。感谢您的洞察力,也感谢DaShaun的帮助。