Warning: file_get_contents(/data/phpspider/zhask/data//catemap/9/spring-boot/5.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Java Spring Boot OAuth2资源服务器-难以创建可公开访问的路径_Java_Spring Boot_Spring Security_Spring Security Oauth2 - Fatal编程技术网
Fatal编程技术网
  • java/
  • Java Spring Boot OAuth2资源服务器-难以创建可公开访问的路径

Java Spring Boot OAuth2资源服务器-难以创建可公开访问的路径

java spring-boot spring-security

Java Spring Boot OAuth2资源服务器-难以创建可公开访问的路径,java,spring-boot,spring-security,spring-security-oauth2,Java,Spring Boot,Spring Security,Spring Security Oauth2,我正在试验Spring Boot安全性OAuth2。我想公开一些路径;也就是说,不需要身份验证。但是,我收到以下错误: {“error”:“unauthorized”,“error_description”:“访问此资源需要完全身份验证”} 公共控制员 @RequestMapping("/public") public class PublicController { @RequestMapping(method= RequestMethod.GET) public St

我正在试验Spring Boot安全性OAuth2。我想公开一些路径;也就是说,不需要身份验证。但是,我收到以下错误:

{“error”:“unauthorized”,“error_description”:“访问此资源需要完全身份验证”}

公共控制员

    @RequestMapping("/public")
public class PublicController {
    @RequestMapping(method= RequestMethod.GET)
    public String test() {
        return "Hello World!";
    }
}
现在,通常这是一件好事(因为安全性是目标),但是,我已经明确告诉应用程序在该路径上执行permitAll()

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.password.PasswordEncoder;

import com.midamcorp.resource_server.service.OAuthUserDetailsService;


@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private OAuthUserDetailsService userService;

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Bean
    @Override
    protected AuthenticationManager authenticationManager() throws Exception {
        return super.authenticationManager();
}

    // Hash password
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService)
        .passwordEncoder(passwordEncoder);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
       http
       .authorizeRequests().antMatchers("/public/**")
       .permitAll()
       .and()
              .sessionManagement()
               .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
               .and()
               .httpBasic()
               .realmName("test")
               .and()
               .csrf()
               .disable();

    }
}
我尝试了各种组合,包括使用antMatches(/**)和删除and()之后的部分。但是,我仍然收到相同的错误

谢谢

编辑:

ResourceServerConfig

@EnableResourceServer
@Configuration
public class ResourceServerConifig extends ResourceServerConfigurerAdapter {

    @Autowired
    private TokenStore tokenStore;

     private final AppConfig appConfig; 

    private AuthenticationManager authenticationManager;

    @Autowired
    public  ResourceServerConifig(AuthenticationManager authenticationManager, AppConfig appConfig) {
        this.authenticationManager = authenticationManager;
        this.appConfig = appConfig;
    }


    @Bean
    @Primary //Making this primary to avoid any accidental duplication with another token service instance of the same name
   ResourceServerTokenServices tokenServices() {
        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore);
        defaultTokenServices.setSupportRefreshToken(true);
        return defaultTokenServices;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.tokenServices(tokenServices());
    }   


}
应用程序配置

@Configuration
@EnableResourceServer
public class AppConfig {

       @Bean
       public TokenStore tokenStore() {
        //  return new JwtTokenStore(accessTokenConverter());
           return new JwtTokenStore((jwtTokenEnhancer()));
       }


        @Bean
        protected JwtAccessTokenConverter jwtTokenEnhancer() {
            JwtAccessTokenConverter converter =  new JwtAccessTokenConverter();
            Resource resource = new ClassPathResource("public.cert");
            String publicKey = null;
            try {
                publicKey = new String(FileCopyUtils.copyToByteArray(resource.getInputStream()));
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
            converter.setVerifierKey(publicKey);
            return converter;
        }

}
在application.yml中,您可以添加以下内容:

security:
  ignored: /public,/public/**
谢谢,但是在我的应用程序中添加了
security.ignored=/public,/public/**
。属性并没有解决这个问题(这让我有点吃惊)。Spring Boot的配置被
@EnableWebSecurity
覆盖,所以属性不应该改变任何内容。我想这三个配置都在同一个web应用程序中。因此,您必须更改顺序和匹配器。默认情况下,资源服务器配置的顺序为3,并且与
/**
匹配。您的自定义配置具有订单100,并且与
/**
匹配。既然使用了JWT,这个应用程序还需要额外的AppConfig和SecurityConfig吗?只需要ResourceServerConfig。其他一切都由生成JWT令牌的AuthorizationServer处理。@EnableResourceServer不需要令牌存储、令牌服务或AuthenticationManager。@dur更改顺序(通过
@order(n)
注释)确实解决了问题。感谢您的洞察力,也感谢DaShaun的帮助。