Spring boot JHipster微服务CORS

有没有办法通过网关访问microservice API而无需身份验证？例如，如果我有一个公共登录页，需要从microserviceapi读取数据。我启用了CORS并通过Swagger测试了API，它在gateway应用程序中运行良好；但是，如果使用CURL调用API，则会出现未经授权的错误

这是我尝试执行的CURL命令：

curl -X 'GET' \
  'http://localhost:8080/services/tajvoteservice/api/landing-page-by-organizations' \
  -H 'accept: */*' \
  -H 'X-XSRF-TOKEN: 5d3e3faf-3a3d-4905-bdea-f5ce305d3672'

这是我得到的错误：

{"type":"https://www.jhipster.tech/problem/problem-with-message","title":"Unauthorized","status":401,"detail":"Not Authenticated","path":"/services/tajvoteservice/api/landing-page-by-organizations","message":"error.http.401"}%

这是我的SecurityConfiguration.java配置方法：

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            .csrf()
            .disable()
            .exceptionHandling()
                .authenticationEntryPoint(problemSupport)
                .accessDeniedHandler(problemSupport)
        .and()
            .headers()
            .contentSecurityPolicy(jHipsterProperties.getSecurity().getContentSecurityPolicy())
        .and()
            .referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
        .and()
            .featurePolicy("geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; fullscreen 'self'; payment 'none'")
        .and()
            .frameOptions()
            .deny()
        .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
            .authorizeRequests()
            .antMatchers("/api/auth-info").permitAll()
            .antMatchers("/api/admin/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/api/landing-page-by-organizations/**").permitAll()
            .antMatchers("/api/**").authenticated()
            .antMatchers("/management/health").permitAll()
            .antMatchers("/management/health/**").permitAll()
            .antMatchers("/management/info").permitAll()
            .antMatchers("/management/prometheus").permitAll()
            .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        .and()
            .oauth2ResourceServer()
                .jwt()
                .jwtAuthenticationConverter(authenticationConverter())
                .and()
            .and()
                .oauth2Client();
        // @formatter:on
    }

---

请告知。

谢谢您，马齐奥先生。我在网关的SecurityConfiguration.java中的springSecurityFilterChain方法中添加了路径匹配器：

          .pathMatchers("/services/tajvoteservice/api/landing-page-by-organizations/**").permitAll()

因此，我的网关安全配置的springSecurityFilterChain方法如下所示：

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // @formatter:off
        http
            .securityMatcher(new NegatedServerWebExchangeMatcher(new OrServerWebExchangeMatcher(
                pathMatchers("/app/**", "/i18n/**", "/content/**", "/swagger-ui/**", "/swagger-resources/**", "/v2/api-docs", "/v3/api-docs", "/test/**"),
                pathMatchers(HttpMethod.OPTIONS, "/**")
            )))
            .csrf()
                .csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
        .and()
            // See https://github.com/spring-projects/spring-security/issues/5766
            .addFilterAt(new CookieCsrfFilter(), SecurityWebFiltersOrder.REACTOR_CONTEXT)
            .addFilterAt(new SpaWebFilter(), SecurityWebFiltersOrder.AUTHENTICATION)
            .exceptionHandling()
                .accessDeniedHandler(problemSupport)
                .authenticationEntryPoint(problemSupport)
        .and()
            .headers()
            .contentSecurityPolicy(jHipsterProperties.getSecurity().getContentSecurityPolicy())
            .and()
                .referrerPolicy(ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
            .and()
                .featurePolicy("geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; fullscreen 'self'; payment 'none'")
            .and()
                .frameOptions().disable()
        .and()
            .authorizeExchange()
            .pathMatchers("/").permitAll()
            .pathMatchers("/*.*").permitAll()
            .pathMatchers("/api/auth-info").permitAll()
            .pathMatchers("/services/tajvoteservice/api/landing-page-by-organizations/**").permitAll()
            .pathMatchers("/api/admin/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .pathMatchers("/api/**").authenticated()
            .pathMatchers("/services/**").authenticated()
            .pathMatchers("/management/health").permitAll()
            .pathMatchers("/management/health/**").permitAll()
            .pathMatchers("/management/info").permitAll()
            .pathMatchers("/management/prometheus").permitAll()
            .pathMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN);

        http.oauth2Login()
            .and()
            .oauth2ResourceServer()
                .jwt()
                .jwtAuthenticationConverter(jwtAuthenticationConverter());
        http.oauth2Client();

        // WebFlux
        http.redirectToHttps(redirect -> redirect
            .httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto")));

        // @formatter:on
        return http.build();
    }

现在我可以运行CURL命令：

curl -X 'GET' \
  'http://localhost:8080/services/tajvoteservice/api/landing-page-by-organizations/acfad1dd-2570-4900-a5c2-8f496f88527c' 

瞧，我有JSON数据和组织信息

---

再次感谢你，Marziou先生

您是否检查了触发http 401:网关或服务的应用程序？谢谢您的提问。它来自网关。我通过关闭服务并运行CURL命令来测试这一点；我仍然收到相同的错误。但是您添加到SecurityConfiguration的permitAll（）是来自microservice的，对吗？你在gateway也试过这样做吗？ant matcher应该类似于“/services/tajvoteservice/api/landing page by organizations”。另外，我不明白你为什么在关于授权的问题中提到CORS。我的CORS问题是：对于仅来自www.travelodgefloridacity.com上托管的客户端的“GET”请求，如何限制对“”的访问？Marziou先生概述的解决方案及其在此StackOverflow线程中显示的实现代码将资源“”打开给任何连接到Internet的任意客户端。很高兴它成功了！