Spring boot Spring Boot OAuth2 ResourceServer 401与PermitAll
设置是这样的:作为身份验证服务器,我得到了一个密钥斗篷,作为API网关,我使用SpringCloudGateway和Netflix Eureka客户端作为DiscoveryClient。当然,我需要usermanagement,一个“简单”的注册,用于未经身份验证的用户,并将用户注册为具有管理员角色的用户。资源服务器(Usermanagementservice)的WebSecurity配置如下所示:Spring boot Spring Boot OAuth2 ResourceServer 401与PermitAll,spring-boot,spring-security,spring-security-oauth2,Spring Boot,Spring Security,Spring Security Oauth2,设置是这样的:作为身份验证服务器,我得到了一个密钥斗篷,作为API网关,我使用SpringCloudGateway和Netflix Eureka客户端作为DiscoveryClient。当然,我需要usermanagement,一个“简单”的注册,用于未经身份验证的用户,并将用户注册为具有管理员角色的用户。资源服务器(Usermanagementservice)的WebSecurity配置如下所示: @EnableGlobalMethodSecurity(securedEnabled=true,
@EnableGlobalMethodSecurity(securedEnabled=true, prePostEnabled=true)
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception
{
JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(new KeycloakRoleConverter());
http
.authorizeRequests()
.antMatchers("/register/**")
.permitAll()
.and()
.authorizeRequests()
.antMatchers("/usermanagementservice/**")
.hasAnyRole("admin", "anotherrole")
.anyRequest()
.authenticated()
.and()
.oauth2ResourceServer()
.jwt()
.jwtAuthenticationConverter(jwtAuthenticationConverter);
}
}
@RestController
@RequestMapping("/register")
public class RegisterController {
@Autowired
private Service service;
@GetMapping("/status")
public boolean checkStatus()
{
return true;
}
@PostMapping("/create")
public Response createUser(@RequestBody User user)
{
return service.doSomething(user);
}
}
RegisterController如下所示:
@EnableGlobalMethodSecurity(securedEnabled=true, prePostEnabled=true)
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception
{
JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(new KeycloakRoleConverter());
http
.authorizeRequests()
.antMatchers("/register/**")
.permitAll()
.and()
.authorizeRequests()
.antMatchers("/usermanagementservice/**")
.hasAnyRole("admin", "anotherrole")
.anyRequest()
.authenticated()
.and()
.oauth2ResourceServer()
.jwt()
.jwtAuthenticationConverter(jwtAuthenticationConverter);
}
}
@RestController
@RequestMapping("/register")
public class RegisterController {
@Autowired
private Service service;
@GetMapping("/status")
public boolean checkStatus()
{
return true;
}
@PostMapping("/create")
public Response createUser(@RequestBody User user)
{
return service.doSomething(user);
}
}
因此,如果一切都在运行,并且我向本地主机上的API网关发出getRequest:8083/register/status,我将返回布尔值作为响应,如果我向网关发送带有Json对象的POST请求,我将获得401未授权,我在WebSecurityConfig中添加了@Order(1)注释,没有任何更改,例如。我试着去阅读,并且不忘。但是一点运气都没有(如有任何帮助,将不胜感激。提前非常感谢。)
WebSecurityConfig.class的configure方法中缺少了一部分。非常感谢@jzheaux的指导。请分享有关
POST
请求的更多详细信息?有关更多详细信息,请在授权请求
部分中允许使用/error
端点。您也可以考虑打开Spring Security的跟踪日志。@ JZAUX非常感谢您使用Logger-STACK.Trink的想法…我只是个大三学生:D错误是因为csrf没有被禁用。。。非常感谢您,所以“http.csrf.disable”是解决方案……每次都让我感动。