Spring mvc 弹簧安全钳不工作

Spring security antMatcher未按预期工作

我正在用kotlin运行Spring启动应用程序 当我试图访问

/service status/v1/task/status

我已经在AntMatcherPermit的下面代码中添加了这个url

这给了我未经授权的错误

@Configuration
@EnableWebSecurity
class SecurityConfig(val authenticationEntryPoint: AuthenticationEntryPoint) : WebSecurityConfigurerAdapter() {

    @Autowired
    @Throws(Exception::class)
    fun configureGlobal(auth: AuthenticationManagerBuilder) {
        auth.inMemoryAuthentication()
                .withUser("user").password(passwordEncoder().encode("pass"))
                .authorities("ROLE_USER")
    }

    @Throws(Exception::class)
    override fun configure(http: HttpSecurity?) {
        http?.csrf()?.disable()
                ?.authorizeRequests()
                ?.antMatchers(
                        "/",
                        "/service-status/v1/task/status",
                        "/*.html",
                        "/*.js",
                        "/favicon.ico",
                        "/**/*.html",
                        "/**/*.css",
                        "/**/*.png",
                        "/webjars/**",
                        "/configuration/**",
                        "/v2/**",
                        "/swagger-resources/**",
                        "/**/*.js")?.permitAll()
                ?.anyRequest()?.authenticated()
                ?.and()
                ?.httpBasic()
                ?.authenticationEntryPoint(authenticationEntryPoint)
    }


    @Bean
    fun passwordEncoder(): PasswordEncoder {
        return BCryptPasswordEncoder()
    }


}

获取错误如下所示

{
    "timestamp": "2019-05-09T08:37:25.976+0000",
    "status": 401,
    "error": "Unauthorized",
    "message": "Unauthorized",
    "path": "/service-status/v1/task/status"
}

身份验证入口点

@Component
class AuthenticationEntryPoint : BasicAuthenticationEntryPoint(){
    override fun commence(request: HttpServletRequest?, response: HttpServletResponse?, authException: AuthenticationException?) {
        response?.addHeader("WWW-Authenticate", "Basic realm=$realmName")
        response?.status = HttpServletResponse.SC_UNAUTHORIZED
        response?.writer?.println("HTTP Status 401 - " + authException?.message)
    }

    override fun afterPropertiesSet() {
        realmName = "service-status"
        super.afterPropertiesSet()
    }
}

---

如何解决这个问题？

我已经添加了下面两行，现在它可以工作了

.antMatchers("/service-status/v1/task/status").permitAll()
.antMatchers("/service-status/v1/task/status/**").permitAll()

完整形式

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint).and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests()
                .antMatchers(
                        HttpMethod.GET,
                        "/",
                        "/csrf",
                        "/service-status/v1/task/status",
                        "/swagger-ui.html",
                        "/*.html",
                        "/*.js",
                        "/favicon.ico",
                        "/**/*.html",
                        "/**/*.css",
                        "/**/*.png",
                        "/webjars/**",
                        "/configuration/**",
                        "/v2/**",
                        "/swagger-resources/**",
                        "/**/*.js"
                ).permitAll()
                .antMatchers("/api/v1/auth/**").permitAll()
                .antMatchers("/service-status/v1/task/status").permitAll()
                .antMatchers("/service-status/v1/task/status/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .httpBasic();
        http.headers().cacheControl();
    }

---

您是否在请求中发送了HTTP

Authentication

头？您使用Spring Boot吗？在我看来，调用的顺序很重要，也许您可以反转antMatcher（“”.permitAll和anyRequest（）.authenticated（）。您可以将HttpSecurity参数设置为不可为null。我使用的是spring boot，我不发送任何头文件