如何解决spring security JWT公共资源身份验证上的403问题
我试图在SpringBootAPI中使用SpringSecurity实现基于JWT的身份验证,但我不知道我做错了什么。在我的实现中,我允许访问如何解决spring security JWT公共资源身份验证上的403问题,spring,spring-boot,spring-security,Spring,Spring Boot,Spring Security,我试图在SpringBootAPI中使用SpringSecurity实现基于JWT的身份验证,但我不知道我做错了什么。在我的实现中,我允许访问auth/**资源,但当我请求时,例如,/auth/login,我会得到403。它似乎忽视了“公共”资源 csrf()被禁用 这是存储库: 我启用了调试模式,这就是我得到的: Request received for POST '/auth/login?username=wally&password=wally': org.apache.cata
auth/**
资源,但当我请求时,例如,/auth/login
,我会得到403。它似乎忽视了“公共”资源
csrf()
被禁用
这是存储库:
我启用了调试模式,这就是我得到的:
Request received for POST '/auth/login?username=wally&password=wally':
org.apache.catalina.connector.RequestFacade@585d8cc6
servletPath:/auth/login
pathInfo:null
headers:
user-agent: PostmanRuntime/7.26.8
accept: */*
postman-token: 91c2a071-a353-4d77-9c7c-b04a43b94081
host: localhost:8091
accept-encoding: gzip, deflate, br
connection: keep-alive
content-length: 0
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
LogoutFilter
JwtFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
2020-12-22 20:21:15.919 DEBUG 6288 --- [nio-8091-exec-2] o.s.security.web.FilterChainProxy : Securing POST /auth/login?username=wally&password=wally
2020-12-22 20:21:15.937 DEBUG 6288 --- [nio-8091-exec-2] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2020-12-22 20:21:15.948 DEBUG 6288 --- [nio-8091-exec-2] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2020-12-22 20:21:15.960 INFO 6288 --- [nio-8091-exec-2] Spring Security Debugger :
************************************************************
Request received for POST '/error?username=wally&password=wally':
org.apache.catalina.core.ApplicationHttpRequest@6d88bc8c
servletPath:/error
pathInfo:null
headers:
user-agent: PostmanRuntime/7.26.8
accept: */*
postman-token: 91c2a071-a353-4d77-9c7c-b04a43b94081
host: localhost:8091
accept-encoding: gzip, deflate, br
connection: keep-alive
content-length: 0
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
LogoutFilter
JwtFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
2020-12-22 20:21:15.961 DEBUG 6288 --- [nio-8091-exec-2] o.s.security.web.FilterChainProxy : Securing POST /error?username=wally&password=wally
2020-12-22 20:21:15.961 DEBUG 6288 --- [nio-8091-exec-2] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2020-12-22 20:21:15.967 DEBUG 6288 --- [nio-8091-exec-2] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2020-12-22 20:21:15.998 DEBUG 6288 --- [nio-8091-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor : Failed to authorize filter invocation [POST /error?username=wally&password=wally] with attributes [authenticated]
2020-12-22 20:21:16.022 DEBUG 6288 --- [nio-8091-exec-2] o.s.s.w.a.Http403ForbiddenEntryPoint : Pre-authenticated entry point called. Rejecting access
2020-12-22 20:21:16.025 DEBUG 6288 --- [nio-8091-exec-2] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
您的@Configuration类必须实现webmvcconfiguer
编辑还可以通过使用
@EnableWebSecurity
对config类进行注释来启用该类中的Web安全性,但它是否需要实现其任何方法?到目前为止,这些更改似乎还不起作用。您是否已使用注释@EnableWebSecurity
启用了Web安全性?dm_tr实际上只是添加了您提供的方法使其起作用。我已经在使用注释,不需要实现接口。我只是想理解为什么它只适用于这种方法。谢谢忽略告诉您的安全上下文不要控制antMatchers中的URL。如果这回答了您的问题,请将其标记为正确答案,以帮助未来的读者。快乐编码
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/assets/**",);
}