Spring 404 oauth2成功授权后,找不到URI为的HTTP请求的映射
我对SpringRESTOAuth2配置有问题。Springs可以查看并映射我的URL,但在oauth2安全检查成功后,声明没有URL可匹配。但我不知道为什么,因为Spring在应用程序初始化中看到了这一点。 我能够正确地使用/oauth/token进行身份验证并生成token。 我无法处理不需要令牌授权的请求 Spring 4.0.6、Spring security 3.2.4、Spring-security-oauth2.0.1 来自上下文初始化的日志Spring 404 oauth2成功授权后,找不到URI为的HTTP请求的映射,spring,rest,oauth,spring-security-oauth2,Spring,Rest,Oauth,Spring Security Oauth2,我对SpringRESTOAuth2配置有问题。Springs可以查看并映射我的URL,但在oauth2安全检查成功后,声明没有URL可匹配。但我不知道为什么,因为Spring在应用程序初始化中看到了这一点。 我能够正确地使用/oauth/token进行身份验证并生成token。 我无法处理不需要令牌授权的请求 Spring 4.0.6、Spring security 3.2.4、Spring-security-oauth2.0.1 来自上下文初始化的日志 2014-08-29 08:56:26
2014-08-29 08:56:26.415 [Scanner-1] INFO o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped "{[/api/users/{email}],methods=[PUT],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.util.concurrent.Callable<org.springframework.http.ResponseEntity> com.example.user.UserCommandsController.update(java.lang.String)
2014-08-29 08:56:26.416 [Scanner-1] INFO o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped "{[/api/users/{email}],methods=[DELETE],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.util.concurrent.Callable<org.springframework.http.ResponseEntity> com.example.user.UserCommandsController.delete(java.lang.String)
2014-08-29 08:56:26.416 [Scanner-1] INFO o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped "{[/api/users/logout],methods=[POST],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.util.concurrent.Callable<org.springframework.http.ResponseEntity> com.example.user.UserCommandsController.logout()
2014-08-29 08:56:26.416 [Scanner-1] INFO o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped "{[/api/users],methods=[POST],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.util.concurrent.Callable<org.springframework.http.ResponseEntity<java.lang.Void>> com.example.user.UserCommandsController.signup(java.lang.String,java.lang.String)
和配置
@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources.resourceId("sample-resource-id");
}
@Override
public void configure(final HttpSecurity http) throws Exception {
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http
.requestMatchers()
.antMatchers(HttpMethod.POST, "/api/buildings/**")
.antMatchers(HttpMethod.DELETE, "/api/**")
.antMatchers(HttpMethod.PATCH, "/api/**")
.antMatchers(HttpMethod.PUT, "/api/**")
.and()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/api/buildings/**").access("hasRole('ROLE_USER')")
.antMatchers(HttpMethod.DELETE, "/api/**").access("hasRole('ROLE_USER')")
.antMatchers(HttpMethod.PATCH, "/api/**").access("hasRole('ROLE_USER')")
.antMatchers(HttpMethod.PUT, "/api/**").access("hasRole('ROLE_USER')");
}
}
@Controller
@EnableWebSecurity
@Profile("default")
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
/**
* By default all request need authentication. Only those which do not need it, shall be specified explicitly.
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http
.csrf().disable();
http
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/api/buildings/**").permitAll()//to consider anonymous()
.antMatchers(HttpMethod.POST, "/api/users").permitAll()//to consider anonymous()
.antMatchers("/api/admin/**").hasRole("ADMIN")
.anyRequest().authenticated();
}
@Override
protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/app/**","/webjars/**", "/images/**", "/oauth/uncache_approvals", "/oauth/cache_approvals");
}
@Override
@Bean(name = "authenticationManagerBean")
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
用户控制器的一部分
@RestController
@RequestMapping("/api")
public class UserCommandsController {
private final UserService userService;
private AccountRecoveryMailer accountRecoveryMailer;
private MessageSource messageSource;
@Inject
public UserCommandsController(final UserService userService, final AccountRecoveryMailer accountRecoveryMailer,
final MessageSource messageSource) {
this.userService = userService;
this.accountRecoveryMailer = accountRecoveryMailer;
this.messageSource = messageSource;
}
@RequestMapping(value = "/users", method = RequestMethod.POST)
public Callable<ResponseEntity<Void>> signup(@RequestParam String email, @RequestParam String password) {
return () -> {
//do something
};
}
}
我想要实现的是保护所有请求的安全,其中只有部分请求是通过自由访问或可能仅通过授权头进行的,以匹配客户端id。如果使用oAuth2设置服务器,则该服务器可以以安全方式访问https:only。 如果需要提供非securehttp:service,则必须创建另一台服务器 让我们考虑一下,如果你家的门有锁,只有钥匙的人才能进入你的家,你的家是安全的。 如果你在家里再加一扇没有锁的门,你的家就不安全了 若你们想让门不带锁,你们应该把那个扇门安装到其他小屋,以防不安全使用 安全的家和不安全的小屋。
这些可能是您希望在服务器上构建的内容。以下是我的问题的解决方案。这件坏事的根源是豆子的初始化,或者更确切地说是豆子的作用域。顺便说一句,不需要SSL 下面配置错误,请勿盲目复制粘贴 我有两个@ComponentScan类 和我的webapp初始化代码
@Order(2)
public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected String[] getServletMappings() {
return new String[]{"/"};
}
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class<?>[]{ApplicationConfig.class, DataSourceConfig.class, SecurityConfig.class};
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class<?>[]{WebMvcConfig.class};
}
@Override
protected Filter[] getServletFilters() {
CharacterEncodingFilter characterEncodingFilter = new CharacterEncodingFilter();
characterEncodingFilter.setEncoding("UTF-8");
characterEncodingFilter.setForceEncoding(true);
return new Filter[]{characterEncodingFilter};
}
@Override
protected void customizeRegistration(ServletRegistration.Dynamic registration) {
registration.setInitParameter("defaultHtmlEscape", "true");
registration.setInitParameter("spring.profiles.active", "default");
}
}
如您所见,所有类型bean的整个组件类路径扫描将在getRootConfigClasses方法中初始化,并且由于WebMvcConfig.class及其在组件扫描中排除了某些bean类型,因此只有部分bean将在getServletConfigClasses方法中初始化。我认为这对于Spring来说已经足够了,因为来自rootContext的bean可以用于servletContext。并且是,但仅用于web应用程序实例化。SpringSecurityOAuth2没有看到控制器映射
此问题的解决方案是在WebMvcConfig中取消组件扫描,并将getServletConfigClasses方法更改为:
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class<?>[]{ApplicationConfig.class, WebMvcConfig.class};
}
多亏了春豆的快速缓存,一切都会好起来。很抱歉我的回答太晚了。这显然是有道理的,但仍然不起作用。curl-k-X柱https://localhost:8443/api/users -标题内容类型:应用程序/json HTTP错误404访问/api/users时出现问题。原因:由码头供电://
@Order(2)
public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected String[] getServletMappings() {
return new String[]{"/"};
}
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class<?>[]{ApplicationConfig.class, DataSourceConfig.class, SecurityConfig.class};
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class<?>[]{WebMvcConfig.class};
}
@Override
protected Filter[] getServletFilters() {
CharacterEncodingFilter characterEncodingFilter = new CharacterEncodingFilter();
characterEncodingFilter.setEncoding("UTF-8");
characterEncodingFilter.setForceEncoding(true);
return new Filter[]{characterEncodingFilter};
}
@Override
protected void customizeRegistration(ServletRegistration.Dynamic registration) {
registration.setInitParameter("defaultHtmlEscape", "true");
registration.setInitParameter("spring.profiles.active", "default");
}
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class<?>[]{ApplicationConfig.class, WebMvcConfig.class};
}