spring-security returns 401 despite authorizeRequests().anyRequest().permitAll()(尽管 authorizeRequests().anyRequest().permitAll() spring-security 返回 401)
问题描述
我正在使用 spring-security 和 spring-security-oauth2(JWT 访问令牌)进行身份验证和授权.这个想法是让所有请求通过,但能够区分经过身份验证的用户和未经身份验证的用户.一旦我启用 @EnableResourceServer 我配置的 HttpSecurity 似乎被忽略.并且请求返回 401:
I'm using spring-security and spring-security-oauth2 (JWT access tokens) for authentication and authorization. The idea is to let all requests through, but to be able to distinguish between authenticated users and unauthenticated users. As soon as I enable @EnableResourceServer my configured HttpSecurity seems to get ignored. And requests return 401:
{
"error": "unauthorized",
"error_description": "Full authentication is required to access this resource"
}
这是配置:
@SpringBootApplication
@EnableJpaRepositories
@ComponentScan
@EntityScan
@EnableWebSecurity
public class Application {
public static void main(final String[] args) {
new SpringApplicationBuilder(Application.class).bannerMode(Banner.Mode.OFF).run(args);
}
@EnableResourceServer
public static class SecurityConfig extends WebSecurityConfigurerAdapter implements JwtAccessTokenConverterConfigurer {
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests().anyRequest().permitAll();
}
@Override
public void configure(final JwtAccessTokenConverter converter) {
final DefaultAccessTokenConverter conv = new DefaultAccessTokenConverter();
conv.setUserTokenConverter(userAuthenticationConverter());
converter.setAccessTokenConverter(conv);
}
@Bean
public UserAuthenticationConverter userAuthenticationConverter() {
return new ResourceAuthenticationConverter();
}
}
推荐答案
你快到了.这是一个简单的修复 - @EnableResourceServer 的 javadoc 提供了答案:
You're almost there. It's an easy fix - the javadoc of @EnableResourceServer provides the answer:
用户应该添加这个注解并提供一个@Bean 类型ResourceServerConfigurer(例如,通过 ResourceServerConfigurerAdapter)指定资源的详细信息(URL 路径和资源id).
Users should add this annotation and provide a @Bean of type ResourceServerConfigurer (e.g. via ResourceServerConfigurerAdapter) that specifies the details of the resource (URL paths and resource id).
但是,您使用的是 WebSecurityConfigurerAdapter.只需将其改为ResourceServerConfigurerAdapter,增强configure的可见性:
You're using a WebSecurityConfigurerAdapter however. Just change it to ResourceServerConfigurerAdapter and enhance the visibility of configure:
@EnableResourceServer
public static class SecurityConfig extends ResourceServerConfigurerAdapter implements JwtAccessTokenConverterConfigurer {
// snip
@Override
public void configure(final HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests().anyRequest().permitAll();
}
// snip
这篇关于尽管 authorizeRequests().anyRequest().permitAll() spring-security 返回 401的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!
本文标题为:尽管 authorizeRequests().anyRequest().permitAll() spring-se
基础教程推荐
- Spring AOP错误无法懒惰地为此建议构建thisJoinPoin 2022-09-13
- 问题http://apache.org/xml/features/xinclude测试日志4j 2 2022-01-01
- 使用堆栈算法进行括号/括号匹配 2022-01-01
- 如何对 Java Hashmap 中的值求和 2022-01-01
- Struts2 URL 无法访问 2022-01-01
- RabbitMQ:消息保持“未确认"; 2022-01-01
- 存储 20 位数字的数据类型 2022-01-01
- 修改 void 函数的输入参数,然后读取 2022-01-01
- REST Web 服务返回 415 - 不支持的媒体类型 2022-01-01
- 无法复制:“比较方法违反了它的一般约定!" 2022-01-01
