我有一个可以与oauth2(作为资源服务器)正常工作的spring boot应用程序。没有自定义configure(HttpSecurity http)方法。只有
spring-boot-starter-security
spring-security-oauth2
spring-security-jwt
被添加到pom。
现在我想添加应该不受保护的端点。所以(在许多SO回复之后)我开始添加:
@Configuration
public class Security extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
}
}
然后我得到了:
无法将org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer@6513fd22应用于已构建的对象
完整错误:
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalStateException: Cannot apply org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer@6513fd22 to already built object
那么我应该如何配置我的安全性来为匿名访问添加端点?
答案 0 :(得分:1)
错误来自configure()方法中的空体。
您必须明确指定它。例如(来自我们的工作申请):
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/unprotected/sample/find/**").permitAll()
.antMatchers("/unprotected/another/register").permitAll()
.anyRequest().authenticated().and()
.csrf().disable();
}
匹配/unprotected/sample/find/**和/unprotected/sample/find/**的端点不受保护,其他所有内容都受到保护。
当然,受保护的端点不应该定义任何@PreAuthorize()。