Weird Spring Security behavior
I want some REST endpoints to be accessible to all users. But when I use the POST method, the server returns 403 Forbidden. When I use the GET method, it works.
Doesn't work:
```java
import lombok.Data;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .cors().disable()
            .httpBasic().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // anonymous POST to /api/v1/auth is meant to be allowed
                .antMatchers(HttpMethod.POST, "/api/v1/auth").permitAll()
                .anyRequest().authenticated();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        var encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication().passwordEncoder(encoder)
            .withUser("Mike").password(encoder.encode("123")).roles("USER");
    }
}

@RestController
@RequestMapping(value = "/api/v1")
class AuthRestController {

    @PostMapping(value = "/auth")
    public ResponseEntity<User> auth(@RequestBody User user) {
        return ResponseEntity.ok(user);
    }
}

@Data
class User {
    private String name;
}
```
Answer 0 (score: 0)
It looks like you need to disable CSRF protection. Try this:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        ...
}
```
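The answer's fix works because Spring Security's CsrfFilter enforces the token only on state-changing methods (POST, PUT, PATCH, DELETE) and lets GET, HEAD, OPTIONS and TRACE through, which is exactly why the asker's GET succeeded and the POST got a 403. Rather than switching CSRF off for the whole application, the same 403 can be cleared for just the one stateless JSON endpoint. The configuration below is an added example, not code from the question or the answer; the class name `ScopedCsrfSecurityConfiguration` is my choice, and it assumes the same Spring Security 5.x `WebSecurityConfigurerAdapter` style used on this page.

```java
// Added example (not from the question or answer): keep CSRF protection on,
// but exempt only the anonymous JSON endpoint that must accept POST.
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class ScopedCsrfSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic().disable()
            // STATELESS: no HTTP session, so no session cookie that a third-party
            // page could ride on when it triggers a request to this application.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .csrf()
                // Exempt only this path from the token check instead of calling
                // csrf().disable() globally. Any cookie-authenticated endpoint added
                // later is still covered by the default CSRF protection.
                .ignoringAntMatchers("/api/v1/auth")
            .and()
            .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/api/v1/auth").permitAll()
                .anyRequest().authenticated();
    }
}
```

With `httpBasic()` disabled and no session, the browser holds no ambient credential for this application, so the accepted answer's global `csrf().disable()` is not dangerous in this exact setup; the scoped `ignoringAntMatchers` form just makes sure the protection is not silently missing if a cookie-based login is introduced later.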