我有一个端点,我想允许访问而无需基本身份验证。下面的端点如下:
@ApiOperation(value = "Get a image by id", response = ResponseEntity.class)
@RequestMapping(value = "/{id}", method = RequestMethod.GET) //sets the mapping url and the HTTP method
public void getById(@PathVariable("id") Long id, HttpServletResponse response) throws NotFoundException {
ImageView view;
try {
view = manager.get(id);
ByteArrayInputStream in = new ByteArrayInputStream(view.getImageData());
response.setContentType(MediaType.parseMediaType(view.getImageMimeType()).toString());
IOUtils.copy(in, response.getOutputStream());
} catch (NotFoundException e) {
response.setStatus(204); //HttpStatus.NO_CONTENT);
return;
} catch (IOException ioe) {
response.setStatus(400);//HttpState.BAD_REQUEST
return;
}
}
我已经在有类似问题的人上阅读了其他几个堆栈溢出帖子,并看到覆盖安全配置有效。以下是我通过阅读几篇文章设计的解决方案。但是,我仍然遇到问题,并在没有auth请求资源时收到401。不是,完整的路线将是" {host} / service / v1 / images / {id}"
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable() //disable csrf being needed for header in a request
.authorizeRequests() //authorize the following request based on following set rules
.antMatchers(HttpMethod.OPTIONS, "**").permitAll() //allow any user to access this when OPTIONS
.antMatchers(HttpMethod.GET,"**/service/v1/images/**").permitAll() //allows GETS for given route permitted to all users
.anyRequest().authenticated() //catch all: this implies that if nothing matches the above two patterns, then require authentication
.and().httpBasic(); //utilize http basic for authentication
}
任何洞察我可能做错的事情以及如何纠正这一点都将不胜感激。
答案 0 :(得分:1)
为了忽略特定网址的安全性,请执行以下操作:
除了你的
@Override
protected void configure(HttpSecurity http) throws Exception { ... }
您还需要覆盖下一个方法:
@Override
public void configure(WebSecurity web) throws Exception { ... }
在该方法上,您可以编写类似这样的内容,以忽略特定URL的安全性:
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/css/**", "/js/**",
"/app/controllers/**", "/app/partials/**", "/app/*",
"/", "/index.html", "/favicon.ico");
}
上面的示例将禁用指定的蚂蚁匹配器的安全性。
你可以放弃permitAll()