我正在尝试使用Spring Boot Security OAuth2。我想公开一些途径;也就是说,不需要身份验证。但是,我收到以下错误:
{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}
PublicController
@RequestMapping("/public")
public class PublicController {
@RequestMapping(method= RequestMethod.GET)
public String test() {
return "Hello World!";
}
}
现在,通常这会是一件好事(因为安全性是目标),但是,我明确告诉应用程序在该路径上允许所有()。
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.password.PasswordEncoder;
import com.midamcorp.resource_server.service.OAuthUserDetailsService;
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private OAuthUserDetailsService userService;
@Autowired
private PasswordEncoder passwordEncoder;
@Bean
@Override
protected AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
}
// Hash password
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService)
.passwordEncoder(passwordEncoder);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests().antMatchers("/public/**")
.permitAll()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.httpBasic()
.realmName("test")
.and()
.csrf()
.disable();
}
}
我尝试了各种组合,包括使用antMatches(/ **)并删除and()之后的部分。但是,我仍然收到同样的错误。
感谢。
编辑:
ResourceServerConfig
@EnableResourceServer
@Configuration
public class ResourceServerConifig extends ResourceServerConfigurerAdapter {
@Autowired
private TokenStore tokenStore;
private final AppConfig appConfig;
private AuthenticationManager authenticationManager;
@Autowired
public ResourceServerConifig(AuthenticationManager authenticationManager, AppConfig appConfig) {
this.authenticationManager = authenticationManager;
this.appConfig = appConfig;
}
@Bean
@Primary //Making this primary to avoid any accidental duplication with another token service instance of the same name
ResourceServerTokenServices tokenServices() {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore);
defaultTokenServices.setSupportRefreshToken(true);
return defaultTokenServices;
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenServices(tokenServices());
}
}
ApplicationConfig
@Configuration
@EnableResourceServer
public class AppConfig {
@Bean
public TokenStore tokenStore() {
// return new JwtTokenStore(accessTokenConverter());
return new JwtTokenStore((jwtTokenEnhancer()));
}
@Bean
protected JwtAccessTokenConverter jwtTokenEnhancer() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
Resource resource = new ClassPathResource("public.cert");
String publicKey = null;
try {
publicKey = new String(FileCopyUtils.copyToByteArray(resource.getInputStream()));
} catch (IOException e) {
throw new RuntimeException(e);
}
converter.setVerifierKey(publicKey);
return converter;
}
}
答案 0 :(得分:-1)
在你的application.yml中你可以添加:
security:
ignored: /public,/public/**