I created my own API so that the UI can request data from it. But I am using JHipster, which implements Spring Security to authenticate API requests. When I log in to the application and access the API directly via the URL (localhost:9090/api/lesson), it returns a 401 for both my user role and the admin role.
{
"type" : "https://www.jhipster.tech/problem/problem-with-message",
"title" : "Unauthorized",
"status" : 401,
"detail" : "Full authentication is required to access this resource",
"path" : "/api/lesson",
"message" : "error.http.401"
}
I checked the security configuration, and the /api/** path is set to authenticated, which leaves me confused as to why I cannot access the resource after logging in.
protected void configure(HttpSecurity http) throws Exception {
    http
        .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
        .exceptionHandling()
        .authenticationEntryPoint(problemSupport)
        .accessDeniedHandler(problemSupport)
        .and()
        .csrf()
        .disable()
        .headers()
        .frameOptions()
        .disable()
        .and()
        .sessionManagement()
        // Stateless: no HTTP session; every request must carry its own JWT in the
        // Authorization header, otherwise it is anonymous.
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        // No leading slash: the pattern is matched against the servlet path, which always
        // starts with "/", so this rule never matches and /api/lesson falls through to the
        // "/api/**" authenticated() rule below.
        .antMatchers("api/lesson").permitAll()
        .antMatchers("/api/register").permitAll()
        .antMatchers("/api/activate").permitAll()
        .antMatchers("/api/authenticate").permitAll()
        .antMatchers("/api/account/reset-password/init").permitAll()
        .antMatchers("/api/account/reset-password/finish").permitAll()
        .antMatchers("/api/profile-info").permitAll()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/management/health").permitAll()
        .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        .antMatchers("/v2/api-docs/**").permitAll()
        .antMatchers("/swagger-resources/configuration/ui").permitAll()
        .antMatchers("/swagger-ui/index.html").hasAuthority(AuthoritiesConstants.ADMIN)
        .and()
        .apply(securityConfigurerAdapter());
}
Although my API is not created the way JHipster's are, for example using CrudRepository instead of JPA, I don't think that would be a problem. But I may be wrong.
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Spring MVC prepends the missing "/" to request-mapping paths, so this is served at /api/lesson.
@RequestMapping("api/lesson")
@RestController
public class LessonAPI {

    private final LessonService service;

    public LessonAPI(@Autowired LessonService service) {
        this.service = service;
    }

    @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
    public List<Lesson> getAllLessons() {
        return service.getAllLessons();
    }
}
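As an added check (example test, not code from the question or the answer), a Spring Boot MockMvc test that pins the behaviour the question describes for /api/lesson: no token gives 401, a garbage token gives 401, and an authenticated principal gets 200. It assumes the JHipster application context loads in tests (the usual generated test profile), that "ROLE_USER" is the value of JHipster's AuthoritiesConstants.USER, and the class name LessonApiSecurityIT is a placeholder.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

// Added example test (placeholder class name), not part of the question or the answer.
// Runs the real Spring Security filter chain of the application against /api/lesson.
@SpringBootTest
@AutoConfigureMockMvc
class LessonApiSecurityIT {

    @Autowired
    private MockMvc mockMvc;

    // Same situation as typing the URL into the browser: the JWT is kept in web storage,
    // so no Authorization header is sent and the authentication entry point answers 401.
    @Test
    void requestWithoutTokenIsRejected() throws Exception {
        mockMvc.perform(get("/api/lesson").accept(MediaType.APPLICATION_JSON))
            .andExpect(status().isUnauthorized());
    }

    // A malformed or forged token must not be treated as a login either.
    @Test
    void requestWithInvalidTokenIsRejected() throws Exception {
        mockMvc.perform(get("/api/lesson")
                .header(HttpHeaders.AUTHORIZATION, "Bearer not-a-valid-jwt") // constructed value
                .accept(MediaType.APPLICATION_JSON))
            .andExpect(status().isUnauthorized());
    }

    // Any authenticated principal reaches the controller, since "/api/**" only
    // requires authenticated(), not a specific authority.
    @Test
    @WithMockUser(authorities = "ROLE_USER") // assumed value of JHipster's AuthoritiesConstants.USER
    void authenticatedUserCanListLessons() throws Exception {
        mockMvc.perform(get("/api/lesson").accept(MediaType.APPLICATION_JSON))
            .andExpect(status().isOk());
    }
}
```

If the first test fails with 200, the permitAll rule is matching more than intended; if the last fails with 401, the JWT filter is not populating the security context for the request.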
Answer 0: (score: 1)
Why not use it like the following:
http
    .cors()
    .and()
    .csrf()
    .disable()
    .exceptionHandling()
    .authenticationEntryPoint(unauthorizedHandler)
    .and()
    .sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and()
    .authorizeRequests()
    .antMatchers("/")
    .permitAll()
    .antMatchers("/api/auth/**", "/api/user/exist")
    .permitAll()
    .antMatchers("/api/user/checkUsernameAvailability", "/api/user/checkEmailAvailability")
    .permitAll()
    .antMatchers(HttpMethod.GET, "/api/polls/**", "/api/users/**", "/api/gift/**")
    .permitAll()
    .anyRequest()
    .authenticated();