这是我的第一时间,当我决定编写具有完整Java代码配置的基于Spring Boot和Spring Security的应用程序时,我遇到了无法克服的怪异问题。我正在尝试使用Postman测试API,并且只有当我将content-type用作 application / x-www-form-urlencoded 时,我的请求才会被接受。下面,我粘贴所有当前配置。
@SpringBootApplication
public class OpenIdApplication {
public static void main(String[] args) {
SpringApplication.run(OpenIdApplication.class, args);
}
}
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private UserService userService;
@Autowired
public SecurityConfig(UserService userService) {
this.userService = userService;
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService);
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(11);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/register/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.and()
.cors()
.and()
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
}
@RestController
public class UserController {
...
@PostMapping(value = "/register")
public ResponseEntity<Object> registerUser(
@RequestBody UserRegistrationDto newUser, BindingResult bindingResult) {
...
}
@Data
@Builder
@NoArgsConstructor
@AllArgsConstructor
public class UserRegistrationDto {
private String username;
private String firstName;
private String lastName;
private String email;
private String password;
private String passwordRepeat;
}
如果要登录,我只能使用提到的内容类型来执行此操作。对于 application / json ,我得到403响应状态。对于 / registration 端点,如果我从方法参数中删除@RequestBody,则它可以与 application / x-www-form-urlencoded 请求一起正常工作,但是如果我保留它,则对于这种内容类型我得到415,但是如果我尝试使用 application / json ,那么我看到的是403。我还尝试了在此端点上方添加@PreAutorize(“ permitAll()”)批注,添加将httpBasic()设置为Spring Security配置-导致响应状态从403更改为401。
我尝试向该端点发送2种不同的JSON:
{
"username":"test",
"firstName":"Test",
"lastName":"Test",
"email":"test@test.com",
"password":"test",
"passwordRepeat":"test",
"_csrf":"8b7d4680-5be4-482a-9138-b4eb92a358c1"
}
{
"newUser": {
"username":"test",
"firstName":"Test",
"lastName":"Test",
"email":"test@test.com",
"password":"test",
"passwordRepeat":"test"
},
"_csrf":"8b7d4680-5be4-482a-9138-b4eb92a358c1"
}
当然,每次我都确保 _csrf 与我的API返回的匹配。
我正在使用Spring Boot 2.0.1.RELEASE和Spring Security 5.0.3.RELEASE。
答案 0 :(得分:1)
我非常确定,当您发布到"/register/**"
时,Ant模式/register/
会匹配以/register
(See examples here)开头的所有URL(结束)。您应该尝试
.antMatchers("/register*").permitAll()
或
.mvcMatchers(HttpMethod.POST, "/register").permitAll()
第一个与任何以/register
开头的URL匹配,第二个与您的@PostMapping
完全匹配。