Spring Security HTTP 403禁止

时间:2018-11-18 12:08:21

标签: spring rest jersey spring-security-rest

我一直在尝试保护rest-api资源。但是,似乎/auth/** REST-API始终抛出403 Forbidden,即使我在配置上允许它也是如此。见下文

@Override
protected void configure(HttpSecurity http) throws Exception {
    logger.info("Setting Endpoint Security.");

    http
        .authorizeRequests()
        .antMatchers("/auth/**").permitAll()
        .anyRequest().authenticated()
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .csrf().disable();

}

这在扩展WebSecurityConfig的{​​{1}}类上

这是spring安全调试日志

WebSecurityConfigurerAdapter

这是我尝试访问的资源

2018-11-18 20:14:27.923  INFO 8476 --- [nio-8080-exec-1] Spring Security Debugger                 : 

************************************************************

Request received for POST '/api/v1/auth/login':

org.apache.catalina.connector.RequestFacade@1a183946

servletPath:/api/v1
pathInfo:/auth/login
headers: 
content-type: application/x-www-form-urlencoded
cache-control: no-cache
postman-token: 5bd56859-b8e9-4ebf-977c-452f1bce837e
user-agent: PostmanRuntime/7.4.0
accept: */*
host: localhost:8080
cookie: JSESSIONID=D80F964AA5B53DC7F20ACF59606FA719
accept-encoding: gzip, deflate
content-length: 29
connection: keep-alive


Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]


************************************************************

我们很清楚,我正在使用Jersey + Spring Boot

这是Jersey配置

@Path("/auth")
@Component
public class Auth {

    private static final Logger logger = LoggerFactory.getLogger(Auth.class);

    @POST
    @Path("/login")
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    public Response login(@FormParam("username") String user, 
                          @FormParam("password") String pass) {
        logger.info("Form-data [username] {}",user);
        logger.info("Form-data [password] {}",pass);
        return Response.ok().build();
    }

    @POST
    @Path("/logout")
    @Produces({ MediaType.APPLICATION_JSON })
    public String logout() {
        return "Login!";
    } 

}

现在,正如我在@Configuration @ApplicationPath("api/v1") public class JerseyConfig extends ResourceConfig{ public JerseyConfig() { } @PostConstruct public void setUp() { register(Wish.class); register(Auth.class); register(User.class); register(GenericExceptionMapper.class); } } 方法中的http方法系列中所了解的那样。

首先,http自动请求,匹配configure并允许它,其他请求需要得到授权。但是,当我尝试请求/auth/**时,它总是返回http://localhost:8080/api/v1/auth/login

有人可以指出错误,或者我的理解不正确。

1 个答案:

答案 0 :(得分:2)

您的配置仅允许http://localhost:8080/auth/ **不允许http://localhost:8080/api/v1/auth/ **,

因此将其更改为:

.antMatchers("/api/v1/auth/**").permitAll()

它应该是顺序中的第一个

相关问题
最新问题