Question

我需要通过身份验证才能获得公共资源。

这种结构对我有用，即使我通过身份验证也只能获得我的公共资源。例如，当我尝试通过身份验证后即时发布请求时，我被禁止使用403。

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .cors()
            .and()
            .authorizeRequests()
            .antMatchers("/public/**").permitAll()
            .antMatchers("/private/**").authenticated()
            .antMatchers("/private-scoped").hasAuthority("read:posts");
}

使用此配置，我需要通过身份验证才能访问所有这些资源，甚至公共资源。经过身份验证后，一切正常。

  @Override
protected void configure(HttpSecurity http) throws Exception {
    JwtWebSecurityConfigurer
            .forRS256(audience, issuer)
            .configure(http)
            .cors()
            .and()
            .authorizeRequests()
            .antMatchers("/public/**").permitAll()
            .antMatchers("/private/**").authenticated()
            .antMatchers("/private-scoped").hasAuthority("read:posts");
}

有没有可能将这两种配置组合在一起？

我正在从前端发送jwt令牌。

这是我的配置文件：

import com.auth0.spring.security.api.JwtWebSecurityConfigurer;
import java.util.Arrays;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

/**
 *
 * @author Kamil
 */
@Configuration
@EnableWebSecurity
public class AuthConfig extends WebSecurityConfigurerAdapter {

    @Value(value = "${auth0.apiAudience}")
    private String audience;
    @Value(value = "${auth0.issuer}")
    private String issuer;
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.applyPermitDefaultValues();
        configuration.setAllowedMethods(Arrays.asList("*"));
        configuration.setAllowedOrigins(Arrays.asList("*"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        JwtWebSecurityConfigurer
                .forRS256(audience, issuer)
                .configure(http)
                .cors()
                .and()
                .authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .antMatchers("/private/**").authenticated()
                .antMatchers("/private-scoped").hasAuthority("read:posts");
    }
}

Answer 1

尝试这种方式：

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/public/**").permitAll()
            .antMatchers("/private-scoped").hasAuthority("read:posts")
            .anyRequest().authenticated()
            .and()
            .cors(); 
}

需要进行身份验证才能在春季启动时获得公共资源

1 个答案: