我需要通过身份验证才能获得公共资源。
这种结构对我有用,即使我通过身份验证也只能获得我的公共资源。 例如,当我尝试通过身份验证后即时发布请求时,我被禁止使用403。
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.authorizeRequests()
.antMatchers("/public/**").permitAll()
.antMatchers("/private/**").authenticated()
.antMatchers("/private-scoped").hasAuthority("read:posts");
}
使用此配置,我需要通过身份验证才能访问所有这些资源,甚至公共资源。经过身份验证后,一切正常。
@Override
protected void configure(HttpSecurity http) throws Exception {
JwtWebSecurityConfigurer
.forRS256(audience, issuer)
.configure(http)
.cors()
.and()
.authorizeRequests()
.antMatchers("/public/**").permitAll()
.antMatchers("/private/**").authenticated()
.antMatchers("/private-scoped").hasAuthority("read:posts");
}
有没有可能将这两种配置组合在一起?
我正在从前端发送jwt令牌。
这是我的配置文件:
import com.auth0.spring.security.api.JwtWebSecurityConfigurer;
import java.util.Arrays;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
/**
*
* @author Kamil
*/
@Configuration
@EnableWebSecurity
public class AuthConfig extends WebSecurityConfigurerAdapter {
@Value(value = "${auth0.apiAudience}")
private String audience;
@Value(value = "${auth0.issuer}")
private String issuer;
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.applyPermitDefaultValues();
configuration.setAllowedMethods(Arrays.asList("*"));
configuration.setAllowedOrigins(Arrays.asList("*"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
JwtWebSecurityConfigurer
.forRS256(audience, issuer)
.configure(http)
.cors()
.and()
.authorizeRequests()
.antMatchers("/public/**").permitAll()
.antMatchers("/private/**").authenticated()
.antMatchers("/private-scoped").hasAuthority("read:posts");
}
}
答案 0 :(得分:0)
尝试这种方式:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/public/**").permitAll()
.antMatchers("/private-scoped").hasAuthority("read:posts")
.anyRequest().authenticated()
.and()
.cors();
}