How to authorize endpoints for anonymous users with Spring Security

Date: 2019-05-28 19:58:47

Tags: spring-boot soap spring-security

I'm developing a SOAP web service with Spring Boot and Spring Security using basic authentication. Authentication works, but I want to authorize anonymous users to access a number of endpoints. I don't know how to do that. I thought about creating 2 WSDLs, one for the endpoints with authentication and another for the endpoints without authentication. Is that possible? Or can the endpoints be annotated with something like @PreAuthorize(permitAll), or can Spring Security be customized?

What is the right approach, and how do I do it?

Thanks.

I tried this:

    @PayloadRoot(namespace = NAMESPACE_URI, localPart = "createAuthorRequest")
    @ResponsePayload
    @PreAuthorize("permitAll()")
    public CreateAuthorResponse createAuthor(
            @RequestPayload CreateAuthorRequest request
    ) throws WSException {
        return authorService.createAuthor(request);
    }

Or custom Spring Security:

    public void configure(HttpSecurity httpSecurity) throws Exception {

        httpSecurity
            .httpBasic()
                .and()
            .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/ws/createAuthor", "/ws/createAuthorRequest", "/ws/createAuthor**").permitAll()
                .antMatchers(HttpMethod.GET, "/ws/createAuthor", "/ws/createAuthorRequest", "/ws/createAuthor**").permitAll()
                .antMatchers(HttpMethod.PUT, "/ws/createAuthor", "/ws/createAuthorRequest", "/ws/createAuthor**").permitAll()
                .anyRequest().authenticated()
                .and()
            .csrf().disable().headers().frameOptions().disable();
    }

But it didn't change anything. With SOAP, I don't know how to get the name of the endpoint being called. Here is the Spring Security log:


    2019-05-29 22:49:39.060  INFO 8228 --- [io-8080-exec-10] Spring Security Debugger                 :

    ************************************************************

    Request received for POST '/ws':

    org.apache.catalina.connector.RequestFacade@7445a104

    servletPath:/ws
    pathInfo:null
    headers:
    accept-encoding: gzip,deflate
    content-type: text/xml;charset=UTF-8
    soapaction: ""
    content-length: 516
    host: localhost:8080
    connection: Keep-Alive
    user-agent: Apache-HttpClient/4.1.1 (java 1.5)

1 answer:

Answer 0 (score: -1)

> Or can the endpoints be annotated with something like @PreAuthorize(permitAll)?

If you use @PreAuthorize in your controllers, you just need to add @PreAuthorize("permitAll()")


> Or can Spring Security be customized?

In your custom security configuration, add all the endpoints that you want to be public or unauthenticated to antMatchers, and set them to permitAll

Example:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class SecSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                // permit all access to these endpoints
                // (ant patterns must start with "/": a pattern like "endpoint3/**"
                // never matches a request path, which always starts with "/")
                .antMatchers("/endpoint1", "/endpoint2", "/endpoint3/**").permitAll()
                // any other request needs to be authenticated
                .anyRequest().authenticated();
        }
    }

You can also specify the HTTP method to allow by adding the method as a parameter before the list of endpoints

    .antMatchers(HttpMethod.GET, "/endpoint1", "/endpoint2", "/endpoint3/**").permitAll()
    .antMatchers(HttpMethod.PUT, "/endpoint1", "/endpoint3/**").permitAll()
    .antMatchers(HttpMethod.POST, "/endpoint3/**").permitAll()
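Added example (editor's code, not the question's or the answer's). The debug log in the question shows why URL-based antMatchers cannot solve this: every SOAP operation arrives as `POST '/ws'` with `servletPath:/ws` and `pathInfo:null`, so a URL such as `/ws/createAuthor` is never seen by the server, and `anyRequest().authenticated()` rejects the call at the filter chain before `@PreAuthorize("permitAll()")` on the endpoint method can run. The example below moves the per-operation decision to the Spring-WS layer: the filter chain lets `/ws/**` through, still processes an `Authorization: Basic` header when a client sends one, and `@PreAuthorize` on each `@PayloadRoot` method decides per operation once Spring-WS has routed the SOAP body by its root element. It assumes Spring Boot 2.x with Spring-WS and Spring Security 5 (`WebSecurityConfigurerAdapter`, as on the page), a `WebServiceConfig` mapping the message dispatcher servlet to `/ws/*`, the namespace `http://example.com/authors`, an `AuthorService`, and WSDL-generated `CreateAuthor*`/`GetAuthor*` classes; all of those names are assumptions.

```java
// WsSecurityConfig.java  (added example; assumes Spring Boot 2.x, Spring-WS, Spring Security 5)
package com.example.ws;

import java.util.Properties;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.ws.soap.server.endpoint.SoapFaultMappingExceptionResolver;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // without this, @PreAuthorize is ignored
public class WsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Every operation is POST /ws (see the debug log), so the URL cannot
            // tell createAuthor from getAuthor. Let /ws through at the HTTP layer
            // and decide per operation in the endpoint class below.
            .authorizeRequests()
                .antMatchers("/ws/**").permitAll()
                .anyRequest().authenticated()
                .and()
            // Still parse "Authorization: Basic" when a client sends it, so an
            // authenticated caller reaches the endpoint as a real principal rather
            // than as the anonymous one. Wrong credentials are still answered 401.
            .httpBasic()
                .and()
            // SOAP clients carry no CSRF token; keep the service stateless.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    // Map the AccessDeniedException raised by @PreAuthorize to a SOAP Client fault
    // instead of the generic Server fault Spring-WS would otherwise produce.
    @Bean
    public SoapFaultMappingExceptionResolver accessDeniedFaultResolver() {
        SoapFaultMappingExceptionResolver resolver = new SoapFaultMappingExceptionResolver();
        Properties mappings = new Properties();
        mappings.setProperty(AccessDeniedException.class.getName(),
                "CLIENT,Authentication required for this operation");
        resolver.setExceptionMappings(mappings);
        resolver.setOrder(1); // run before the default resolver
        return resolver;
    }
}

// AuthorEndpoint.java  (same added example; AuthorService and the *Request/*Response
// classes are assumed to be WSDL-generated, as in the question)
package com.example.ws;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.ws.server.endpoint.annotation.Endpoint;
import org.springframework.ws.server.endpoint.annotation.PayloadRoot;
import org.springframework.ws.server.endpoint.annotation.RequestPayload;
import org.springframework.ws.server.endpoint.annotation.ResponsePayload;

@Endpoint
public class AuthorEndpoint {

    private static final String NAMESPACE_URI = "http://example.com/authors"; // assumed

    private final AuthorService authorService;

    public AuthorEndpoint(AuthorService authorService) {
        this.authorService = authorService;
    }

    // Public operation: anonymous callers are allowed. The annotation is not
    // strictly needed because the filter chain already permits /ws; it is kept
    // so the intent is visible next to the protected operation.
    @PreAuthorize("permitAll()")
    @PayloadRoot(namespace = NAMESPACE_URI, localPart = "getAuthorRequest")
    @ResponsePayload
    public GetAuthorResponse getAuthor(@RequestPayload GetAuthorRequest request) {
        return authorService.getAuthor(request);
    }

    // Protected operation: the check runs after Spring-WS has routed the SOAP body
    // by its root element, so it applies per operation although the URL is always
    // /ws. isAuthenticated() is false for the anonymous principal, so a call without
    // valid Basic credentials gets the Client fault mapped above.
    @PreAuthorize("isAuthenticated()")
    @PayloadRoot(namespace = NAMESPACE_URI, localPart = "createAuthorRequest")
    @ResponsePayload
    public CreateAuthorResponse createAuthor(@RequestPayload CreateAuthorRequest request) {
        return authorService.createAuthor(request);
    }
}
```

Method security works here because the `@Endpoint` bean is proxied like any other Spring bean, so the class must not be final and the call must go through the proxy (which Spring-WS's `MessageDispatcher` does). To verify the split, send a `createAuthorRequest` to `/ws` once without credentials and once with a valid `Authorization: Basic` header: the first should come back as a SOAP Client fault with the mapped fault string, the second should succeed, while `getAuthorRequest` succeeds either way. Role-based rules (`hasRole('ADMIN')`) work the same way on any operation.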