I am developing a SOAP web service with Spring Boot and Spring Security using HTTP Basic authentication. Authentication works, but I want to allow anonymous users to access many of the endpoints, and I don't know how to do it. I am thinking of creating 2 WSDLs, one for the endpoints that require authentication and another for those that don't. Is that possible? Or can endpoints be annotated with something like @PreAuthorize(permitAll), or handled with custom Spring Security configuration?
What is the correct approach, and how do I do it?
Thanks.
I tried this:
    @PayloadRoot(namespace = NAMESPACE_URI, localPart = "createAuthorRequest")
    @ResponsePayload
    @PreAuthorize("permitAll()")
    public CreateAuthorResponse createAuthor(
            @RequestPayload CreateAuthorRequest request
    ) throws WSException {
        return authorService.createAuthor(request);
    }
Or custom Spring Security configuration:
    public void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .httpBasic()
            .and()
            .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/ws/createAuthor", "/ws/createAuthorRequest", "/ws/createAuthor**").permitAll()
                .antMatchers(HttpMethod.GET, "/ws/createAuthor", "/ws/createAuthorRequest", "/ws/createAuthor**").permitAll()
                .antMatchers(HttpMethod.PUT, "/ws/createAuthor", "/ws/createAuthorRequest", "/ws/createAuthor**").permitAll()
                .anyRequest().authenticated()
            .and()
            .csrf().disable().headers().frameOptions().disable();
    }
But nothing changed. With SOAP, I don't know how to get the name of the endpoint being called. Here is the Spring Security log:
2019-05-29 22:49:39.060 INFO 8228 --- [io-8080-exec-10] Spring Security Debugger :
************************************************************
Request received for POST '/ws':
org.apache.catalina.connector.RequestFacade@7445a104
servletPath:/ws
pathInfo:null
headers:
accept-encoding: gzip,deflate
content-type: text/xml;charset=UTF-8
soapaction: ""
content-length: 516
host: localhost:8080
connection: Keep-Alive
user-agent: Apache-HttpClient/4.1.1 (java 1.5)
Answer 0 (score: -1)
Is it possible to annotate the endpoint with something like @PreAuthorize(permitAll)
If you use @PreAuthorize in the controller, just add @PreAuthorize("permitAll()").
Or custom Spring Security configuration?
In a custom security configuration, add all the endpoints you want to be public or accessible without authorization to antMatchers, then set them to permitAll.
Example:
    @Configuration
    @EnableWebSecurity
    public class SecSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                // permit all access to these endpoints (patterns must start with "/" to match the request path)
                .antMatchers("/endpoint1", "/endpoint2", "/endpoint3/**").permitAll()
                // any other request needs to be authenticated
                .anyRequest().authenticated();
        }
    }
You can also specify the HTTP method to allow by adding the method as an argument before the list of endpoints.
    .antMatchers(HttpMethod.GET, "/endpoint1", "/endpoint2", "/endpoint3/**").permitAll()
    .antMatchers(HttpMethod.PUT, "/endpoint1", "/endpoint3/**").permitAll()
    .antMatchers(HttpMethod.POST, "/endpoint3/**").permitAll()
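The log in the question shows why URL matchers cannot separate the operations: every SOAP call arrives as POST '/ws', and the operation is chosen by the payload root element, not by the path. The following is an added example, not code from the question or the answer, that lets /ws through at the HTTP layer and enforces a default-deny rule per operation with method security; it assumes Spring Boot 2.x with Spring Security 5 and Spring-WS, reuses the question's AuthorService and CreateAuthor* types, and makes up the UpdateAuthor* types and the namespace.

```java
// Added example, not code from the question or the answer. Assumes Spring Boot 2.x with
// Spring Security 5 (WebSecurityConfigurerAdapter) and Spring-WS serving the service at /ws.
// AuthorService and CreateAuthor* are the question's types; UpdateAuthor* are made up here.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.ws.server.endpoint.annotation.Endpoint;
import org.springframework.ws.server.endpoint.annotation.PayloadRoot;
import org.springframework.ws.server.endpoint.annotation.RequestPayload;
import org.springframework.ws.server.endpoint.annotation.ResponsePayload;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class WsSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic()
            .and()
            // Every operation is POST /ws, so let it through here: callers without credentials
            // reach the endpoint as anonymous, callers with Basic credentials are authenticated.
            .authorizeRequests().antMatchers("/ws/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .csrf().disable(); // SOAP clients carry no CSRF token; no browser session is involved
    }
}

// Default-deny per operation: anonymous access only where a method explicitly says permitAll().
@Endpoint
@PreAuthorize("isAuthenticated()")
class AuthorEndpoint { // would live in its own file in a real project
    private static final String NAMESPACE_URI = "http://example.invalid/authors"; // placeholder
    private final AuthorService authorService;
    AuthorEndpoint(AuthorService authorService) { this.authorService = authorService; }
    @PayloadRoot(namespace = NAMESPACE_URI, localPart = "createAuthorRequest")
    @ResponsePayload
    @PreAuthorize("permitAll()") // method-level rule overrides the class-level default
    public CreateAuthorResponse createAuthor(@RequestPayload CreateAuthorRequest request) {
        return authorService.createAuthor(request);
    }
    @PayloadRoot(namespace = NAMESPACE_URI, localPart = "updateAuthorRequest")
    @ResponsePayload // no method-level rule: class default applies, anonymous callers get AccessDeniedException
    public UpdateAuthorResponse updateAuthor(@RequestPayload UpdateAuthorRequest request) {
        return authorService.updateAuthor(request);
    }
}
```

A caller that sends wrong Basic credentials is still rejected with 401 by the Basic filter before any endpoint runs; a caller that sends none reaches the endpoint as anonymous and is only admitted to operations marked permitAll().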