Permit all does not authorize anonymous access
I am trying to make the GET endpoint "/propostas/buscar/propostas-publicas" accept anonymous access, but permitAll() does not allow it.
This is my PUBLIC_MATCHERS_GET, which contains the endpoints I want to open for anonymous access:
private static final String[] PUBLIC_MATCHERS_GET = {
    "/",
    "/editais/**",
    "/propostas/buscar/propostas-publicas",
    "/swagger-ui.html/**",
    "/v2/api-docs/**",
    "/webjars/**",
    "/swagger-resources/**"
};
The overridden configure method (in my custom configuration class, which extends WebSecurityConfigurerAdapter) looks like this:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .cors().and().csrf().disable()
        // Anonymous callers hitting a protected URL get a plain 403 instead of a 401 or a login redirect
        .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
        .and()
        .authorizeRequests()
            // Rules are evaluated in declaration order; the first antMatchers pattern
            // that matches the request decides the outcome, later rules are not consulted
            .antMatchers(HttpMethod.GET, ADMIN_MATCHERS_GET).hasAnyAuthority("ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.PUT, ADMIN_MATCHERS_PUT).hasAnyAuthority("ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.DELETE, ADMIN_MATCHERS_DELETE).hasAnyAuthority("ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.POST, ADMIN_MATCHERS_POST).hasAnyAuthority("ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.GET, PROPONENTE_MATCHERS_GET).hasAnyAuthority("ROLE_P", "ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.POST, PROPONENTE_MATCHERS_POST).hasAnyAuthority("ROLE_P", "ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.PUT, PROPONENTE_MATCHERS_PUT).hasAnyAuthority("ROLE_P", "ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.DELETE, PROPONENTE_MATCHERS_DELETE).hasAnyAuthority("ROLE_P", "ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.GET, DISCENTE_MATCHERS_GET).hasAnyAuthority("ROLE_D", "ROLE_P", "ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.GET, USUARIO_MATCHERS_GET).hasAnyAuthority("ROLE_U", "ROLE_D", "ROLE_P", "ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.PUT, USUARIO_MATCHERS_PUT).hasAnyAuthority("ROLE_U", "ROLE_D", "ROLE_P", "ROLE_A", "ROLE_R")
            .antMatchers(HttpMethod.POST, USUARIO_MATCHERS_POST).hasAnyAuthority("ROLE_U", "ROLE_D", "ROLE_P", "ROLE_A", "ROLE_R")
            // Public rules are declared after the role-restricted ones
            .antMatchers(HttpMethod.GET, PUBLIC_MATCHERS_GET).permitAll()
            .antMatchers(HttpMethod.POST, PUBLIC_MATCHERS_POST).permitAll()
            .antMatchers(PUBLIC_MATCHERS).permitAll()
            .antMatchers("/oauth2/**", "/oauth2/*", "/oauth/*").permitAll()
        .and()
        .authorizeRequests()
            // Catch-all for anything not matched above
            .anyRequest().authenticated()
            // .anyRequest().permitAll()
        .and()
        .oauth2Login()
            .authorizationEndpoint()
                .baseUri("/oauth2/authorize")
                .authorizationRequestRepository(cookieAuthorizationRequestRepository())
            .and()
            .redirectionEndpoint()
                .baseUri("/login/oauth2/code/*")
            .and()
            .userInfoEndpoint()
                .userService(customOAuth2UserService)
            .and()
            .successHandler(oAuth2AuthenticationSuccessHandler)
            .failureHandler(oAuth2AuthenticationFailureHandler);

    // Custom JWT filters run in front of the authorization rules above
    http.addFilter(new JWTAuthenticationFilter(authenticationManager(), jwtUtil));
    http.addFilter(new JWTAuthorizationFilter(authenticationManager(), jwtUtil, userDetailsService));

    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .logout()
            .logoutSuccessUrl("/")
            .clearAuthentication(true)
            .permitAll();

    // Line to use H2 web console
    http.headers().frameOptions().sameOrigin();
}
In Spring Security, order matters. The first match is the one that is used. Move your matchers up. This is the example I use in my project:
http
    .httpBasic().disable()
    .csrf().disable()
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and()
    .authorizeRequests()
        .mvcMatchers(AUTHENTICATION_ENDPOINTS).permitAll()
        .mvcMatchers(ADMIN_ENDPOINTS).hasRole(ADMIN)
        .anyRequest().authenticated();
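The reordering the answer describes, applied to the question's rule set, as an added example that is not code from the question or the answer. Spring Security evaluates antMatchers() rules top to bottom and stops at the first pattern that matches the request, so a rule such as a role-restricted "/propostas/**" declared before the permitAll() entry captures "/propostas/buscar/propostas-publicas" first. The page does not show what PROPONENTE_MATCHERS_GET contains; the "/propostas/**" pattern below is a hypothetical value chosen to make the shadowing visible, and the other matcher arrays, the JWT filters and the OAuth2 login section from the question are omitted.

```java
// Added example, not the question author's code. Shows the permitAll() rules
// moved ABOVE the role-based rules so that the first matching pattern for the
// public endpoint is the permitAll() one.
//
// Assumptions (not from the original post): PROPONENTE_MATCHERS_GET is given an
// illustrative "/propostas/**" pattern; the remaining arrays, beans and the
// OAuth2 login configuration are left out for brevity.
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical content: a broad pattern like this, if declared before the
    // public rules, also matches "/propostas/buscar/propostas-publicas".
    private static final String[] PROPONENTE_MATCHERS_GET = { "/propostas/**" };

    private static final String[] PUBLIC_MATCHERS_GET = {
        "/",
        "/editais/**",
        "/propostas/buscar/propostas-publicas",
        "/swagger-ui.html/**",
        "/v2/api-docs/**",
        "/webjars/**",
        "/swagger-resources/**"
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .cors().and().csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
            .and()
            .authorizeRequests()
                // 1. Public (most specific) rules first: these win for the
                //    endpoints they name because they are checked first.
                .antMatchers(HttpMethod.GET, PUBLIC_MATCHERS_GET).permitAll()
                .antMatchers("/oauth2/**", "/oauth/*").permitAll()
                // 2. Role-restricted rules after them. "/propostas/**" still
                //    protects every other /propostas path, but no longer
                //    shadows the public endpoint declared above.
                .antMatchers(HttpMethod.GET, PROPONENTE_MATCHERS_GET)
                    .hasAnyAuthority("ROLE_P", "ROLE_A", "ROLE_R")
                // 3. Catch-all last: anything not matched above needs a login.
                .anyRequest().authenticated();
        // The question's JWT filters would be added here, unchanged.
    }
}
```

Two checks worth doing after the reorder, both assuming the application listens on localhost:8080: a request with no Authorization header, `curl -i http://localhost:8080/propostas/buscar/propostas-publicas`, should now return 200, while `curl -i http://localhost:8080/propostas/anything-else` should still return 403 from Http403ForbiddenEntryPoint. If the public endpoint still answers 403, the authorizeRequests() rules are probably not the cause: the entry point is only invoked when a rule other than permitAll() matched, or when a filter in front of the rules (for example a custom JWT authorization filter that rejects requests lacking a token instead of passing them down the chain) short-circuited the request before the rules were consulted.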