尽管有authorizeRequests().anyRequest().permitAll(),spring-security返回401 [英] spring-security returns 401 despite authorizeRequests().anyRequest().permitAll()
问题描述
我正在使用spring-security
和spring-security-oauth2
(JWT访问令牌)进行身份验证和授权.这个想法是让所有请求通过,但能够区分经过身份验证的用户和未经身份验证的用户.一旦启用@EnableResourceServer
,我配置的HttpSecurity
似乎就会被忽略.并要求返回401:
I'm using spring-security
and spring-security-oauth2
(JWT access tokens) for authentication and authorization. The idea is to let all requests through, but to be able to distinguish between authenticated users and unauthenticated users. As soon as I enable @EnableResourceServer
my configured HttpSecurity
seems to get ignored. And requests return 401:
{
"error": "unauthorized",
"error_description": "Full authentication is required to access this resource"
}
这是配置:
@SpringBootApplication
@EnableJpaRepositories
@ComponentScan
@EntityScan
@EnableWebSecurity
public class Application {
public static void main(final String[] args) {
new SpringApplicationBuilder(Application.class).bannerMode(Banner.Mode.OFF).run(args);
}
@EnableResourceServer
public static class SecurityConfig extends WebSecurityConfigurerAdapter implements JwtAccessTokenConverterConfigurer {
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests().anyRequest().permitAll();
}
@Override
public void configure(final JwtAccessTokenConverter converter) {
final DefaultAccessTokenConverter conv = new DefaultAccessTokenConverter();
conv.setUserTokenConverter(userAuthenticationConverter());
converter.setAccessTokenConverter(conv);
}
@Bean
public UserAuthenticationConverter userAuthenticationConverter() {
return new ResourceAuthenticationConverter();
}
}
推荐答案
您快到了.这很容易解决- @ EnableResourceServer的javadoc 提供了答案:
You're almost there. It's an easy fix - the javadoc of @EnableResourceServer provides the answer:
用户应添加此批注并提供@Bean类型 ResourceServerConfigurer(例如,通过ResourceServerConfigurerAdapter) 指定资源的详细信息(URL路径和资源 id).
Users should add this annotation and provide a @Bean of type ResourceServerConfigurer (e.g. via ResourceServerConfigurerAdapter) that specifies the details of the resource (URL paths and resource id).
但是,您正在使用WebSecurityConfigurerAdapter
.只需将其更改为ResourceServerConfigurerAdapter
并增强configure
的可见性即可:
You're using a WebSecurityConfigurerAdapter
however. Just change it to ResourceServerConfigurerAdapter
and enhance the visibility of configure
:
@EnableResourceServer
public static class SecurityConfig extends ResourceServerConfigurerAdapter implements JwtAccessTokenConverterConfigurer {
// snip
@Override
public void configure(final HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests().anyRequest().permitAll();
}
// snip
这篇关于尽管有authorizeRequests().anyRequest().permitAll(),spring-security返回401的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!