Spring OAuth2 authorization server served together with a REST controller, then securing the endpoints

Question (votes: 0, answers: 1)

This is the REST controller's endpoint: /info/**

When I permit all, it works, but when I secure it and then add a token, it does not work.

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {

        OAuth2AuthorizationServerConfigurer authorizationServerConfigurer = new OAuth2AuthorizationServerConfigurer();

        authorizationServerConfigurer.tokenIntrospectionEndpoint(a ->
                a.authenticationProvider(new CustomOAuth2TokenIntrospectionAuthenticationProvider(authorizationService())));
        httpSecurity.apply(authorizationServerConfigurer);

        httpSecurity
                .authorizeHttpRequests(requests -> requests
                        .requestMatchers(new AntPathRequestMatcher("/info/**")).authenticated()
                        .anyRequest().permitAll())
                .cors(AbstractHttpConfigurer::disable)
                .httpBasic(withDefaults())
                .formLogin(withDefaults())
                .addFilterBefore(logRequestResponseFilter, UsernamePasswordAuthenticationFilter.class)
                .csrf(AbstractHttpConfigurer::disable);
        return httpSecurity.build();
    }

Logs

2024-05-09T00:00:26.883+08:00 DEBUG 14264 --- [               ] o.s.web.servlet.DispatcherServlet        : Completed 401 UNAUTHORIZED
2024-05-09T00:00:26.890+08:00 DEBUG 14264 --- [               ] o.s.security.web.FilterChainProxy        : Securing GET /error?userId=5532f935-ca36-4768-87fa-b65fe8741bbf
2024-05-09T00:00:26.893+08:00 DEBUG 14264 --- [               ] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2024-05-09T00:00:26.894+08:00 DEBUG 14264 --- [               ] o.s.security.web.FilterChainProxy        : Secured GET /error?userId=5532f935-ca36-4768-87fa-b65fe8741bbf
2024-05-09T00:00:26.895+08:00 DEBUG 14264 --- [               ] o.s.web.servlet.DispatcherServlet        : "ERROR" dispatch for GET "/error?userId=5532f935-ca36-4768-87fa-b65fe8741bbf", parameters={masked}
2024-05-09T00:00:26.895+08:00 DEBUG 14264 --- [               ] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2024-05-09T00:00:26.904+08:00 DEBUG 14264 --- [               ] o.s.w.s.m.m.a.HttpEntityMethodProcessor  : Using 'application/json', given [*/*] and supported [application/json, application/*+json]
2024-05-09T00:00:26.904+08:00 DEBUG 14264 --- [               ] o.s.w.s.m.m.a.HttpEntityMethodProcessor  : Writing [{timestamp=Thu May 09 00:00:26 SGT 2024, status=401, error=Unauthorized, path=/info/}]
2024-05-09T00:00:26.910+08:00 DEBUG 14264 --- [               ] o.s.web.servlet.DispatcherServlet        : Exiting from "ERROR" dispatch, status 401
2024-05-09T00:00:26.911+08:00 DEBUG 14264 --- [               ] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-05-09T00:00:26.911+08:00  INFO 14264 --- [               ] c.e.O.filter.LogRequestResponseFilter    : LoggingFilterRequestResponse: Servlet Path: /error Request parameter [Key: userId, Value: 5532f935-ca36-4768-87fa-b65fe8741bbf]  Response status code: 401 Response Body: {"timestamp":"2024-05-08T16:00:26.902+00:00","status":401,"error":"Unauthorized","path":"/info/"}
java spring spring-boot spring-security-oauth2
1 Answer
0 votes

Your security filter chain is configured to authorize requests using sessions (formLogin), not access tokens.

You need another security filter chain bean (with @Order, securityMatcher, and oauth2ResourceServer) to authorize requests to certain endpoints using Bearer tokens.
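The second chain described in the answer, as an added example that is not code from the question or the answer. It assumes the access tokens are JWTs verified against a JWKSource bean already defined in the same application; the class and method names are hypothetical.

```java
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class InfoApiSecurityConfig { // hypothetical class name

    // @Order(1) puts this chain ahead of the question's unordered chain
    // (lowest precedence by default), so /info/** is handled here.
    @Bean
    @Order(1)
    public SecurityFilterChain infoApiFilterChain(HttpSecurity http) throws Exception {
        http
                // Only requests under /info/** enter this chain; everything else
                // falls through to the form-login / authorization-server chain.
                .securityMatcher(new AntPathRequestMatcher("/info/**"))
                .authorizeHttpRequests(requests -> requests.anyRequest().authenticated())
                // Authenticate from the "Authorization: Bearer <token>" header.
                .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()))
                // Bearer-token requests carry their own credentials; no HTTP session.
                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }

    // Assumption: a JWKSource bean holding the authorization server's signing keys
    // exists in this application. Omit this method if a JwtDecoder bean is already defined.
    @Bean
    public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
        return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
    }
}
```

With this chain in place, the `/info/**` rule in the original chain is never reached and can be removed. If the server issues opaque tokens instead, `jwt(...)` is replaced by `opaqueToken(...)` pointed at the introspection endpoint.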
