在我的Spring启动项目中,我有一些需要身份验证的端点,而另一些则不需要。我正在使用spring-security-oauth2-autoconfigure
依赖项。问题是,当我想使用无效的access_token访问不需要身份验证的资源时,出现错误"error": "invalid_token"
。如果我的方法不安全,如何防止检查访问令牌?
ResourceServerConfiguration.java
@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.headers().frameOptions().disable().and().authorizeRequests().antMatchers("/graphql/**")
.permitAll();
}
}
WebSecurityConfiguration.java
@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/oauth/token").permitAll()
.anyRequest().authenticated().and().httpBasic().and().csrf().disable();
}
}
要为特定资源禁用spring安全链,您可以为WebSecurityConfiguration类中的模式添加忽略Web请求,如下所示:>
@Override
public void configure(WebSecurity webSecurity) throws Exception
{
webSecurity
.ignoring()
.antMatchers("/resourcename**");
}