我具有以下websecurityconfig,并希望允许任何人访问登录页面,但是当我尝试登录时,它将引发未授权的异常。当我尝试发送/ user / create请求时,它可以很好地工作。
http.httpBasic().disable()
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/actuator/**").hasAuthority(Role.ADMIN.toString())
.antMatchers("/").permitAll()
.antMatchers(HttpMethod.DELETE,"/user/remove").hasAnyAuthority(Role.ADMIN.toString(), Role.USER.toString())
.antMatchers(HttpMethod.PUT, "/user/create").permitAll()
.antMatchers(HttpMethod.POST, "**/login", "login", "/login").permitAll() // trying combinations of login path
.antMatchers("/admin/**").hasAuthority(Role.ADMIN.toString())
.and()
.apply(new JwtConfig(jwtTokenProvider));
这里是登录控制器。我将调试器放在返回行中,此时执行不发生事件。安全引发异常。
@RestController
@RequestMapping // I also tried @RequestMapping({"","/"})
public class PublicController {
@Autowired
AuthenticationService authenticationService;
@PostMapping(value = "login", consumes = "application/json")
public GenericResponse login(@RequestBody UserLoginDTO userLoginDTO) {
return authenticationService.login(userLoginDTO); // never reached this line
}
}
我该如何处理?
而不是仅在HTTP POST上使用复杂的antMatcher,为什么不这样做:
.antMatchers("/login*").permitAll()
您还需要能够通过GET访问登录页面,并且该简单映射将适用于您的所有登录情况。
如果使用以下配置选项,Spring Security将自动处理登录:
http
...
.and()
.formLogin()
.loginPage("/login") // the page Spring should redirect to
.loginProcessingUrl("/login/do") // this will process a POST request with `application/form-url-encoded` parameters
.permitAll()