我想提出我的API公开的一些网址。但是,一旦我设定一个单一的网址,我所有的API变得擅自暴露。
下面ResourceServerConfiguration类的我配置方法:
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/api/books","/api/plainOffers","/api/offers","/api/public/*").permitAll();
}
ResourceServer配置:
@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/api/books").permitAll();
http.authorizeRequests().antMatchers("/api/plainOffers").permitAll();
http.authorizeRequests().antMatchers("/api/offers").permitAll();
http.authorizeRequests().antMatchers("/api/public/*").permitAll();
//http.authorizeRequests().anyRequest().authenticated().and().httpBasic();
}
}
授权服务器:
@CrossOrigin
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig
extends AuthorizationServerConfigurerAdapter{
@Autowired
@Qualifier("userDetailsService")
private UserDetailsService userDetailsService;
@Autowired
private AuthenticationManager authenticationManager;
@Value("${api.oauth.tokenTimeout:3600}")
private int expiration;
@Override
public void configure(AuthorizationServerEndpointsConfigurer configurer) throws Exception {
configurer.authenticationManager(authenticationManager);
configurer.userDetailsService(userDetailsService);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("api")
.secret("secret")
.accessTokenValiditySeconds(expiration)
.scopes("read", "write")
.authorizedGrantTypes("password", "refresh_token")
.resourceIds("oauth2-resource");
}
}
我想你必须添加其他的URL所需要的限制:
http.authorizeRequests().antMatchers("/api/books","/api/plainOffers","/api/offers","/api/public/*").permitAll();
http.authorizeRequests().anyRequest().authenticated().and().httpBasic();
我想指出的是,如果您提供RESOURCE_ID = API然后删除/ API,并添加网址,像这样(“/书籍”,“/ plainOffers”,“/报价”,“/公/ *”)的规则。
然后,它会奏效。