Fixing permitAll() having no effect in a Spring OAuth2 configuration

In Spring Security or OAuth2, intercept every path under a given prefix while letting one sub-path through:

@Override
public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .authorizeRequests()
        // narrower pattern first: the sub-path is public
        .antMatchers("/web/user/**").permitAll()
        // then the wider pattern: everything else under /web/ needs authentication
        .antMatchers("/web/**").authenticated()
        // every path outside /web/ is public
        .anyRequest().permitAll();
}

The rules are applied in declaration order: first the sub-path is let through, then the parent path is intercepted, and finally all remaining paths are let through. The result is that paths starting with /web/ are intercepted, while /web/user/ and every path that does not start with /web/ are allowed.

Note the declaration order: the narrower pattern must be declared before the wider one, because the first matching rule wins.

If the following configuration still fails to let the path /web/member/member-register through:

@Override
public void configure(HttpSecurity http) throws Exception {
    // every request must be authenticated ...
    http.authorizeRequests()
        // ... except the path below, which is let through
        .antMatchers("/web/member/member-register")
        .permitAll()
        .anyRequest().authenticated()
        .and().csrf().disable();
}

Here the resource server is configured to let one endpoint through, yet a front-end request to that endpoint is still intercepted for authentication. The main reason is that the front end adds an Authorization header to every request. If a request does not need authentication, do not add the Authorization header at all; otherwise OAuth2 will still validate the token it finds there, and an expired or invalid token is rejected before the permitAll() rule is even consulted.
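A MockMvc test that checks both points above, the narrower-pattern-first ordering and the effect of a stray Authorization header on a public path. This is an added example, not code from the original post; it assumes a Spring Boot application using the first configure() above (/web/user/** public, /web/** authenticated), hypothetical GET handlers at /web/user/register and /web/orders, and the legacy spring-security-oauth2 resource server, whose token filter answers 401 for an invalid bearer token before the authorizeRequests() rules run.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Assumed: a Spring Boot app using the first configure() above, with GET handlers
// mapped at /web/user/register and /web/orders (hypothetical endpoints).
@SpringBootTest
@AutoConfigureMockMvc
class PermitAllOrderingTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void publicSubPathWithoutAuthorizationHeaderIsAllowed() throws Exception {
        // The narrower /web/user/** rule is declared first, so it wins over /web/**.
        mockMvc.perform(get("/web/user/register"))
               .andExpect(status().isOk());
    }

    @Test
    void parentPathWithoutTokenIsRejected() throws Exception {
        // /web/** is authenticated(): with no token the entry point answers 401.
        mockMvc.perform(get("/web/orders"))
               .andExpect(status().isUnauthorized());
    }

    @Test
    void publicSubPathWithBadBearerTokenIsStillRejected() throws Exception {
        // The resource server's token filter validates any Authorization header it
        // sees before the authorizeRequests() rules run, so a bad token fails even on
        // a permitAll() path. Hence the rule: send no Authorization on public requests.
        mockMvc.perform(get("/web/user/register")
                   .header("Authorization", "Bearer not-a-valid-token"))
               .andExpect(status().isUnauthorized());
    }
}
```

If the ordering is reversed in configure(), the first test fails with 401, which makes the declaration-order rule visible in CI rather than in production.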

If it still has no effect, configure both at once: .ignoringAntMatchers("/payment/*") on the CSRF side and .antMatchers("/payment/*").permitAll() on the authorization side:

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.addFilterAfter(new BigcommerceOriginFilter(bigcommerceVerficationStrategy, ANY_AUTHORIZATION_REDIRECT_PATH, ANY_INSTALL_PATH), LogoutFilter.class);
    http.addFilterAfter(new BigcommerceExistingTokenFilter(this.authorizedClientService, INSTALL_PATH), BigcommerceOriginFilter.class);
    http.addFilterBefore(new UninstallFilter(UNINSTALL_URI, bigcommerceVerficationStrategy, authorizedClientService, converter), OAuth2AuthorizationRequestRedirectFilter.class);

    http.headers().frameOptions().disable()
        /*
        .and()
        .requiresChannel()
        .anyRequest()
        .requiresSecure()
        */
        .and()
        .csrf()
        .ignoringAntMatchers(UNINSTALL_URI + "/*")
        .ignoringAntMatchers("/payment/*") // configure both: CSRF side
        .and()
        .authorizeRequests()
        .mvcMatchers(LOGIN_ENDPOINT).permitAll()
        .mvcMatchers(ANY_INSTALL_PATH).permitAll()
        .mvcMatchers("/favicon.ico").permitAll()
        .mvcMatchers("/css/*").permitAll()
        .mvcMatchers("/js/*").permitAll()
        .mvcMatchers("/images/*").permitAll()
        .antMatchers("/payment/*").permitAll() // configure both: authorization side
        .anyRequest().authenticated()
        .and()
        .logout()
        .logoutUrl(LOGOUT_ENDPOINT)
        .logoutSuccessUrl(LOGIN_ENDPOINT)
        .and()
        .oauth2Login()
        .authorizationEndpoint()
        .authorizationRequestResolver(bigcommerceOauth2AuthorizationRequestResolver)
        .and()
        .redirectionEndpoint().baseUri(ANY_AUTHORIZATION_REDIRECT_PATH) // same as filterProcessesUrl
        .and()
        .tokenEndpoint().accessTokenResponseClient(accessTokenResponseClient) // allows for seamless unit testing
        .and()
        .userInfoEndpoint().userService(userService)
        .and()
        .successHandler(successHandler)
        .loginPage(LOGIN_ENDPOINT) // for use outside of an embedded app since it involves a redirect
        .failureUrl(AUTHENTICATION_FALURE_URL); // see AbstractAuthenticationProcessingFilter
}

Powered by AppBlog.CN     浙ICP备14037229号

Copyright © 2012 - 2021 APP开发技术博客 (APP Development Tech Blog) All Rights Reserved.