我试图弄明白为什么在springbootapi中使用刷新令牌时总是得到401状态。
这是 Postman 的请求:
但是auth endpoind没有问题
我不知道为什么会这样。
这是我为端点设置的安全措施。
package com.bolsadeideas.apirest.auth;
import java.util.Arrays;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
// configuracion centralizada de la seguridad de las rutas
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers(HttpMethod.GET, "/api/clientes", "/api/clientes/page/**", "/api/uploads/img/**", "/images/**","/oauth/**").permitAll()
.antMatchers(HttpMethod.POST, "/oauth/**").permitAll()
.antMatchers(HttpMethod.GET, "/api/clientes/{id}").hasAnyRole("USER", "ADMIN")
.antMatchers(HttpMethod.POST, "/api/clientes/upload").hasAnyRole("USER", "ADMIN")
.antMatchers(HttpMethod.POST, "/api/clientes").hasRole("ADMIN")
.antMatchers("/api/clientes/**").hasRole("ADMIN")
.anyRequest().authenticated()
.and().cors().configurationSource(corsConfigurationSource());
}
// PASO 1 crear en bean (metodo inyectable) de la configuracion del cors
@Bean
public CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration config = new CorsConfiguration();
config.setAllowedOrigins(Arrays.asList("http://localhost:4200"));
config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
config.setAllowCredentials(true);
config.setAllowedHeaders(Arrays.asList("Content-Type", "Authorization"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", config);
return source;
}
// PASO 2 registra esta configuracion y la pasa a los interceptores del spring security
@Bean
public FilterRegistrationBean<CorsFilter> corsFilter(){
FilterRegistrationBean<CorsFilter> bean = new FilterRegistrationBean<CorsFilter>(new CorsFilter(corsConfigurationSource()));
bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
return bean;
}
}如你所见,我添加了路线 .antMatchers(HttpMethod.POST, "/oauth/**").permitAll() 但还是不行。
这是整个项目(是一个教育单元)´(项目)
https://github.com/gerguevara/rest-api-springboot/tree/main/src/main/java/com/bolsadeideas/apirest/auth
1条答案
按热度按时间pes8fvy91#
你忘记使用存储,所以你没有存储刷新令牌,这就是为什么你不能得到它,在 Postman 不要忘记添加基本身份验证。