spring 如何在Sping Boot 3或更高版本中允许所有匿名访问?

8i9zcol2  于 2022-12-26  发布在  Spring
关注(0)|答案(2)|浏览(301)

从2.7.6升级到Sping Boot 3.0.0后,无法访问公共API。

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http
        .csrf(CsrfConfigurer::disable)
        .authorizeHttpRequests(requests -> requests
            .anyRequest().authenticated())
            .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
            .build();
}

@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
    return web -> web
                     .ignoring()
                         .requestMatchers(CorsUtils::isPreFlightRequest)    
                         .requestMatchers("/actuator/**", "/graphiql/**", "/voyager/**", "/vendor/**", "/rest/**",
                             "/swagger-ui/**", "/v3/api-docs/**");
}
spring

2条答案

按热度按时间
11dmarpk

11dmarpk1#

你就快到了:将带有permitAllrequestMatchers移动到SecurityFilterChain定义(并删除WebSecurityCustomizer):

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http.csrf(CsrfConfigurer::disable)
        .authorizeHttpRequests(requests -> requests
            .requestMatchers("/resources/**", "/signup", "/about").permitAll() 
            .anyRequest().authenticated())
        .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
        .build();
}

注意事项:

  • 如果不同时禁用http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)会话,则永远不要禁用CSRF保护
  • CORS也配置了安全过滤器链:http.cors().configurationSource(corsConfigurationSource())
  • 您可能需要通过向JWToauth2ResourceServer配置器提供您自己的jwtAuthenticationConverter,将角色、组或授权服务器作为私有声明填充的任何内容Map到Spring授权

您可以在没有Java conf的情况下(只有几个属性)使用thin wrappers围绕spring-boot-starter-oauth2-resource-server完成以上所有操作我写道:
x一个一个一个一个x一个一个二个一个x一个一个三个一个
完整的(简短的)教程(仅包含spring库或"my" Package 器):https://github.com/ch4mpy/spring-addons/tree/master/samples/tutorials

赞(0)分享  回复(0)举报  2022-12-26
e0bqpujr

e0bqpujr2#

方法没有太大变化。
样品:

@Bean
SecurityFilterChain web(HttpSecurity http) throws Exception {
    http
        // ...
        .authorizeHttpRequests(authorize -> authorize                                  
            .requestMatchers("/resources/**", "/signup", "/about").permitAll()         
            .requestMatchers("/admin/**").hasRole("ADMIN")                             
            .requestMatchers("/db/**").access(new WebExpressionAuthorizationManager("hasRole('ADMIN') and hasRole('DBA')"))   
            // .requestMatchers("/db/**").access(AuthorizationManagers.allOf(AuthorityAuthorizationManager.hasRole("ADMIN"), AuthorityAuthorizationManager.hasRole("DBA")))   
            .anyRequest().denyAll()                                                
        );

    return http.build();
}

https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html提供
编辑:要完成我的回答,您可以访问所有方法,因此要设置资源服务器,您需要添加以下内容:

@Bean
SecurityFilterChain web(HttpSecurity http) throws Exception {
    http
        // ...
        .authorizeHttpRequests(authorize -> authorize                                  
            // ...                                                
        )
        .and()
        .oauth2ResourceServer( OAuth2ResourceServerConfigurer::jwt )

    return http.build();
}

请记住添加与OAuth2提供程序对应的变量

spring.security.oauth2.resourceserver.jwt.issuer-uri=https://{your-ouath2-provider}/{issuer-uri}
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://{your-ouath2-provider}/{jwk-uri} (optionnal)

链接取决于您的oauth2提供程序。
有关资源所有者服务器的详细信息:https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/index.html

赞(0)分享  回复(0)举报  2022-12-26
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备2022004421号-2 NULL123 https://www.null123.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com