Java: H2 console and Spring Security - permitAll() not working

vwoqyblh  posted on 2023-03-16 in Java

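I'm creating a REST API and implementing Spring Security. Everything works fine, but I want (for now, while I'm still in development) anyone to be able to open localhost:8080/console without authorization.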

@Override
protected void configure(HttpSecurity http) throws Exception {
    // allow everyone to register an account; /console is just for testing
    http.authorizeRequests().antMatchers("/register", "/console").permitAll();

    http.authorizeRequests().anyRequest().fullyAuthenticated();

    // making H2 console working
    http.headers().frameOptions().disable();

    /*
    https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#when-to-use-csrf-protection
    for non-browser APIs there is no need to use csrf protection
    */
    http.csrf().disable();
}

The really strange thing is that localhost:8080/register doesn't require any authentication, but /console returns:

{
"timestamp": 1485876313847,
"status": 403,
"error": "Forbidden",
"message": "Access Denied",
"path": "/console"
}

Does anyone know how to fix this?

92dk7w1h #1

I had the same problem:

csrf().ignoringAntMatchers("/h2-console/**")

The final WebSecurityConfigurerAdapter:

http.authorizeRequests().antMatchers("/").permitAll()
            .and()
            .authorizeRequests().antMatchers("/h2-console/**").permitAll()
            .and()
            .headers().frameOptions().disable()
            .and()
            .csrf().ignoringAntMatchers("/h2-console/**")
            .and()
            .cors().disable();

emeijp43 #2

I solved the problem with the following:

http.headers().frameOptions().disable();

eaf3rand #3

I have a similar configuration. Can you try this?

http
    .authorizeRequests()
        .antMatchers("/register").permitAll()
        .and()
    .authorizeRequests()
        .antMatchers("/console/**").permitAll();

6tdlim6h #4

I solved the problem with the following:

http.headers().frameOptions().sameOrigin();

qvsjd97n #5

Solved by:

http.requestMatchers(toH2Console()).permitAll()

And the import for toH2Console():

import static org.springframework.boot.autoconfigure.security.servlet.PathRequest.toH2Console;
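
An added example, not taken from any of the answers above: it combines the pieces the answers suggest (matching the whole console path with toH2Console(), same-origin framing, a CSRF exemption) into a separate filter chain, so the relaxed settings apply only to the H2 console and only in development. It assumes the Spring Security 5.x / Spring Boot 2.x API used in the question; the class name and the "dev" profile name are hypothetical.

```java
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class: a dedicated security configuration for the H2 console.
// It is registered only under the assumed "dev" profile and only when the
// console itself is switched on, so it never exists in a production context.
@Configuration
@Profile("dev")
@ConditionalOnProperty(name = "spring.h2.console.enabled", havingValue = "true")
@Order(1) // evaluated before the application's main adapter (default order 100)
public class H2ConsoleSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Restrict this chain to the configured console path and everything
            // below it (resolved from spring.h2.console.path, e.g. /console).
            .requestMatcher(PathRequest.toH2Console())
            .authorizeRequests()
                .anyRequest().permitAll()
                .and()
            // The console's forms send no CSRF token. Disabling CSRF here
            // affects this chain only; the main configuration keeps its own setting.
            .csrf().disable()
            // The console UI is built from frames. sameOrigin() lets it render
            // while still refusing to be framed by other sites, unlike disable().
            .headers().frameOptions().sameOrigin();
    }
}
```

With this chain in place, the main configuration no longer needs a /console matcher or a global frameOptions().disable(), and every other path keeps the default X-Frame-Options header.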
