当我向端点API/order/process/result发送POST REQUEST时,我收到了来自spring Boot 资源服务器的401响应。我需要帮助来确定我是否已经很好地授权了我的端点,以便在我的Sping Boot 安全配置中没有**Authorization header(Bearer)**的情况下被调用
@RestController
@RequestMapping("/api")
public class OrderController {
private final static Logger LOGGER = LoggerFactory.getLogger(OrderController.class);
private final OrderService orderService;
public OrderController(OrderService orderService) {
this.orderService = orderService;
}
@PostMapping(
path = "/order/process/result",
consumes = MediaType.APPLICATION_JSON_VALUE,
produces = MediaType.APPLICATION_JSON_VALUE
)
public String handleStkCallback(@RequestBody String result) {
LOGGER.info(result);
orderService.handleStkCallback(result);
return "{\"responseCode\": \"0\"}";
}
}
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Value("${jwksUri}")
private String jwksUri;
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.cors().and().csrf().disable()
.authorizeHttpRequests(auth -> auth
.requestMatchers(POST, "/api/order/process/result").permitAll()
.anyRequest().authenticated()
)
.oauth2ResourceServer(oauth2 -> oauth2
.jwt(jwt -> jwt
.jwkSetUri(jwksUri)
)
);
return http.build();
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("*"));
configuration.setAllowedMethods(Arrays.asList("GET", "POST"));
configuration.setAllowedHeaders(Arrays.asList("*"));
configuration.setAllowCredentials(true);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
1条答案
按热度按时间6ss1mwsb1#
你可以尝试交换这两个指令
"/api/order/process/result").permitAll() .anyRequest().authenticated()
吗?我认为顺序很重要,所以首先尝试使所有端点都需要授权,然后通过声明特定端点不需要授权来覆盖它