java Spring授权服务器不允许访问我的端点

laawzig2  于 2023-06-20  发布在  Java
关注(0)|答案(1)|浏览(130)

当我向端点API/order/process/result发送POST REQUEST时,我收到了来自spring Boot 资源服务器的401响应。我需要帮助来确定我是否已经很好地授权了我的端点,以便在我的Sping Boot 安全配置中没有**Authorization header(Bearer)**的情况下被调用

@RestController
@RequestMapping("/api")
public class OrderController {
    private final static Logger LOGGER = LoggerFactory.getLogger(OrderController.class);
    private final OrderService orderService;

    public OrderController(OrderService orderService) {
        this.orderService = orderService;
    }
 @PostMapping(
            path = "/order/process/result",
            consumes = MediaType.APPLICATION_JSON_VALUE,
            produces = MediaType.APPLICATION_JSON_VALUE
    )
    public String handleStkCallback(@RequestBody String result) {
        LOGGER.info(result);
        orderService.handleStkCallback(result);
        return "{\"responseCode\": \"0\"}";
    }
}
@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Value("${jwksUri}")
    private String jwksUri;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
                .cors().and().csrf().disable()
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers(POST, "/api/order/process/result").permitAll()
                        .anyRequest().authenticated()
                )
                .oauth2ResourceServer(oauth2 -> oauth2
                        .jwt(jwt -> jwt
                                .jwkSetUri(jwksUri)
                        )
                );
        return http.build();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("*"));
        configuration.setAllowedMethods(Arrays.asList("GET", "POST"));
        configuration.setAllowedHeaders(Arrays.asList("*"));
        configuration.setAllowCredentials(true);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);

        return source;
    }
}
6ss1mwsb

6ss1mwsb1#

你可以尝试交换这两个指令"/api/order/process/result").permitAll() .anyRequest().authenticated()吗?
我认为顺序很重要,所以首先尝试使所有端点都需要授权,然后通过声明特定端点不需要授权来覆盖它

相关问题