Fixing an ineffective permitAll() in a Spring OAuth2 configuration

In Spring Security or Spring OAuth2, to intercept every path under a given prefix while letting one sub-path through:

@Override
public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .authorizeRequests()
        .antMatchers("/web/user/**").permitAll()     // narrow rule first: this sub-path is public
        .antMatchers("/web/**").authenticated()      // broader rule second: the rest of /web/ needs authentication
        .anyRequest().permitAll();                   // everything outside /web/ is public
}

The sub-path is permitted first, then the parent path is intercepted, and finally all remaining paths are permitted. This intercepts every path starting with /web/ while letting through /web/user/ and every path that does not start with /web.

Note: declaration order matters. The narrower pattern must be declared before the broader one, because Spring Security evaluates the rules in declaration order and applies the first one that matches.

If the following configuration fails to let the path /web/member/member-register through:

@Override
public void configure(HttpSecurity http) throws Exception {
    // all requests must be authenticated
    http.authorizeRequests()
        // the path below is permitted
        .antMatchers("/web/member/member-register")
        .permitAll()
        .anyRequest().authenticated()
        .and().csrf().disable();
}

The resource server above permits a particular endpoint, yet requests from the front end to that endpoint are still intercepted for authentication. The cause is that the client adds an Authorization header to every request. The OAuth2 resource-server filter authenticates any request that carries a bearer token before the authorization rules are evaluated, so an expired or invalid token on a permitted endpoint is still rejected. If an endpoint does not require authentication, do not send the Authorization header; otherwise OAuth2 will still authenticate the request.

If it still does not work, configure both .ignoringAntMatchers("/payment/*") (under csrf()) and .antMatchers("/payment/*").permitAll() (under authorizeRequests()) at the same time:

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.addFilterAfter(new BigcommerceOriginFilter(bigcommerceVerficationStrategy, ANY_AUTHORIZATION_REDIRECT_PATH, ANY_INSTALL_PATH), LogoutFilter.class);
    http.addFilterAfter(new BigcommerceExistingTokenFilter(this.authorizedClientService, INSTALL_PATH), BigcommerceOriginFilter.class);
    http.addFilterBefore(new UninstallFilter(UNINSTALL_URI, bigcommerceVerficationStrategy, authorizedClientService, converter), OAuth2AuthorizationRequestRedirectFilter.class);

    http.headers().frameOptions().disable()
            /*
            .and()
            .requiresChannel()
            .anyRequest()
            .requiresSecure()
            */
            .and()
            .csrf()
            .ignoringAntMatchers(UNINSTALL_URI + "/*")
            .ignoringAntMatchers("/payment/*")  // configure this as well
            .and()
            .authorizeRequests()
            .mvcMatchers(LOGIN_ENDPOINT).permitAll()
            .mvcMatchers(ANY_INSTALL_PATH).permitAll()
            .mvcMatchers("/favicon.ico").permitAll()
            .mvcMatchers("/css/*").permitAll()
            .mvcMatchers("/js/*").permitAll()
            .mvcMatchers("/images/*").permitAll()
            .antMatchers("/payment/*").permitAll()  // configure this as well
            .anyRequest().authenticated()
            .and()
            .logout()
            .logoutUrl(LOGOUT_ENDPOINT)
            .logoutSuccessUrl(LOGIN_ENDPOINT)
            .and()
            .oauth2Login()
            .authorizationEndpoint()
            .authorizationRequestResolver(bigcommerceOauth2AuthorizationRequestResolver)
            .and()
            .redirectionEndpoint().baseUri(ANY_AUTHORIZATION_REDIRECT_PATH) // same as filterProcessesUrl
            .and()
            .tokenEndpoint().accessTokenResponseClient(accessTokenResponseClient) // allows for seamless unit testing
            .and()
            .userInfoEndpoint().userService(userService)
            .and()
            .successHandler(successHandler)
            .loginPage(LOGIN_ENDPOINT) // for use outside of an embedded app since it involves a redirect
            .failureUrl(AUTHENTICATION_FALURE_URL); // see AbstractAuthenticationProcessingFilter
}
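As an added example (not the blog's code), the following Spring Security 5 configuration combines the two points above: narrow matchers before broad ones, and a server-side fix for the stray Authorization header, so a stale token on a public endpoint no longer produces a 401. It assumes the built-in oauth2ResourceServer() support rather than the legacy spring-security-oauth2 ResourceServerConfigurerAdapter, a JwtDecoder bean configured elsewhere, and the paths /web/user/** and /web/member/member-register from this post as the public ones.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Public paths, constructed for this example from the paths used in the post.
    private static final RequestMatcher PUBLIC_PATHS = new OrRequestMatcher(
            new AntPathRequestMatcher("/web/user/**"),
            new AntPathRequestMatcher("/web/member/member-register"));

    @Bean
    public BearerTokenResolver bearerTokenResolver() {
        DefaultBearerTokenResolver delegate = new DefaultBearerTokenResolver();
        // Returning null for a public path means no bearer token is extracted,
        // so no authentication is attempted even if the client sent an
        // Authorization header (expired or otherwise). Everywhere else the
        // default resolver reads the "Authorization: Bearer ..." header.
        return request -> PUBLIC_PATHS.matches(request) ? null : delegate.resolve(request);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
                .requestMatchers(PUBLIC_PATHS).permitAll()  // narrow rules first
                .antMatchers("/web/**").authenticated()     // broader rule second
                .anyRequest().permitAll()                   // everything outside /web/ is public
            .and()
            .oauth2ResourceServer()
                .bearerTokenResolver(bearerTokenResolver())
                .jwt();  // assumes a JwtDecoder bean (e.g. from an issuer-uri) is configured
    }
}
```

With this in place a request to /web/member/member-register succeeds with or without an Authorization header, while /web/anything-else still requires a valid bearer token.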

Copyright notice:
Author: Joe.Ye
Link: https://www.appblog.cn/index.php/2023/04/01/spring-oauth2-config-permitall-invalid/
Source: APP全栈技术分享
The copyright of this article belongs to the author; do not repost without permission.
