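How can I disable the security filter for a @RestController in my Spring application, or skip the security check? I just want to access the GET and POST endpoints of a Spring @RestController directly, without going through the security filter.
I am using the configuration below: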
security:
oauth2:
client:
access-token-validity-seconds: 3600
tokenExtractor:
type: header
pom.xml dependencies
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
</dependency>
Spring versions
<spring.version>4.3.7.RELEASE</spring.version>
<spring.boot.version>1.5.2.RELEASE</spring.boot.version>
Posted on 2019-08-23 10:06:33
If you don't want to remove Spring Security entirely, you can add an ignore configuration for all URLs in your Spring configuration bean:
@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/**");
}
Posted on 2019-09-10 08:16:50
Three ways
A. I was able to bypass the Spring Boot security filter while keeping @EnableResourceServer on the @SpringBootApplication class
1. permitAll for anonymous in the ResourceServerConfigurerAdapter override
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ResourceAccessConfiguration extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // this will allow any resource endpoint access when the HTTP request Authorization header is not available
        http.authorizeRequests().antMatchers("/**").permitAll().anyRequest().anonymous();
        // http.authorizeRequests().antMatchers("/**").permitAll(); // this also works
    }
}
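Spring Boot application initializer
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.support.SpringBootServletInitializer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

@SpringBootApplication
@EnableResourceServer // keep this
public class Application extends SpringBootServletInitializer {
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}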
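2. Remove the Authorization header (remove the OAuth 2.0 access token from the HTTP request)
B. The security filter can also be disabled for endpoints by removing @EnableResourceServer and setting a parameter in application.yml. When @EnableResourceServer is removed, Spring Security falls back to the default, which is org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
1. application.yml, the security.ignored property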
security:
  ignored: /**
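2. Spring Boot application initializer
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.support.SpringBootServletInitializer;

@SpringBootApplication
//@EnableResourceServer << remove this
public class Application extends SpringBootServletInitializer {
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}
3. Remove the Authorization header, same as above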
C. The security filter can also be disabled for endpoints by removing @EnableResourceServer and adding a configuration class that extends WebSecurityConfigurerAdapter
1.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").permitAll().anyRequest().authenticated().and().csrf().disable();
    }
}
2. //@EnableResourceServer commented out, same as above
3. Remove the Authorization header, same as above
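
An added example, not part of either answer: a narrower variant of option A that opens only named GET and POST endpoints instead of `/**` and keeps every other path behind the OAuth2 token check. The class name and the `/api/...` paths are hypothetical; `@EnableResourceServer` stays on the application class as in option A.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
public class ScopedResourceAccessConfiguration extends ResourceServerConfigurerAdapter {

    // Hypothetical paths: list only the controller endpoints that must be reachable without a token.
    private static final String[] OPEN_GET = { "/api/status", "/api/catalog/**" };
    private static final String[] OPEN_POST = { "/api/feedback" };

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Matchers are evaluated in declaration order and the first match decides,
                // so the specific open rules come before the catch-all.
                .antMatchers(HttpMethod.GET, OPEN_GET).permitAll()
                .antMatchers(HttpMethod.POST, OPEN_POST).permitAll()
                // Everything not listed above still requires a valid access token.
                .anyRequest().authenticated();
    }
}
```

Unlike `web.ignoring()`, `permitAll()` leaves the security filter chain in place for the open paths. A request to an open path that still carries an invalid bearer token is rejected by the resource server's token-processing filter before these rules apply, which matches the answer's step of removing the Authorization header.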
https://stackoverflow.com/questions/57623630