Spring Security 5.2: permitAll() in authorizeRequests() does not work for POST.

English:

Spring security 5.2: permitAll() in authorizeRequests() does not work for POST

Question


I have got the RestController

@RestController
public class HelloController {

    @GetMapping("/no-restriction/action")
    public String action() {
        return "hello";
    }

    @PostMapping("/no-restriction/action")
    public String action(@RequestBody String message) {
        return String.format("You posted '%s'.", message);
    }
}

and the configuration

@Bean
public OpaqueTokenIntrospector opaqueTokenIntrospector() {
    return token -> null; // TODO
}

@EnableWebSecurity
protected static class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests(authorizeRequests ->
            authorizeRequests
                .antMatchers("/no-restriction/**").permitAll()
                .anyRequest().authenticated())
            .oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
    }
}

The HTTP request GET /no-restriction/action (without any authorization header) returns 200 OK and the text hello. But POST /no-restriction/action with any request body does not work; it returns 401 Unauthorized. Why does the POST not work?

English:

I have got the RestController

@RestController
public class HelloController {

	@GetMapping("/no-restriction/action")
	public String action() {
		return "hello";
	}

	@PostMapping("/no-restriction/action")
	public String action(@RequestBody String message) {
		return String.format("You posted '%s'.", message);
	}
}

and the configuration

@Bean
public OpaqueTokenIntrospector opaqueTokenIntrospector() {
	return token -> null; // TODO
}

@EnableWebSecurity
protected static class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter {

	@Override
	public void configure(HttpSecurity http) throws Exception {
		http.authorizeRequests(authorizeRequests ->
				authorizeRequests
					.antMatchers("/no-restriction/**").permitAll()
					.anyRequest().authenticated())
			.oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
	}
}

The HTTP request GET /no-restriction/action (without any authorization header) returns 200 OK and the text hello. But POST /no-restriction/action with any request body does not work, it will return 401 Unauthorized. Why does the POST not work?

Answer 1

Score: 3

You are probably missing a CSRF token in your POST request.

Spring Security enables CSRF protection by default.

But you can disable it as follows:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            ...;

or

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf.disable())
            ...;

English:

You are probably missing a CSRF token in your POST request.

CSRF protection is enabled by default by Spring Security.

But you can disable this by:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            ...;

or

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf.disable())
            ...;

huangapple
  • Posted by huangapple on 2020-01-03 23:06:09
  • Please keep the original link when reposting: https://go.coder-hub.com/59580884.html