可能我在这里做错了,我只是想不通…
我在同一应用程序中具有Oauth2身份验证服务器和资源服务器。
资源服务器配置:
@Configuration @EnableResourceServer @EnableGlobalMethodSecurity(prePostEnabled = true) @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER-1) public class ResourceServerConfig extends ResourceServerConfigurerAdapter { public static final String RESOURCE_ID = "resources"; @Override public void configure(final ResourceServerSecurityConfigurer resources) { resources .resourceId(RESOURCE_ID); } @Override public void configure(final HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers(HttpMethod.GET, "/**").access("#oauth2.hasScope('read')") .antMatchers(HttpMethod.POST, "/**").access("#oauth2.hasScope('write')") .antMatchers(HttpMethod.PUT, "/**").access("#oauth2.hasScope('write')") .antMatchers(HttpMethod.PATCH, "/**").access("#oauth2.hasScope('write')") .antMatchers(HttpMethod.DELETE, "/**").access("#oauth2.hasScope('write')") .antMatchers(HttpMethod.OPTIONS, "/**").permitAll() .antMatchers(HttpMethod.GET, "/health").permitAll(); } }
认证服务器配置:
@Configuration @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UserDetailsService userDetailsService; @Override public void configure(final AuthenticationManagerBuilder auth) throws Exception { auth .userDetailsService(userDetailsService) .passwordEncoder(new BCryptPasswordEncoder()); } @Override protected void configure(final HttpSecurity http) throws Exception { http .authorizeRequests() .anyRequest().authenticated() .and().httpBasic().realmName("OAuth Server"); } }
当我尝试访问/ health时,获得了HTTP / 1.1 401未经授权。
如何说服Spring Boot使/ health匿名访问?
正如Deinum先生所说:
指定映射的顺序也就是查询映射的顺序。第一场比赛获胜…由于/ 匹配所有内容,因此/ health映射无用。将其移到/ 映射上方以使其起作用。– M. Deinum 8月20日17:56
