spring config server encrypt forbidden

一世执手 提交于 2019-12-09 13:32:30

问题


I've configured a spring cloud config server to use oAuth2 for security. Everything is working well, except the encrypt end point. When I try to access /encrypt I get a 403 Forbidden. I am including the Authorization Bearer token in the header. Is there a way to allow the encrypt end point to be called when the server is secured with oAuth, or is it always blocked? Let me know if you would like to see any config files for this server.

Just for reference, here are the things that are working.

  • calling /encrypt/status produces {"status":"OK"}
  • The git repository is being pulled because I can access a property file from the server.
  • oAuth authentication is working with Google because it takes me through the logon process.

    Here is the spring security settings.

    security: 
     require-ssl: true 
     auth2:  
       client:  
         clientId: PROVIDED BY GOOGLE  
         clientSecret: PROVIDED BY GOOGLE  
         accessTokenUri: https://www.googleapis.com/oauth2/v4/token  
         userAuthorizationUri: https://accounts.google.com/o/oauth2/v2/auth  
         scope:  
            - openid  
            - email  
            - profile  
      resource:  
         userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo  
         preferTokenInfo: true  

    server:  
       port: 8443  
       ssl:  
         key-store-type: PKCS12  
         key-store: /spring-config-server/host/tomcat-keystore.p12  
         key-alias: tomcat  
         key-store-password: ${KEYSTORE_PASSWORD}

Here are my dependencies from the POM file so you can see the version of the libraries I'm using.

<parent>  
    <groupId>org.springframework.boot</groupId>  
    <artifactId>spring-boot-starter-parent</artifactId>  
    <version>2.0.0.RELEASE</version>  
    <relativePath/>  
    <!-- lookup parent from repository -->  
</parent>  
<properties>  
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>  
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>  
    <java.version>1.8</java.version>  
    <spring-cloud.version>Finchley.M8</spring-cloud.version>  
</properties>  
<dependencies>  
    <dependency>  
        <groupId>org.springframework.cloud</groupId>  
        <artifactId>spring-cloud-config-server</artifactId>  
    </dependency>  
    <dependency>  
        <groupId>org.springframework.boot</groupId>  
        <artifactId>spring-boot-starter-test</artifactId>  
    </dependency>  
    <dependency>  
        <groupId>org.springframework.cloud</groupId>  
        <artifactId>spring-cloud-security</artifactId>  
    </dependency>  
</dependencies>  
<dependencyManagement>  
    <dependencies>  
        <dependency>  
            <groupId>org.springframework.cloud</groupId>  
            <artifactId>spring-cloud-dependencies</artifactId>  
            <version>${spring-cloud.version}</version>  
            <type>pom</type>  
            <scope>import</scope>  
        </dependency>  
    </dependencies>  
</dependencyManagement>  

回答1:


I solve it implementing this WebSecurityConfigurer. It disables CSRF and set basic authentication.In Spring Boot 2.0.0 you cannot disable CSRF using properties it forces you to implement a java security config bean.

package my.package.config.server;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests()
        .anyRequest().authenticated().and()
        .httpBasic();
;
    }


}

Hope it helps




回答2:


To fix this issue, I needed to extend WebSecurityConfigurerAdapter and in the configure method I disabled CSRF token.

          http
            .csrf().disable()
            .antMatcher("/**")                
            .authorizeRequests()
            .antMatchers("/", "/login**", "/error**")
            .permitAll()
            .anyRequest().authenticated();


来源:https://stackoverflow.com/questions/49281778/spring-config-server-encrypt-forbidden

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!