问题
If I use a token I can access the user page fine http://localhost:8901/auth/user.
but if I try to get only the signup/registration "api call" supposed to be accessible by anyone I get : "Full authentication is required to access this resource".
I tried the following
httpSecurity
.csrf()
.disable()
.authorizeRequests()
.antMatchers("/registration")
.permitAll()
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.httpBasic();
then tried to see if I could enable everything but would still get the same error:
httpSecurity
.csrf()
.disable()
.authorizeRequests()
.antMatchers("/**").permitAll()
.and()
.httpBasic();
Some of the classes I have
@Configuration
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
@Bean
public UserDetailsService userDetailsServiceBean() throws Exception {
return super.userDetailsServiceBean();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user1").password("{noop}password1").roles("USER")
.and()
.withUser("user2").password("{noop}password2").roles("USER", "ADMIN");
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception
{
httpSecurity
.csrf()
.disable()
.authorizeRequests()
.antMatchers("/**").permitAll()
.and()
.httpBasic();
}
}
application.yml file
#Setting the logging levels for the service
logging:
level:
com.netflix: DEBUG
org.springframework.web: DEBUG
com.test: DEBUG
eureka:
instance:
preferIpAddress: true
client:
service-url:
default-zone: http://localhost:8761/eureka/
register-with-eureka: true
fetch-registry: true
ribbon:
eureka:
enabled: true
server:
port: 8901
servlet:
context-path: /auth
bootstrap.yml file:
spring:
application:
name: authenticationservice
profiles:
active:
default
cloud:
config:
enabled: true
Main class
@SpringBootApplication
@RestController
@EnableOAuth2Client
@EnableResourceServer
@EnableAuthorizationServer
public class Application {
private static final Logger logger = LoggerFactory.getLogger(Application.class);
@Autowired
private UserRepository userRepository;
@RequestMapping(value = { "/user" }, produces = "application/json")
public Map<String, Object> user(OAuth2Authentication user) {
Map<String, Object> userInfo = new HashMap<>();
userInfo.put("user", user.getUserAuthentication().getPrincipal());
userInfo.put("authorities", AuthorityUtils.authorityListToSet(user.getUserAuthentication().getAuthorities()));
return userInfo;
}
@RequestMapping(value = {"/validate"}, produces = "application/json")
public User validate(OAuth2Authentication user)
{
return userRepository.findByUserName(user.getName());
}
@PostMapping("/registration")
@ResponseStatus(code = HttpStatus.CREATED)
public void register(@RequestBody UserRegistrationDetails userRegDetails) {
logger.debug("Entering the register method");
if (StringUtils.isEmpty(userRegDetails.getUserName()) || EmailValidator.emailValidator(userRegDetails.getUserName()) == false)
{
throw new InvalidException("Invalid email provided");
}
User existingUser = userRepository.findByUserName(userRegDetails.getUserName());
if (existingUser != null)
throw new InvalidException("The User already exists");
if (EmailValidator.emailValidator(userRegDetails.getPassword()))
throw new InvalidException("The provided password is invalid");
User user = User.UserBuilder
.builder()
.withEnabled(true)
.withUserName(userRegDetails.getUserName()).withPassword(userRegDetails.getPassword())
.withEnabled(false)
.withAuthorizationCode("SOMECODE")
.withApplicationId(userRegDetails.getApplicationId())
.build();
userRepository.save(user);
}
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
Edit, adding OAuth2Config
@Configuration
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private DatabaseUserRegistrationDetailsService userRegistrationDetailsService;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("test")
.secret("{noop}somesecret")
.authorizedGrantTypes("refresh_token", "password", "client_credentials")
.scopes("webclient", "mobileclient");
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints
.authenticationManager(authenticationManager)
.userDetailsService(userRegistrationDetailsService);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.checkTokenAccess("permitAll()");
}
}
回答1:
Your call seems to trigger the Resource-Server parts of the code. That is expecting a token for authorization. Configure the exception like this:
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/registration")
.permitAll();
}
}
You can remove the @EnableResourceServer from the main class.
来源:https://stackoverflow.com/questions/65066896/authorizing-signup-page-to-anyone-with-websecurityconfigureradapter