在资源服务器的配置中,添加了请求白名单,如下
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {@Autowiredprivate OAuth2Properties properties;@Overridepublic void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/test/**").permitAll().anyRequest().authenticated().and().csrf().disable(); }@Beanpublic RemoteTokenServices tokenServices() {RemoteTokenServices services = new RemoteTokenServices();services.setCheckTokenEndpointUrl(properties.getTokenInfoUri());services.setClientId(properties.getClientId());services.setClientSecret(properties.getClientSecret());return services;}
}
测试controller
@RestController
@RequestMapping("/test")
public class TestController {@PostMapping("/test1")public String test1() {System.out.println(123);return "123";}@PostMapping("/test2")public String test2() {System.out.println(333);return "222333";}
}
当使用postman正常请求http://localhost:8109/test/test2时,能获取到返回结果
但当请求添加上请求头时(这里是前端做了统一的处理,到后端的请求会统一携带Authorization等token信息),但是对于我的资源服务接口来说,我不想管前端的请求是否携带请求头token,都想根据白名单不进行oauth2的鉴权操作,但是实际是这样还是会触发鉴权
可以通过重写WebSecurityConfigurerAdapter的 configure()方法,使白名单请求不受Spring Security的保护。这样即使请求中包含Authorization头,也不会触发鉴权(在资源服务器中添加)。
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {@Overridepublic void configure(WebSecurity web) throws Exception {web.ignoring().antMatchers("/test/test2");}
}
