小贝子编程

JHipster Microservice CORS



有没有办法通过网关访问微服务API而无需身份验证?例如,如果我有一个公共登陆页,需要从微服务API读取数据。我启用了CORS,并通过Swagger测试了API,它在网关应用程序中运行良好;然而,如果我使用CURL调用API,我会得到一个未经授权的错误。

这是我试图执行的CURL命令:

curl -X 'GET' 
'http://localhost:8080/services/tajvoteservice/api/landing-page-by-organizations' 
-H 'accept: */*' 
-H 'X-XSRF-TOKEN: 5d3e3faf-3a3d-4905-bdea-f5ce305d3672'

这是我得到的错误:

{"type":"https://www.jhipster.tech/problem/problem-with-message","title":"Unauthorized","status":401,"detail":"Not Authenticated","path":"/services/tajvoteservice/api/landing-page-by-organizations","message":"error.http.401"}%

这是我的SecurityConfiguration.java配置方法:

@Override
public void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.csrf()
.disable()
.exceptionHandling()
.authenticationEntryPoint(problemSupport)
.accessDeniedHandler(problemSupport)
.and()
.headers()
.contentSecurityPolicy(jHipsterProperties.getSecurity().getContentSecurityPolicy())
.and()
.referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
.and()
.featurePolicy("geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; fullscreen 'self'; payment 'none'")
.and()
.frameOptions()
.deny()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/api/auth-info").permitAll()
.antMatchers("/api/admin/**").hasAuthority(AuthoritiesConstants.ADMIN)
.antMatchers("/api/landing-page-by-organizations/**").permitAll()
.antMatchers("/api/**").authenticated()
.antMatchers("/management/health").permitAll()
.antMatchers("/management/health/**").permitAll()
.antMatchers("/management/info").permitAll()
.antMatchers("/management/prometheus").permitAll()
.antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
.and()
.oauth2ResourceServer()
.jwt()
.jwtAuthenticationConverter(authenticationConverter())
.and()
.and()
.oauth2Client();
// @formatter:on
}

请告知。

谢谢Marziou先生。我在网关的SecurityConfiguration.java中向springSecurityFilterChain方法添加了路径匹配器:

.pathMatchers("/services/tajvoteservice/api/landing-page-by-organizations/**").permitAll()

因此,我的网关SecurityConfiguration的springSecurityFilterChain方法如下:

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
// @formatter:off
http
.securityMatcher(new NegatedServerWebExchangeMatcher(new OrServerWebExchangeMatcher(
pathMatchers("/app/**", "/i18n/**", "/content/**", "/swagger-ui/**", "/swagger-resources/**", "/v2/api-docs", "/v3/api-docs", "/test/**"),
pathMatchers(HttpMethod.OPTIONS, "/**")
)))
.csrf()
.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
.and()
// See https://github.com/spring-projects/spring-security/issues/5766
.addFilterAt(new CookieCsrfFilter(), SecurityWebFiltersOrder.REACTOR_CONTEXT)
.addFilterAt(new SpaWebFilter(), SecurityWebFiltersOrder.AUTHENTICATION)
.exceptionHandling()
.accessDeniedHandler(problemSupport)
.authenticationEntryPoint(problemSupport)
.and()
.headers()
.contentSecurityPolicy(jHipsterProperties.getSecurity().getContentSecurityPolicy())
.and()
.referrerPolicy(ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
.and()
.featurePolicy("geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; fullscreen 'self'; payment 'none'")
.and()
.frameOptions().disable()
.and()
.authorizeExchange()
.pathMatchers("/").permitAll()
.pathMatchers("/*.*").permitAll()
.pathMatchers("/api/auth-info").permitAll()
.pathMatchers("/services/tajvoteservice/api/landing-page-by-organizations/**").permitAll()
.pathMatchers("/api/admin/**").hasAuthority(AuthoritiesConstants.ADMIN)
.pathMatchers("/api/**").authenticated()
.pathMatchers("/services/**").authenticated()
.pathMatchers("/management/health").permitAll()
.pathMatchers("/management/health/**").permitAll()
.pathMatchers("/management/info").permitAll()
.pathMatchers("/management/prometheus").permitAll()
.pathMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN);
http.oauth2Login()
.and()
.oauth2ResourceServer()
.jwt()
.jwtAuthenticationConverter(jwtAuthenticationConverter());
http.oauth2Client();
// WebFlux
http.redirectToHttps(redirect -> redirect
.httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto")));
// @formatter:on
return http.build();
}

现在我可以运行CURL命令:

curl -X 'GET' 
'http://localhost:8080/services/tajvoteservice/api/landing-page-by-organizations/acfad1dd-2570-4900-a5c2-8f496f88527c'

瞧,我有JSON数据和组织信息!

再次感谢Marziou先生!

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium