CSRF Token has been associated to this client



I am using spring-boot-starter-security-2.4.2. I am getting the error

CSRF Token has been associated to this client

when using Postman.

Here I am using Spring Cloud Gateway and have added Spring Security to it.

POST: localhost:8080/auth/login
body: {
    "username": "user",
    "password": "pass"
}

I have also tried curl:

curl -d "username=user1&password=abcd" -X POST http://localhost:8080/auth/login

Here is my Spring Security configuration:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http = http
        .cors()
        .and()
        .csrf().disable();
    http = http
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and();
    http = http
        .exceptionHandling()
        .authenticationEntryPoint(jwtAuthenticationEntryPoint)
        .and();

    http
        .authorizeRequests()
        .antMatchers(HttpMethod.POST, "/auth/login/").permitAll()
        .antMatchers(HttpMethod.POST, "/public/user/links").permitAll()
        .anyRequest().authenticated();

    http
        .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}

This problem was solved after a lot of trial and error:

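import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.server.SecurityWebFilterChain;
import reactor.core.publisher.Mono;

// AuthenticationManager, SecurityContextRepository and JwtWebFilter are
// application classes that are not shown in the post.
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class WebSecurityConfig {
    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private SecurityContextRepository securityContextRepository;

    @Autowired
    private JwtWebFilter jwtWebFilter;

    @Bean
    public SecurityWebFilterChain securitygWebFilterChain(ServerHttpSecurity http) {
        return http
            .exceptionHandling()
            // Unauthenticated requests get 401, denied requests get 403
            .authenticationEntryPoint((swe, e) -> {
                return Mono.fromRunnable(() -> {
                    swe.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED);
                });
            }).accessDeniedHandler((swe, e) -> {
                return Mono.fromRunnable(() -> {
                    swe.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
                });
            }).and()
            // CSRF protection is switched off on the reactive filter chain
            .csrf().disable()
            .authenticationManager(authenticationManager)
            .securityContextRepository(securityContextRepository)
            .authorizeExchange()
            .pathMatchers("/auth/login").permitAll()
            .anyExchange().authenticated()
            .and().addFilterAfter(jwtWebFilter, SecurityWebFiltersOrder.FIRST)
            .build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}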

It works fine with the gateway service, but not with the downstream services. The filter is not invoking the other Eureka clients. Can anyone help?
