Spring unauthorized request despite having .permitAll()


Title: Spring unauthorized request despite having .permitAll()
Posted: 2020-09-16 21:54:52

Question:

This is the configuration class:

import java.util.Arrays;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Value("${allowed-origins}")
    String[] allowedOrigins;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers().frameOptions().disable(); // To be able to see h2 console
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/api/transform-user").authenticated()
                .anyRequest().permitAll()
                .and()
                .cors()
                .and()
                .httpBasic().realmName("RDF-TRANSFORMER")
                .and()
                .csrf().disable();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.setAllowedOrigins(Arrays.asList(allowedOrigins));
        corsConfiguration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
        corsConfiguration.setAllowedHeaders(Arrays.asList("*"));
        corsConfiguration.setAllowCredentials(true);
        corsConfiguration.setAllowedOrigins(Arrays.asList(("*")));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", corsConfiguration);
        return source;
    }

    @Bean
    public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
        return new SecurityEvaluationContextExtension();
    }
}


As you can see, I have allowed all requests except the transform-user call for unauthenticated users.

But when I call the endpoint /api/identity I get this response:

{"timestamp":"2020-05-29T10:35:47.058+0000","status":401,"error":"Unauthorized","message":"Unauthorized","path":"/api/identity"}

Edit: I just saw this error when deploying the application:

  [2020.05.29 12:44:21] (Coverage): Error during class instrumentation: org.springframework.security.config.annotation.authentication.configurers.ldap.LdapAuthenticationProviderConfigurer: java.lang.RuntimeException: java.io.IOException: Class not found
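As an added example (not the asker's code and not from any project), here is the same access policy the question describes, with two things a reviewer would change. Rules under authorizeRequests() are evaluated top to bottom and the first match wins, so the specific antMatchers rule is kept ahead of anyRequest(). In the CORS bean, the second setAllowedOrigins("*") call in the question silently replaces the list loaded from the allowed-origins property; a literal "*" together with allowCredentials(true) is rejected with an IllegalArgumentException by Spring Framework 5.3 and later, and in older versions it makes Spring echo whatever Origin the browser sent, so any site could make credentialed cross-origin calls. The property value shown in the comment is a constructed assumption; the SecurityEvaluationContextExtension bean from the question is unchanged and omitted here.

```java
// Added example: same policy as the question, with the CORS bean corrected.
// Assumes a property such as  allowed-origins=https://app.example.test  (constructed value).
import java.util.Arrays;
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${allowed-origins}")
    String[] allowedOrigins;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // sameOrigin() is enough for the H2 console and narrower than disable()
        http.headers().frameOptions().sameOrigin();
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // first matching rule wins: the specific rule must precede anyRequest()
                .antMatchers(HttpMethod.POST, "/api/transform-user").authenticated()
                .anyRequest().permitAll()
            .and()
            .cors()
            .and()
            .httpBasic().realmName("RDF-TRANSFORMER")
            .and()
            .csrf().disable();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cors = new CorsConfiguration();
        // Exactly one origin list, taken from configuration; never "*" together
        // with allowCredentials(true).
        cors.setAllowedOrigins(Arrays.asList(allowedOrigins));
        cors.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
        // Name the headers the client actually sends instead of "*".
        cors.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        cors.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", cors);
        return source;
    }
}
```

One more check worth making with this configuration: prePostEnabled = true is on, so a @PreAuthorize or @Secured annotation on the handler behind /api/identity is evaluated after the URL rules, and an anonymous caller denied there is handed to the httpBasic entry point, which answers with the same kind of 401 regardless of the permitAll() rule.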

Comments:

Answer 1:

The order of the security configuration is not correct. Try the one below -

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.headers().frameOptions().disable(); // To be able to see h2 console
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers(HttpMethod.POST, "/api/transform-user").permitAll()
            .anyRequest().authenticated()
            .and()
            .cors()
            .and()
            .httpBasic().realmName("RDF-TRANSFORMER")
            .and()
            .csrf().disable();
}
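Whichever ordering of the matchers is used, the quickest way to see whether it produces the policy the question describes is a MockMvc test that pins that policy down. The test below is an added example (not from the question, the answer, or any project); it assumes a Spring Boot application with handlers for GET /api/identity and POST /api/transform-user, the WebSecurityConfig under test in the context, and spring-boot-starter-test plus spring-security-test on the test classpath. It asserts on status codes only, because the body of the controller responses is not known here.

```java
// Added example: pins down the intended access policy as a test.
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class AccessPolicyTest {

    @Autowired
    MockMvc mvc;

    // permitAll rule: an anonymous GET must not be bounced to the entry point.
    @Test
    void anonymousCanCallIdentity() throws Exception {
        mvc.perform(get("/api/identity"))
           .andExpect(result -> assertNotEquals(401, result.getResponse().getStatus()));
    }

    // authenticated rule: an anonymous POST is answered by the httpBasic entry point.
    // CSRF is disabled in the configuration under test, so no token is needed.
    @Test
    void anonymousCannotTransformUser() throws Exception {
        mvc.perform(post("/api/transform-user").contentType("application/json").content("{}"))
           .andExpect(status().isUnauthorized());
    }

    // With a principal in the security context the URL rule is satisfied; anything
    // other than 401/403 means the request reached the controller.
    @Test
    @WithMockUser
    void authenticatedUserPassesUrlRule() throws Exception {
        mvc.perform(post("/api/transform-user").contentType("application/json").content("{}"))
           .andExpect(result -> {
               int s = result.getResponse().getStatus();
               assertNotEquals(401, s);
               assertNotEquals(403, s);
           });
    }
}
```

If the first test fails while the second passes, the URL rules are not the reason anonymous callers are rejected on /api/identity, and the next place to look is method security on that handler.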

Discussion:
