Spring boot:如何跳过特定端点的基本身份验证

Posted

技术标签:

【中文标题】Spring boot:如何跳过特定端点的基本身份验证【英文标题】:Spring boot: How to skip basic-auth for particular endpoint 【发布时间】:2020-01-15 12:58:22 【问题描述】:

我尝试了很多方法,但是当我点击 /healthCheck URL 时,它会提示输入用户名和密码。 我在 EmailsecurityAdapter.java 类中有以下代码

import com.cellpointmobile.email.services.AuthenticationService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class EmailSecurityAdapter extends WebSecurityConfigurerAdapter 

    @Autowired
    AuthenticationService userDetailsService;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception 
        auth.userDetailsService(userDetailsService);
        auth.authenticationProvider(authenticationProvider());
    


@Override
public void configure(WebSecurity web) throws Exception 
    web
            .ignoring()
            .antMatchers("/healthCheck**");



@Override
protected void configure(HttpSecurity http) throws Exception 
    http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "**/heathCheck/*").permitAll()
            .anyRequest()
            .access("isFullyAuthenticated() and hasAnyRole('ROLE_ADMIN','ROLE_USER')")
            .and()
            .httpBasic();


    @Bean
    public PasswordEncoder passwordEncoder() 
        //https://www.browserling.com/tools/bcrypt
        return new BCryptPasswordEncoder();
    

    @Bean
    public DaoAuthenticationProvider authenticationProvider() 
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        authenticationProvider.setUserDetailsService(userDetailsService);
        authenticationProvider.setPasswordEncoder(passwordEncoder());
        return authenticationProvider;

我应该在 configure() 方法中更改什么以公开访问 healthCheck url?

邮递员回复 GET http://127.0.0.1:8080/heathCheck

<Map>
    <timestamp>2019-09-13</timestamp>
    <status>401</status>
    <error>Unauthorized</error>
    <message>Unauthorized</message>
    <path>/heathCheck</path>
</Map>

【问题讨论】:

【参考方案1】:

使用

@Override
protected void configure(HttpSecurity http) throws Exception 
        http
        .csrf().disable()
        .authorizeRequests()
        .antMatchers(HttpMethod.GET, "**/heathCheck/**").permitAll()
        .anyRequest()
        .access("isFullyAuthenticated() and hasAnyRole('ROLE_ADMIN','ROLE_USER')")
        .and()
        .httpBasic();

或在 configure(WebSecurity web) 中使用 web.ignoring(),这将忽略所有使用它指定的端点的安全过滤器。之后,您可以将其从configure(HttpSecurity http) 中删除,并将configure(WebSecurity web) 保留在configure(HttpSecurity http) 之上。

HttpSecurity vs WebSecurity

 @Override
    public void configure(WebSecurity web) throws Exception 
        web
          .ignoring()
            .antMatchers(HttpMethod.yourMethod, "**/heathCheck/**");

更新:

@Override
        public void configure(WebSecurity web) throws Exception 
            web
              .ignoring()
                .antMatchers(HttpMethod.yourMethod, "**/heathCheck/**");
        

@Override
protected void configure(HttpSecurity http) throws Exception 
            http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "**/heathCheck/*").permitAll()
            .anyRequest()
            .access("isFullyAuthenticated() and hasAnyRole('ROLE_ADMIN','ROLE_USER')");

【讨论】:

它不起作用,当我访问127.0.0.1:8080/healthCheck时弹出输入用户名密码 嗨@PraveenD,你试过configure(WebSecurity web) @PraveenD 你能用你当前的配置更新吗?你是在进入spring security默认登录页面还是什么类型的弹出窗口 @PraveenD 从更新的代码中我可以看到WebSecurity 一直保留在HttpSecurity 之下。首先保留 WebSecurity,然后保留 HttpSecuriy,如更新的答案 嗨@PraveenD,我注意到您有healthcheck 并在heathCheck 两个差异端点提出请求

以上是关于Spring boot:如何跳过特定端点的基本身份验证的主要内容,如果未能解决你的问题,请参考以下文章

Spring Security with Spring Boot:使用过滤器时允许未经身份验证的用户访问特定端点

Spring-Boot REST 服务基本 http 身份验证排除一个端点

如何禁用特定端点的身份验证?

具有基本身份验证和 OAuth 顺序问题的 Spring Boot 安全性

Spring Boot with Spring Boot:将基本身份验证与JWT令牌身份验证相结合[复制]

Spring Boot Security - 如果用户未通过 Oauth2 进行身份验证,如何禁用对 swagger ui 页面的端点的访问