Spring Boot Security - 如果用户未通过 Oauth2 进行身份验证,如何禁用对 swagger ui 页面的端点的访问
Posted
技术标签:
【中文标题】Spring Boot Security - 如果用户未通过 Oauth2 进行身份验证,如何禁用对 swagger ui 页面的端点的访问【英文标题】:Spring Boot Security - How to disable access to endpoints for swagger ui page if the user is not authenticated with Oauth2 【发布时间】:2021-09-21 10:57:02 【问题描述】:如果用户未通过 Oauth2(swagger ui 页面上的授权按钮)进行身份验证,我正在尝试禁用对 "/v2/api-docs"
端点的访问。
我的 spring 安全配置如下:
@配置 @EnableResourceServer 公共类 ResourceServerConfig 扩展 ResourceServerConfigurerAdapter
@Override
public void configure(HttpSecurity http) throws Exception
http.authorizeRequests().antMatchers("/", "/api/health", "/api/info").permitAll().antMatchers("/api/v1/**").
authenticated();
以及我配置swagger Oauth2身份验证的这个类
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter
private static final String USER_INVALID = "User Name or Password is invalid";
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
DataSource dataSource;
@Autowired
@Qualifier("customUserDetailsService")
private UserDetailsService userDetailsService;
@Bean
public PasswordEncoder passwordEncoder()
return new BCryptPasswordEncoder();
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception
security.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated").allowFormAuthenticationForClients().passwordEncoder(passwordEncoder());
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception
clients.jdbc(dataSource);
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception
endpoints.tokenStore(new JdbcTokenStore(dataSource)).authenticationManager(this.authenticationManager).userDetailsService(userDetailsService)
.allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST, HttpMethod.PUT).exceptionTranslator(ex -> ResponseEntity.status(
HttpStatus.UNAUTHORIZED).body(OAuth2Exception.create(OAuth2Exception.UNAUTHORIZED_CLIENT, USER_INVALID))).;
@Bean
public FilterRegistrationBean<CorsFilter> corsFilter()
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
source.registerCorsConfiguration("/**", config);
FilterRegistrationBean<CorsFilter> bean = new FilterRegistrationBean<CorsFilter>(new CorsFilter(source));
bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
return bean;
在 application.properties 我添加以下属性:
host.full.dns.auth.link=http://oauthserver.example.com:8081 app.client.id=test-client app.client.secret=clientSecret auth.server.schem=http
如果用户未通过 Oauth2 进行身份验证,我该如何禁用对 api-docs 的访问?
【问题讨论】:
【参考方案1】:swagger-ui.html 调用/v2/api-docs
来填充页面
敏感信息。所以,我覆盖doFilterInternal
from
OncePerRequestFilter
。如果 swagger-ui 调用文档
然后通话将通过。如果用户尝试调用
文档直接它会显示错误的请求。
@组件 公共类 CustomFilter 扩展 OncePerRequestFilter @Override protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) 抛出 ServletException, IOException 字符串路径 = httpServletRequest.getRequestURI(); 字符串授权 = httpServletRequest.getHeader("Referer"); if ("/v2/api-docs".equals(path) && authorization.isEmpty()) httpServletResponse.sendError(HttpStatus.BAD_REQUEST.value(), "Invalid Locale"); 返回; filterChain.doFilter(httpServletRequest, httpServletResponse);
swagger-ui.html 文件现在是静态资源。并且对于 swagger-ui.html 已经在我的 swagger-ui.html 上受到保护 更改了以下内容:
<script type="text/javascript">
$(function ()
var url = window.location.search.match(/url=([^&]+)/);
var auth = window.sessionStorage.getItem("Authorization");
if (url && url.length > 1)
url = decodeURIComponent(url[1]);
else if (auth)
url = "/v2/api-docs";
// some code
window.swaggerUi.load();
swaggerUi.api.clientAuthorizations.add("oauth2schema",new SwaggerClient.ApiKeyAuthorization("Authorization",'Bearer '+auth,"header"));
function log()
if ('console' in window)
console.log.apply(console, arguments);
【讨论】:
以上是关于Spring Boot Security - 如果用户未通过 Oauth2 进行身份验证,如何禁用对 swagger ui 页面的端点的访问的主要内容,如果未能解决你的问题,请参考以下文章
安全框架Spring Boot 整合 Spring Security
Spring Boot Security 基于角色的访问控制
已在Spring Boot / Security注册中验证电子邮件
Spring boot json错误媒体类型和spring security