将Spring Security 与graphql结合使用

2nc8po8w  于 2021-09-30  发布在  Java
关注(0)|答案(1)|浏览(371)

在我的 WebSecurityConfigurerAdapter 我使用以下方法:

private final AuthenticationProvider authenticationProvider;
    private final JWTFilter jwtFilter;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(authenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .cors().disable()
                .authorizeRequests()
                .antMatchers("/graphql").permitAll()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .addFilterBefore(jwtFilter, RequestHeaderAuthenticationFilter.class); // Filter
    }

但是,在我的graphqlmutationresolver中,我无法访问以下方法(错误代码:403-无日志):

@PreAuthorize("isAnonymous()")
public User registerUser(String email, String passwordHash, String associationLocation) throws ChangeSetPersister.NotFoundException {
        return userService.registerUser(email, passwordHash, associationService.findAssociationByPlaceName(associationLocation));
}

关于安全配置有什么想法吗@preauthorize(“isanonymous()”)部分正确吗?

ar7v8xwq

ar7v8xwq1#

多亏了@marcus hert da coregio,我找到了调试应用程序的方法,并发现问题是由我编写httpsecurity配置语句的顺序引起的——类似于下面的帖子:spring security始终返回http 403
这对我来说很有效(因此csrf和cors最终需要禁用):

@Override
protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/graphql").permitAll()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .addFilterBefore(jwtFilter, RequestHeaderAuthenticationFilter.class) // Filter
                .cors().disable()
                .csrf().disable();
}

相关问题