在我的 WebSecurityConfigurerAdapter 我使用以下方法:
private final AuthenticationProvider authenticationProvider;
private final JWTFilter jwtFilter;
@Override
protected void configure(AuthenticationManagerBuilder auth) {
auth.authenticationProvider(authenticationProvider);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors().disable()
.authorizeRequests()
.antMatchers("/graphql").permitAll()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.addFilterBefore(jwtFilter, RequestHeaderAuthenticationFilter.class); // Filter
}但是,在我的graphqlmutationresolver中,我无法访问以下方法(错误代码:403-无日志):
@PreAuthorize("isAnonymous()")
public User registerUser(String email, String passwordHash, String associationLocation) throws ChangeSetPersister.NotFoundException {
return userService.registerUser(email, passwordHash, associationService.findAssociationByPlaceName(associationLocation));
}关于安全配置有什么想法吗@preauthorize(“isanonymous()”)部分正确吗?
1条答案
按热度按时间ar7v8xwq1#
多亏了@marcus hert da coregio,我找到了调试应用程序的方法,并发现问题是由我编写httpsecurity配置语句的顺序引起的——类似于下面的帖子:spring security始终返回http 403
这对我来说很有效(因此csrf和cors最终需要禁用):