spring-security: all requests sent through OpenAPI return 403 Forbidden

i2byvkas published on 2022-11-11 in Spring
Follow (0) | Answers (2) | Views (207)

I have a Spring Boot application that uses Spring Security. I added OpenAPI (Swagger) to the project. The login request returns 403 even though it has been added to permitAll(). Through Postman everything works fine.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration)
            throws Exception {
        return authenticationConfiguration.getAuthenticationManager();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .cors().disable().csrf().disable().authorizeRequests()
                // only the login endpoint is open; everything else needs an authenticated user
                .antMatchers("/api/user/login").permitAll()
                .anyRequest().authenticated();

        return http.build();
    }

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        // these paths are taken out of the security filter chain entirely
        return (web) -> web.ignoring()
                           .antMatchers("/v3/api-docs/**")
                           .antMatchers("configuration/**")
                           .antMatchers("/swagger*/**")
                           .antMatchers("/webjars/**")
                           .antMatchers("/swagger-ui/**");
    }
}
```

I tried registering the paths in the webSecurityCustomizer() method, but it still has no effect.
build.gradle:

```groovy
dependencies {
    implementation group: 'org.springframework.boot', name: 'spring-boot-starter-web', version: '2.7.2'
    implementation group: 'org.springframework.boot', name: 'spring-boot-starter-jdbc', version: '2.7.2'
    implementation group: 'org.springframework.boot', name: 'spring-boot-starter-security', version: '2.7.2'

    implementation group: 'com.microsoft.sqlserver', name: 'mssql-jdbc', version: '9.4.1.jre16'

    implementation group: 'org.json', name: 'json', version: '20220320'

    implementation group: 'org.springdoc', name: 'springdoc-openapi-ui', version: '1.6.10'

    implementation group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'

    compileOnly 'org.projectlombok:lombok:1.18.24'

    annotationProcessor 'org.projectlombok:lombok:1.18.24'
}
```
des4xlb0 1#

I tried this configuration, and it works for me:

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// The two @Override methods below belong to a WebSecurityConfigurerAdapter subclass;
// the apiUrl and jwtFilter fields are part of that class and are not shown in the answer.
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests().antMatchers( apiUrl + "/login","/user-openapi/**", "/swagger-ui/**", "/v3/api-docs/**","/index.html").permitAll()
                .anyRequest().authenticated()
                .and().sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/swagger-ui/**", "/v3/api-docs/**");
    }
}
```

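The following is an added example, not the asker's or the answerer's code: a complete Spring Boot 2.7 / springdoc-openapi 1.6 configuration in the SecurityFilterChain style the question uses, with the springdoc paths and the login endpoint opened via permitAll() rather than web.ignoring(). The login path /api/user/login is the one from the question; the JwtAuthenticationFilter class, the package name and the springdoc paths (springdoc's defaults, assuming springdoc.api-docs.path and springdoc.swagger-ui.path are not overridden) are assumptions.

```java
// Added example; not code from the question or the answers.
package com.example.security; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class OpenApiSecurityConfiguration {

    // Paths served by springdoc-openapi-ui 1.6.x with its default settings (assumption:
    // springdoc.api-docs.path and springdoc.swagger-ui.path are not overridden).
    private static final String[] OPENAPI_PATHS = {
            "/v3/api-docs/**",   // the OpenAPI document, group variants and swagger-config
            "/swagger-ui.html",  // redirect entry point
            "/swagger-ui/**"     // the bundled UI (index.html, swagger-ui-bundle.js, ...)
    };

    // Hypothetical token filter; stands in for whatever authenticates API requests.
    private final JwtAuthenticationFilter jwtFilter;

    public OpenApiSecurityConfiguration(JwtAuthenticationFilter jwtFilter) {
        this.jwtFilter = jwtFilter;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // A token-authenticated, stateless API carries no session cookie, so CSRF
            // protection adds nothing here; a cookie-based app should keep it enabled
            // and exempt only the endpoints that really need it.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // permitAll() keeps these requests inside the filter chain, so security
                // headers still apply; web.ignoring() bypasses Spring Security entirely
                // for the path, which Spring Security 5.7 flags with a startup warning.
                .antMatchers(OPENAPI_PATHS).permitAll()
                // Open only the HTTP method the login endpoint actually uses.
                .antMatchers(HttpMethod.POST, "/api/user/login").permitAll()
                .anyRequest().authenticated()
            .and()
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }
}
```

Two points worth keeping in mind with this setup. First, no formLogin() or httpBasic() is configured, so an anonymous request to a protected path is answered by the default Http403ForbiddenEntryPoint with 403, not 401: a 403 from the Swagger UI therefore means "this request carried no accepted credentials", which is why looking at the exact failing request in the browser (as the second answer does) is the right diagnostic. Second, opening /v3/api-docs/** publishes the full API surface to anyone who can reach the server; in production it is common to switch the document off with springdoc.api-docs.enabled=false or to put it behind authentication.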

7y4bm7vi 2#

I ran into the same problem. I decided to request my Swagger UI again with Safari's developer tools open, and there I could see which requests (paths) were being filtered out and not allowed through by Spring Security!

```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http // ...
        .authorizeRequests()
        // the paths the browser showed as blocked are opened here
        .antMatchers("/api/swagger-ui/**", "/v3/api-docs/**").permitAll();
        // ...
    return http.build();
}
```

This works for me.
I am using Spring Boot 2.7.3 and springdoc-openapi-ui 1.6.10.
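The second answer finds the blocked paths by watching the browser; the added test below (not part of the original thread) turns that check into something repeatable, so a later change to the security configuration cannot silently reopen a protected endpoint or lock the Swagger UI out again. It assumes springdoc-openapi-ui on the classpath with its default paths, a security configuration that opens POST /api/user/login and the springdoc paths via permitAll() with no formLogin()/httpBasic(), and a hypothetical protected endpoint /api/user/me.

```java
// Added example; not code from the question or the answers.
package com.example.security; // hypothetical package

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class OpenApiAccessPolicyTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void openApiDocumentIsReadableWithoutCredentials() throws Exception {
        // Both requests are issued by the Swagger UI page itself while it loads.
        mockMvc.perform(get("/v3/api-docs")).andExpect(status().isOk());
        mockMvc.perform(get("/v3/api-docs/swagger-config")).andExpect(status().isOk());
    }

    @Test
    void swaggerUiIsReadableWithoutCredentials() throws Exception {
        // springdoc serves the UI from /swagger-ui/index.html (/swagger-ui.html redirects there).
        mockMvc.perform(get("/swagger-ui/index.html")).andExpect(status().isOk());
    }

    @Test
    void loginIsNotOpenForMethodsOtherThanPost() throws Exception {
        // Authorization runs before dispatch, so this holds even without a GET mapping.
        mockMvc.perform(get("/api/user/login")).andExpect(status().isForbidden());
    }

    @Test
    void protectedEndpointRejectsAnonymousRequests() throws Exception {
        // With no formLogin()/httpBasic() configured the default entry point answers 403
        // rather than 401; this is the status the question reports from the Swagger UI.
        mockMvc.perform(get("/api/user/me")).andExpect(status().isForbidden()); // hypothetical endpoint
    }
}
```

If the first two tests fail with 403 while the last two pass, the configuration is blocking the UI's own requests, which is exactly the symptom the question and the second answer describe; the failing test names the path to add to permitAll().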
