我使用 Spring Security 和 oatuh 2 资源服务器。 我已配置为允许某些端点无需身份验证。例如:/actuator/health
身份验证检查得到正确处理,/actuator API 调用在没有身份验证标头的情况下进行,但仍然调用 ServerAuthenticationEntryPoint,在我的案例中记录错误。
我看到 ServerAuthenticationEntryPoint.commence 在不允许的 API 上被调用了两次,而在允许的 API 上它被调用了一次。所以有些东西正在第二次调用 ServerAuthenticationEntryPoint.commence。
配置:
我尝试通过 permitAll:
http
//Disable Http Basic Auth and CSRF (not required because no cookies are used)
.httpBasic().disable().csrf().disable()
//All request need to be authenticated except OPTIONS and /actuator/**
.authorizeExchange()
//Allow all actuator calls
.pathMatchers("/actuator/**").permitAll()
//Any other exchange need to be authenticated
.anyExchange().authenticated()
//Do not allow sessions
.and().securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
//Exception Handling
.exceptionHandling().authenticationEntryPoint(new AuthenticationErrorHandler())
//JWT validation via OAuth Resource Server
.and().oauth2ResourceServer().jwt();
通过 NegatedServerWebExchangeMatcher:
http
//Disable Http Basic Auth and CSRF (not required because no cookies are used)
.httpBasic().disable().csrf().disable()
//Allow all actuator calls
.securityMatcher(new NegatedServerWebExchangeMatcher(
ServerWebExchangeMatchers.pathMatchers("/actuator/**")))
.authorizeExchange()
//Any other exchange need to be authenticated
.anyExchange().authenticated()
//Do not allow sessions
.and().securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
//Exception Handling
.exceptionHandling().authenticationEntryPoint(new AuthenticationErrorHandler()).and()
//JWT validation via OAuth Resource Server
.oauth2ResourceServer().jwt();