我们使用 jwt 令牌添加 Swagger 安全配置后,swagger 无法访问。 控制台中的错误是:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-qzIUUVyNis8jVHXKlYc4HGAEsn0o42pLmW1do84Uptw='), or a nonce ('nonce-...') is required to enable inline execution.
安全配置代码如下
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
....
@Override
public void configure(HttpSecurity http) throws Exception {
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.exceptionHandling()
.and()
.authenticationProvider(provider)
.addFilterBefore(authenticationFilter(), AnonymousAuthenticationFilter.class)
.authorizeRequests()
.requestMatchers(PROTECTED_URLS)
.authenticated()
.and()
.csrf().disable().cors()
.and()
.formLogin().disable()
.httpBasic().disable()
.logout().disable();
http.headers().frameOptions().sameOrigin();
http.headers().contentSecurityPolicy("script-src 'self'");
}
问题是在此配置的最后一行之后开始的:
http.headers().contentSecurityPolicy("script-src 'self'");
如果我们删除这个,招摇就可以了。我们还尝试用“none”代替“self”。我们是否缺少任何注释?请帮忙。
我们还尝试了控制器类注释,如下所示。这也行不通。
@SecurityScheme(name = "bearerToken", type = SecuritySchemeType.HTTP, scheme = "bearer", bearerFormat = "JWT", in = SecuritySchemeIn.HEADER )
和方法注释。
@SecurityRequirement(name = "bearerToken")
我们可以通过将 swaggr UI 依赖项从 1.5 升级到 1.8 来解决这个问题