找不到CSRF代币,也找不到静态资源OAUTH2/授权/l

问题描述 投票:0回答:1
弹簧授权OAuth 2.0服务器http:// auth-server:9000

用户界面(React JS应用程序)

Gateway(又名OAuth 2.0客户端)
    ResourceServer
  1. below是SecurityConfig Resurce的配置-Server
  2. @Configuration @EnableWebSecurity public class SecurityConfig { public interface Jwt2AuthoritiesConverter extends Converter<Jwt, Collection<? extends GrantedAuthority>> { } @Bean Jwt2AuthoritiesConverter authoritiesConverter() { return jwt -> { @SuppressWarnings("unchecked") final Collection<String> roles = (Collection<String>) jwt.getClaims().getOrDefault("roles", List.of()); return roles.stream().map(role -> new SimpleGrantedAuthority(role)).collect(Collectors.toList()); }; } public interface Jwt2AuthenticationConverter extends Converter<Jwt, AbstractAuthenticationToken> { } @Bean Jwt2AuthenticationConverter authenticationConverter(Jwt2AuthoritiesConverter authoritiesConverter) { return jwt -> new JwtAuthenticationToken(jwt, authoritiesConverter.convert(jwt)); } @Bean SecurityFilterChain securityFilterChain(HttpSecurity http, Converter<Jwt, AbstractAuthenticationToken> authenticationConverter) throws Exception { http.oauth2ResourceServer(oauth2ResourceServer -> oauth2ResourceServer .jwt(jwt -> jwt.jwtAuthenticationConverter(authenticationConverter))); http.csrf(csrf -> csrf.disable()); http.securityMatcher("/") .authorizeHttpRequests(authorize -> authorize.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll() .requestMatchers("/lot-games/api/autogen/**").hasRole("ADMIN") .requestMatchers("/lot-games/api/**").permitAll().anyRequest().authenticated()); return http.build(); } }
  3. 我很好地奏效了获取方法,但是一旦使用了帖子方法,我就找不到浏览器的答案,而无法找到预期的CSRF令牌,而且我从日志中理解,这样的答案形成了网关,因为日志(甚至在弹簧式工程:跟踪级别)都是空的,但在网关上
  4. [7A7F852D-5] 标题= {basked} [7A7F852D-5]已完成403 标题= {basked} [7A7F852D-1,L:/127.0.0.1:8072! r:/127.0.0.1:51774] 处理完成

我认为没问题,我只将此代码添加到SecurityConfig网关 - 但是一切都破裂了,我得到了
@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http.csrf(Customizer.withDefaults());
        return http.build();
    }
}

or

@Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { return http.csrf(CsrfSpec::disable).build(); }

但是,但是一切都崩溃了,我遇到了一个错误`

本应用程序没有配置的错误视图,因此您正在看到此
作为后备。星期一3月11日19:54:33 MSK 2024 [1DD5AEB3-6]有一个
意外错误(type =找不到,状态= 404)。没有静态资源
OAuth2/授权/lot-games-client-osterorization-code。
org.springframework.web.reactive.resource.noresourcefoundexception:
404 not_found“没有静态资源
oauth2/授权/lot-games-client-osterorization-code
org.springframework.web.reeactive.resource.Resourcewebhandler.lambda $ whand $ 1(resourcewebhandler.java:431)
被抑制:堆叠已通过反应堆增强,请参阅
下面的其他信息:在
以下网站: *__检查点⇢
org.springframework.cloud.gateway.filter.weightcalculatorwebfilter
[DefaultWebFilterChain] *__检查点⇢logoutwebfilter
[DefaultWebFilterChain] *__检查点⇢serverrequestcachewebfilter
[DefaultWebFilterChain] *__检查点⇢
SecurityContextServerwebexChangeWebFilter [DefaultWeabfilterChain]
*__ checkpoint⇢reactorContextextextwebfilter [defaultwebfilterchain]
*__检查点⇢csrfwebfilter [defaultwebfilterchain] *__检查点
⇢httpheaderwriterwebfilter [defaultwebfilterchain] *__检查点⇢
serverwebexchangereactorcontextwebfilter [defaultwebfilterchain]
*__检查点⇢
org.springframework.security.web.server.webfilterchainproxy
[DefaultWebFilterChain] *__检查点⇢http get
“/oauth2/授权/lot-games-client-oterorization-code”
[exceptionhandlingwebhandler]

你可以帮我吗?
    

当您的
SecurityFilterChain

呼叫不包括

securityMatcher
路径时,就会发生这种情况。在您的情况下,有一条线

/oauth2/**
java spring-cloud-gateway spring-resource-server
1个回答
0
投票
使Spring仅应用其安全配置(以及OAuth One)仅适用于路径。将此行更改为

http.securityMatcher("/")
检查是否有帮助。
    

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.