首页 文章

spring config server禁止加密

提问于
浏览
3

我已将spring cloud config server配置为使用oAuth2来保证安全性 . 除加密终点外,一切运行良好 . 当我尝试访问 /encrypt 时,我得到403 Forbidden . 我在 Headers 中包含授权承载令牌 . 有没有办法允许在使用oAuth保护服务器时调用加密 endpoints ,或者它是否始终被阻止?如果您想查看此服务器的任何配置文件,请告诉我 .

仅供参考,以下是有效的方法 .

  • 调用 /encrypt/status 产生 {"status":"OK"}

  • 正在拉取git存储库,因为我可以从服务器访问属性文件 .

  • oAuth身份验证正在与Google合作,因为它会引导我完成登录过程 .

这是 spring 安全设置 .

security: 
     require-ssl: true 
     auth2:  
       client:  
         clientId: PROVIDED BY GOOGLE  
         clientSecret: PROVIDED BY GOOGLE  
         accessTokenUri: https://www.googleapis.com/oauth2/v4/token  
         userAuthorizationUri: https://accounts.google.com/o/oauth2/v2/auth  
         scope:  
            - openid  
            - email  
            - profile  
      resource:  
         userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo  
         preferTokenInfo: true  

    server:  
       port: 8443  
       ssl:  
         key-store-type: PKCS12  
         key-store: /spring-config-server/host/tomcat-keystore.p12  
         key-alias: tomcat  
         key-store-password: ${KEYSTORE_PASSWORD}

这是我从POM文件中的依赖项,因此您可以看到我正在使用的库的版本 .

<parent>  
    <groupId>org.springframework.boot</groupId>  
    <artifactId>spring-boot-starter-parent</artifactId>  
    <version>2.0.0.RELEASE</version>  
    <relativePath/>  
    <!-- lookup parent from repository -->  
</parent>  
<properties>  
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>  
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>  
    <java.version>1.8</java.version>  
    <spring-cloud.version>Finchley.M8</spring-cloud.version>  
</properties>  
<dependencies>  
    <dependency>  
        <groupId>org.springframework.cloud</groupId>  
        <artifactId>spring-cloud-config-server</artifactId>  
    </dependency>  
    <dependency>  
        <groupId>org.springframework.boot</groupId>  
        <artifactId>spring-boot-starter-test</artifactId>  
    </dependency>  
    <dependency>  
        <groupId>org.springframework.cloud</groupId>  
        <artifactId>spring-cloud-security</artifactId>  
    </dependency>  
</dependencies>  
<dependencyManagement>  
    <dependencies>  
        <dependency>  
            <groupId>org.springframework.cloud</groupId>  
            <artifactId>spring-cloud-dependencies</artifactId>  
            <version>${spring-cloud.version}</version>  
            <type>pom</type>  
            <scope>import</scope>  
        </dependency>  
    </dependencies>  
</dependencyManagement>
spring spring-cloud-config

2 回答

  • 0

    我解决了它实现这个WebSecurityConfigurer . 它禁用CSRF并设置基本身份验证 . 在Spring Boot 2.0.0中,您无法使用强制您实现Java安全配置Bean的属性来禁用CSRF .

    package my.package.config.server;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests()
        .anyRequest().authenticated().and()
        .httpBasic();
;
    }


}

    希望能帮助到你

    回复于
  • 8

    要解决此问题,我需要扩展WebSecurityConfigurerAdapter,并在配置方法中禁用CSRF令牌 .

    http
            .csrf().disable()
            .antMatcher("/**")                
            .authorizeRequests()
            .antMatchers("/", "/login**", "/error**")
            .permitAll()
            .anyRequest().authenticated();
    回复于

相关问题