SpringSecurity JWT as long as it is a POST request is 403

Time:04-23

I have disabled the cross-domain (CSRF) protection, but apart from the login endpoints and the related GET requests that are excluded via permitAll, every POST request returns:
{
  "timestamp": 1619093866976,
  "status": 403,
  "error": "Forbidden",
  "message": "Access Denied",
  "path": "/role/insert"
}

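 @Configuration
@EnableWebSecurity
public class JWTSecurityConfig extends WebSecurityConfigurerAdapter {
    // Listing reconstructed from a garbled (machine-translated) paste: identifiers and
    // Spring API calls are restored to their conventional spelling; every path literal
    // below must be checked against the original source before use.

    private final JWTAuthenticationFilter jwtAuthenticationFilter;
    private final JWTAuthenticationProvider jwtAuthenticationProvider;
    private final WebOptionsFilter webOptionsFilter;

    /**
     * Wires the collaborators the filter chain is built from.
     *
     * @param jwtAuthenticationFilter   filter that is placed before the username/password filter
     * @param jwtAuthenticationProvider provider registered with the AuthenticationManagerBuilder
     * @param webOptionsFilter          filter that is placed before FilterSecurityInterceptor
     */
    @Autowired
    public JWTSecurityConfig(JWTAuthenticationFilter jwtAuthenticationFilter,
                             JWTAuthenticationProvider jwtAuthenticationProvider,
                             WebOptionsFilter webOptionsFilter) {
        this.jwtAuthenticationFilter = jwtAuthenticationFilter;
        this.jwtAuthenticationProvider = jwtAuthenticationProvider;
        this.webOptionsFilter = webOptionsFilter;
    }

    /**
     * Exposes the {@link AuthenticationManager} built by this configuration as a bean.
     *
     * @return the manager created by {@code WebSecurityConfigurerAdapter}
     * @throws Exception propagated from the superclass
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Registers the JWT provider as the only explicitly configured authentication provider.
     *
     * @param auth the builder to register the provider with
     */
    @Override
    public void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(jwtAuthenticationProvider);
    }

    /**
     * Builds a stateless, header-token filter chain: CSRF, HTTP Basic and form login are
     * disabled, sessions are never created, the login and documentation endpoints are open,
     * and every other request must carry an authenticated principal.
     *
     * @param http the HttpSecurity to configure
     * @throws Exception propagated from the HttpSecurity DSL
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF tokens are disabled. This is only safe while the JWT travels in a request
        // header that the browser does not attach automatically; if JWTAuthenticationFilter
        // reads the token from a cookie, a CSRF defence is needed again — verify in the filter.
        http.csrf().disable()
            .httpBasic().disable()
            .formLogin().disable()
            // REST is stateless: no HTTP session is ever created to hold the principal.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Unauthenticated requests get 403 "Access Denied" from this entry point rather
            // than 401. NOTE(review): a 403 with that body on a protected POST therefore
            // means the request reached authorization with no Authentication in the
            // SecurityContext — check that jwtAuthenticationFilter populates it for those
            // requests, not only for GETs.
            .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
            .and()
            // Cross-origin settings come from the bean below.
            .cors().configurationSource(corsConfigurationSource());

        // Authorization rules; everything not listed requires an authenticated principal.
        http.authorizeRequests()
            .antMatchers("/login", "/login/check", "/login/logout").permitAll()
            // Swagger / Springfox resources.
            .antMatchers("/v2/api-docs", "/swagger-resources/configuration/ui",
                         "/swagger-resources", "/swagger-ui.html", "/webjars/**",
                         "/swagger-resources/configuration/security").permitAll()
            // Management endpoints. The first two literals are unreadable in the pasted
            // listing ("/physical") — confirm them against the original source. Leaving
            // /env, /dump, /trace and /jolokia open to anonymous callers exposes
            // configuration and runtime internals; restrict them unless that is intended.
            .antMatchers("/physical", "/physical/health", "/info", "/error", "/dump", "/metrics",
                         "/env", "/refresh", "/trace", "/jolokia", "/flyway",
                         "/liquibase", "/logfile").permitAll()
            .anyRequest().authenticated();

        // webOptionsFilter runs immediately before the authorization interceptor;
        // jwtAuthenticationFilter runs before the (disabled) username/password filter so
        // that the principal it resolves is in place when authorization happens.
        http.addFilterBefore(webOptionsFilter, FilterSecurityInterceptor.class);
        http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    }

    /**
     * CORS policy applied to every path ({@code /**}).
     *
     * @return a URL-based source holding a single, wide-open configuration
     */
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        // Declared as the concrete type so registerCorsConfiguration needs no cast.
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        // SECURITY: "*" as an allowed origin together with allowCredentials(true) lets any
        // site make credentialed cross-origin requests, and recent Spring versions reject
        // the combination when an Origin header is checked. List the front-end's real
        // origins here (e.g. "http://localhost:8080" — constructed example) instead of "*".
        corsConfiguration.addAllowedOrigin("*");
        // Any request header is allowed, so the token header does not need to be listed.
        corsConfiguration.addAllowedHeader("*");
        // Any method (POST, GET, ...) is allowed.
        corsConfiguration.addAllowedMethod("*");
        corsConfiguration.setAllowCredentials(true);
        source.registerCorsConfiguration("/**", corsConfiguration);
        return source;
    }

}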