spring config server禁止加密

Question

我已经配置了一个spring cloud配置服务器来使用oAuth2来提高安全性.除加密终点外,一切运行良好.当我尝试访问时,/encrypt我得到403 Forbidden.我在标题中包含授权承载令牌.有没有办法允许在使用oAuth保护服务器时调用加密端点,或者它是否始终被阻止？如果您想查看此服务器的任何配置文件,请告诉我.

仅供参考,以下是有效的方法.

• 呼叫/encrypt/status产生{"status":"OK"}
• 正在拉取git存储库,因为我可以从服务器访问属性文件.

• oAuth身份验证正在与Google合作,因为它会引导我完成登录过程.

  这是弹簧安全设置.

    security: 
     require-ssl: true 
     auth2:  
       client:  
         clientId: PROVIDED BY GOOGLE  
         clientSecret: PROVIDED BY GOOGLE  
         accessTokenUri: https://www.googleapis.com/oauth2/v4/token  
         userAuthorizationUri: https://accounts.google.com/o/oauth2/v2/auth  
         scope:  
            - openid  
            - email  
            - profile  
      resource:  
         userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo  
         preferTokenInfo: true  

    server:  
       port: 8443  
       ssl:  
         key-store-type: PKCS12  
         key-store: /spring-config-server/host/tomcat-keystore.p12  
         key-alias: tomcat  
         key-store-password: ${KEYSTORE_PASSWORD}

这是我从POM文件中的依赖项,因此您可以看到我正在使用的库的版本.

<parent>  
    <groupId>org.springframework.boot</groupId>  
    <artifactId>spring-boot-starter-parent</artifactId>  
    <version>2.0.0.RELEASE</version>  
    <relativePath/>  
    <!-- lookup parent from repository -->  
</parent>  
<properties>  
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>  
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>  
    <java.version>1.8</java.version>  
    <spring-cloud.version>Finchley.M8</spring-cloud.version>  
</properties>  
<dependencies>  
    <dependency>  
        <groupId>org.springframework.cloud</groupId>  
        <artifactId>spring-cloud-config-server</artifactId>  
    </dependency>  
    <dependency>  
        <groupId>org.springframework.boot</groupId>  
        <artifactId>spring-boot-starter-test</artifactId>  
    </dependency>  
    <dependency>  
        <groupId>org.springframework.cloud</groupId>  
        <artifactId>spring-cloud-security</artifactId>  
    </dependency>  
</dependencies>  
<dependencyManagement>  
    <dependencies>  
        <dependency>  
            <groupId>org.springframework.cloud</groupId>  
            <artifactId>spring-cloud-dependencies</artifactId>  
            <version>${spring-cloud.version}</version>  
            <type>pom</type>  
            <scope>import</scope>  
        </dependency>  
    </dependencies>  
</dependencyManagement>  

Answer 1

我解决了它实现这个WebSecurityConfigurer.它禁用CSRF并设置基本身份验证.在Spring Boot 2.0.0中,您无法使用强制您实现Java安全配置Bean的属性来禁用CSRF.

package my.package.config.server;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests()
        .anyRequest().authenticated().and()
        .httpBasic();
;
    }


}

希望能帮助到你