Spring boot：如何跳过特定端点的基本身份验证

Question

我尝试了很多方法，但是当我点击 /healthCheck URL 时，它会提示输入用户名和密码。 我在 EmailsecurityAdapter.java 类中有以下代码

import com.cellpointmobile.email.services.AuthenticationService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class EmailSecurityAdapter extends WebSecurityConfigurerAdapter {

    @Autowired
    AuthenticationService userDetailsService;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
        auth.authenticationProvider(authenticationProvider());
    }


@Override
public void configure(WebSecurity web) throws Exception {
    web
            .ignoring()
            .antMatchers("/healthCheck**");
}


@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "**/heathCheck/*").permitAll()
            .anyRequest()
            .access("isFullyAuthenticated() and hasAnyRole('ROLE_ADMIN','ROLE_USER')")
            .and()
            .httpBasic();
}

    @Bean
    public PasswordEncoder passwordEncoder() {
        //https://www.browserling.com/tools/bcrypt
        return new BCryptPasswordEncoder();
    }

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        authenticationProvider.setUserDetailsService(userDetailsService);
        authenticationProvider.setPasswordEncoder(passwordEncoder());
        return authenticationProvider;
    }
}

我应该在 configure() 方法中更改什么以公开访问 healthCheck url？

邮递员回复 GET http://127.0.0.1:8080/heathCheck

<Map>
    <timestamp>2019-09-13</timestamp>
    <status>401</status>
    <error>Unauthorized</error>
    <message>Unauthorized</message>
    <path>/heathCheck</path>
</Map>

Answer 1

使用

@Override
protected void configure(HttpSecurity http) throws Exception {
        http
        .csrf().disable()
        .authorizeRequests()
        .antMatchers(HttpMethod.GET, "**/heathCheck/**").permitAll()
        .anyRequest()
        .access("isFullyAuthenticated() and hasAnyRole('ROLE_ADMIN','ROLE_USER')")
        .and()
        .httpBasic();
}

或在 configure(WebSecurity web) 中使用 web.ignoring()，这将忽略所有使用它指定的端点的安全过滤器。之后，您可以将其从configure(HttpSecurity http) 中删除，并将configure(WebSecurity web) 保留在configure(HttpSecurity http) 之上。

HttpSecurity vs WebSecurity

 @Override
    public void configure(WebSecurity web) throws Exception {
        web
          .ignoring()
            .antMatchers(HttpMethod.yourMethod, "**/heathCheck/**");
    }

---

更新：

@Override
        public void configure(WebSecurity web) throws Exception {
            web
              .ignoring()
                .antMatchers(HttpMethod.yourMethod, "**/heathCheck/**");
        }

@Override
protected void configure(HttpSecurity http) throws Exception {
            http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "**/heathCheck/*").permitAll()
            .anyRequest()
            .access("isFullyAuthenticated() and hasAnyRole('ROLE_ADMIN','ROLE_USER')");
}