SpringSecurity+JWT只要是POST请求就403

伪墨 2021-04-22 08:22:20

我已经关闭了跨域保护，但是除了permitAll过滤掉的login相关接口以及get请求之外，所有的post请求都返回：
{
"timestamp": 1619093866976,
"status": 403,
"error": "Forbidden",
"message": "Access Denied",
"path": "/role/insert"
}

@Configuration

@EnableWebSecurity

public class JWTSecurityConfig extends WebSecurityConfigurerAdapter {



  private final JWTAuthenticationFilter jwtAuthenticationFilter;

  private final JWTAuthenticationProvider jwtAuthenticationProvider;

  private final WebOptionsFilter webOptionsFilter;



  @Autowired

  public JWTSecurityConfig(JWTAuthenticationFilter jwtAuthenticationFilter, JWTAuthenticationProvider jwtAuthenticationProvider, WebOptionsFilter webOptionsFilter) {

    this.jwtAuthenticationFilter = jwtAuthenticationFilter;

    this.jwtAuthenticationProvider = jwtAuthenticationProvider;

    this.webOptionsFilter = webOptionsFilter;

  }



  @Bean

  @Override

  public AuthenticationManager authenticationManagerBean() throws Exception {

    return super.authenticationManagerBean();

  }



  @Override

  public void configure(AuthenticationManagerBuilder auth) {

    auth.authenticationProvider(jwtAuthenticationProvider);

  }



  @Override

  protected void configure(HttpSecurity http) throws Exception {

    http.csrf().disable() //关闭跨域保护

      .httpBasic().disable()

      .formLogin().disable()

      // ReST is stateless, no sessions

      .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)

      .and()

      // return 403 when not authenticated

      .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())

      .and()

      //跨域设置

      .cors()

      .configurationSource(corsConfigurationSource());





    // Let child classes set up authorization paths

    http.authorizeRequests()

      .antMatchers("/login", "/login/check", "/login/logout").permitAll()

      //swagger请求允许

      .antMatchers("/v2/api-docs", "/swagger-resources/configuration/ui", "/swagger-resources",

        "/swagger-ui.html", "/webjars/**", "/swagger-resources/configuration/security").permitAll()

      .antMatchers("/actuator", "/actuator/health", "/info", "/error", "/dump", "/metrics",

        "/env", "/refresh", "/trace", "/jolokia/", "/flyway",

        "/liquibase", "/logfile").permitAll()

      .anyRequest().authenticated();



    //在安全验证前添加WebFilter

    http.addFilterBefore(webOptionsFilter, FilterSecurityInterceptor.class);

    http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);

  }



  @Bean

  public CorsConfigurationSource corsConfigurationSource() {

    CorsConfigurationSource source = new UrlBasedCorsConfigurationSource();

    CorsConfiguration corsConfiguration = new CorsConfiguration();

    //同源配置，*表示任何请求都视为同源，若需指定ip和端口可以改为如“localhost：8080”，多个以“，”分隔；

    corsConfiguration.addAllowedOrigin("*");

    //header，允许哪些header,可将*替换为token

    corsConfiguration.addAllowedHeader("*");

    //允许的请求方法，POST、GET等

    corsConfiguration.addAllowedMethod("*");

    corsConfiguration.setAllowCredentials(true);

    //配置允许跨域访问的url

    ((UrlBasedCorsConfigurationSource) source).registerCorsConfiguration("/**", corsConfiguration);

    return source;

  }



}