When we integrated Spring Security with OAuth2, we found that some business endpoints need to stay open to visitors who have not been identified, for a variety of reasons (e.g. the interface used when a new user registers should be open).
Official related documents
For the official usage documentation for ApiBoot Security, visit ApiBoot Security.
In section 4, Default Excluded Paths, we learn that ApiBoot Security internally adds some default excluded paths for integration with other third-party frameworks. When we add open paths, they are added on top of these defaults and do not overwrite them.
Blog address: blog.yuqiyu.com/apiboot-sec…
Create a project
We use the IDEA development tool to create a SpringBoot project and add related dependencies to pom.xml, as shown below:
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <!-- ApiBoot Security OAuth -->
        <dependency>
            <groupId>org.minbox.framework</groupId>
            <artifactId>api-boot-starter-security-oauth-jwt</artifactId>
        </dependency>
    </dependencies>
    <dependencyManagement>
        <dependencies>
            <!-- ApiBoot dependency versions (BOM import) -->
            <dependency>
                <groupId>org.minbox.framework</groupId>
                <artifactId>api-boot-dependencies</artifactId>
                <version>2.2.2.RELEASE</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>
Excluded Path Configuration
The default interception configuration of the ApiBoot Security OAuth security component is /api/**, that is, all paths and subpaths under /api must be authenticated before they can be accessed.
We can change the list of protected paths through the api.boot.security.auth-prefix parameter. ApiBoot also provides another parameter, api.boot.security.ignoring-urls, which configures the list of open paths (open paths can be accessed directly, without permission interception). Ant-style patterns are supported. The content of application.yml is as follows:
    spring:
      application:
        name: apiboot-security-open-paths-without-intercept
    server:
      port: 9090
    api:
      boot:
        security:
          # Root path protected by permission interception
          auth-prefix: /**
          # Open paths that are not intercepted
          ignoring-urls:
            - /index/**
In application.yml we set api.boot.security.ignoring-urls to /index/**, so requests to /index and /index/xxx are not intercepted and can be accessed directly.
Sample request
Let’s create a sample controller named IndexController to verify that our open path is in effect, as shown below:
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;

    /**
     * Example: controller
     */
    @RestController
    @RequestMapping(value = "/index")
    public class IndexController {
        /**
         * Example: /index
         *
         * @return the index page text
         */
        @GetMapping
        public String index() {
            return "this is index page.";
        }

        /**
         * Example: /index/sub
         *
         * @return the sub index page text
         */
        @GetMapping(value = "/sub")
        public String indexSub() {
            return "this is sub index page.";
        }
    }
In application.yml we set the open address to /index/**, so both addresses in IndexController, /index and /index/sub, are open.
Run the test
We start this chapter's project from IDEA through the XxxApplication entry class. The test points we want to verify are listed below.
Test point: Open path
Let's visit http://localhost:9090/index; the result is as follows:
    ➜ ~ curl http://localhost:9090/index
    this is index page.
Accessing /index returns the content of the interface directly, proving that the address is open and no longer blocked by permission interception.
ApiBoot Security OAuth open addresses support Ant style. We set the open address to /index/**, so /index/sub should also be open; the result is as follows:
    ➜ ~ curl http://localhost:9090/index/sub
    this is sub index page.
If we change api.boot.security.ignoring-urls to /index, then /index/sub is no longer open, and a valid AccessToken must be carried to access it.
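As an added example (not code from the article or from ApiBoot), the class below checks which routes a given ignoring-urls list would open before the configuration is deployed. It uses Spring's AntPathMatcher on the assumption that it reflects the Ant-style matching the starter applies; the route inventory, including /index/admin and /order/1, is constructed for illustration.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.springframework.util.AntPathMatcher;

/** Added example: audit candidate ignoring-urls values against a route inventory. */
public class OpenPathAudit {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** True when at least one open-path pattern matches the request path. */
    static boolean isOpen(List<String> ignoringUrls, String path) {
        return ignoringUrls.stream().anyMatch(pattern -> MATCHER.match(pattern, path));
    }

    /** Routes the patterns leave open although the inventory marks them as non-public. */
    static List<String> unintendedOpen(List<String> ignoringUrls, Map<String, Boolean> routes) {
        return routes.entrySet().stream()
                .filter(route -> !route.getValue() && isOpen(ignoringUrls, route.getKey()))
                .map(Map.Entry::getKey)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed inventory: path -> "meant to be reachable without an AccessToken".
        // /index/admin and /order/1 are hypothetical routes, not part of the article's project.
        Map<String, Boolean> routes = new LinkedHashMap<>();
        routes.put("/index", true);
        routes.put("/index/sub", true);
        routes.put("/index/admin", false);
        routes.put("/order/1", false);

        // The two ignoring-urls values compared in the article.
        List<List<String>> candidates = Arrays.asList(
                Arrays.asList("/index/**"),
                Arrays.asList("/index"));

        for (List<String> ignoringUrls : candidates) {
            System.out.println("ignoring-urls = " + ignoringUrls);
            for (String path : routes.keySet()) {
                System.out.println("  " + path + " -> " + (isOpen(ignoringUrls, path) ? "open" : "token required"));
            }
            System.out.println("  open but not meant to be public: " + unintendedOpen(ignoringUrls, routes));
        }
    }
}
```

Run as part of a build, a check like this makes it visible when a wildcard such as /index/** would also open a sub-route added later.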
Test point: Interception of an open path
Let's do a special test point: accessing a path that is not defined in the backend, as follows:
    ➜ ~ curl http://localhost:9090/index/11
    {"error":"unauthorized","error_description":"Full authentication is required to access this resource"}
We did not add an implementation for /index/11, yet the request is still blocked when we access it, which proves that the request is intercepted before it reaches request resolution.
Key points
Every path that is not open requires a valid AccessToken, regardless of whether the address exists or not. In this chapter, for example, I configured the root address for permission interception as /**. In the source code the api.boot.security.auth-prefix parameter is an array (see: org.minbox.framework.api.boot.autoconfigure.security.ApiBootSecurityProperties), so you can configure multiple addresses, such as /user/**, /order/**. api.boot.security.ignoring-urls also supports multiple values as an array.
Free Tutorials
Heng Yu teenager has organized three free tutorial series on the blog. Because there are many articles, a reading guide has been added, and both new and earlier articles are filed under these series. I hope they help you with more knowledge points.
- SpringBoot basics tutorial series
- SpringCloud basics tutorial series
- ApiBoot basics tutorial series
Code sample
If you like this article, please star the source repository, thanks! The source code for this article can be found in the following directory: apiboot-security-open-paths-without-intercept
- Gitee:Gitee.com/minbox-proj…