谢谢马齐乌先生。我在网关的 SecurityConfiguration.java 中的 springSecurityFilterChain 方法中添加了路径匹配器:
.pathMatchers("/services/tajvoteservice/api/landing-page-by-organizations/**").permitAll()
所以我的网关SecurityConfiguration的springSecurityFilterChain方法如下:
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
// @formatter:off
http
.securityMatcher(new NegatedServerWebExchangeMatcher(new OrServerWebExchangeMatcher(
pathMatchers("/app/**", "/i18n/**", "/content/**", "/swagger-ui/**", "/swagger-resources/**", "/v2/api-docs", "/v3/api-docs", "/test/**"),
pathMatchers(HttpMethod.OPTIONS, "/**")
)))
.csrf()
.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
.and()
// See https://github.com/spring-projects/spring-security/issues/5766
.addFilterAt(new CookieCsrfFilter(), SecurityWebFiltersOrder.REACTOR_CONTEXT)
.addFilterAt(new SpaWebFilter(), SecurityWebFiltersOrder.AUTHENTICATION)
.exceptionHandling()
.accessDeniedHandler(problemSupport)
.authenticationEntryPoint(problemSupport)
.and()
.headers()
.contentSecurityPolicy(jHipsterProperties.getSecurity().getContentSecurityPolicy())
.and()
.referrerPolicy(ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
.and()
.featurePolicy("geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; fullscreen 'self'; payment 'none'")
.and()
.frameOptions().disable()
.and()
.authorizeExchange()
.pathMatchers("/").permitAll()
.pathMatchers("/*.*").permitAll()
.pathMatchers("/api/auth-info").permitAll()
.pathMatchers("/services/tajvoteservice/api/landing-page-by-organizations/**").permitAll()
.pathMatchers("/api/admin/**").hasAuthority(AuthoritiesConstants.ADMIN)
.pathMatchers("/api/**").authenticated()
.pathMatchers("/services/**").authenticated()
.pathMatchers("/management/health").permitAll()
.pathMatchers("/management/health/**").permitAll()
.pathMatchers("/management/info").permitAll()
.pathMatchers("/management/prometheus").permitAll()
.pathMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN);
http.oauth2Login()
.and()
.oauth2ResourceServer()
.jwt()
.jwtAuthenticationConverter(jwtAuthenticationConverter());
http.oauth2Client();
// WebFlux
http.redirectToHttps(redirect -> redirect
.httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto")));
// @formatter:on
return http.build();
}
现在我可以运行 CURL 命令:
curl -X 'GET' \
'http://localhost:8080/services/tajvoteservice/api/landing-page-by-organizations/acfad1dd-2570-4900-a5c2-8f496f88527c'
你瞧,我有带有组织信息的 JSON 数据!
再次感谢 Marziou 先生!