How do I remove preauthorize from my forgot-password API?
I am implementing Spring OAuth2 in my project. All the other URLs are pre-authorized; I did not implement preauthorize for the forgot-password URL, but I still get an error when I try to access it.
I tried to access
http://localhost:8080/samsapi/api/forgotpassword/emailidofuser/
and it gives an error like
{
"error": "unauthorized",
"error_description": "An Authentication object was not found in the SecurityContext"
}
The web.xml used in my project:
<web-app id="WebApp_ID" version="2.4"
         xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
         http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name>Spring Web MVC Application</display-name>
    <servlet>
        <servlet-name>mvc-dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>mvc-dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/mvc-dispatcher-servlet.xml,
            /WEB-INF/spring-security.xml, /WEB-INF/db-configuration.xml</param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <!-- Spring Security -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>
            org.springframework.web.filter.DelegatingFilterProxy
        </filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>
My OAuth2 security configuration:
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

    <http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
          xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
        <anonymous enabled="false"/>
        <http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
        <!-- include this only if you need to authenticate clients via request parameters -->
        <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
        <access-denied-handler ref="oauthAccessDeniedHandler"/>
    </http>

    <!-- The OAuth2 protected resources are separated out into their own block so we can deal with authorization and error handling
         separately. This isn't mandatory, but it makes it easier to control the behaviour. -->
    <http pattern="/api/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
          access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security">
        <anonymous enabled="false"/>
        <intercept-url pattern="/api/**" access="ROLE_USER"/>
        <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
        <access-denied-handler ref="oauthAccessDeniedHandler"/>
    </http>

    <sec:http pattern="/forgotpassword/" security="none"></sec:http>

    <bean id="oauthAuthenticationEntryPoint"
          class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <property name="realmName" value="rest_api"/>
    </bean>

    <!-- remaining bean definitions not shown -->
</beans>
The forgot-password source code I am using:
public boolean forgotPassword(String emailId) {
    User userDetails = commnRepo.getUserByEmailId(emailId);
    if (userDetails == null) {
        return false;
    }
    // Generate a fresh password and store it in the form SamsUtils.encrypt produces.
    String newPassword = SamsUtils.generatePassword();
    userDetails.setPassword(SamsUtils.encrypt(newPassword));
    // Persist first, so the user is only told about a password that is actually in effect.
    if (!commnRepo.updateNewPassword(userDetails)) {
        return false;
    }
    // The new password is sent to the user in clear text in the e-mail body.
    emailSender.crunchifyReadyToSendEmail(emailId, "noreply@clisams.in", "Reset Password",
            "Hi " + userDetails.getFirstName() + ", Your new password is " + newPassword);
    return true;
}
The source code for updating the password in the database:
public boolean updateNewPassword(User user) {
    Session session = sessionH.openSession();
    Transaction tran = null;
    try {
        tran = session.beginTransaction();
        session.update(user);
        tran.commit();
        return true;
    } catch (Exception e) {
        // Roll back so a failed update leaves no half-applied state behind.
        if (tran != null) {
            tran.rollback();
        }
        e.printStackTrace();
        return false;
    } finally {
        // Close the session on both the success and the failure path.
        session.close();
    }
}
1 answer
You probably just missed two asterisks (**) here:
<sec:http pattern="/forgotpassword/**" security="none"></sec:http>
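The following is an added example of the relevant part of the security configuration; it is not code from the original post or the answer. It shows the pattern fix together with a second detail that decides whether the exclusion ever takes effect: every `<http>` element builds its own filter chain, and Spring Security's FilterChainProxy hands a request to the first chain whose pattern matches, so the unsecured chain has to be declared before the `/api/**` chain or that chain claims the request first. The pattern assumes that `samsapi` is the web application's context root, so the path Spring Security matches against is `/api/forgotpassword/...`, the path in the question's URL, not `/forgotpassword/`. The bean ids are the poster's and are assumed to be defined elsewhere in the same file, as in the original.

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
                           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Added example, not from the original post.
         Declared FIRST: chains are tried in declaration order and the first match wins.
         Assumes the context root is /samsapi, so the request path matched here is
         /api/forgotpassword/<email>/. security="none" bypasses the whole Spring
         Security filter chain for these requests. A permitAll rule inside the /api/**
         chain would not work instead: that chain has <anonymous enabled="false"/>, so
         an unauthenticated request there never carries an Authentication object, which
         is exactly the error reported in the question. -->
    <sec:http pattern="/api/forgotpassword/**" security="none"/>

    <!-- Token endpoint, as in the poster's configuration. -->
    <sec:http pattern="/oauth/token" create-session="stateless"
              authentication-manager-ref="clientAuthenticationManager">
        <sec:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
        <sec:anonymous enabled="false"/>
        <sec:http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
        <sec:custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
        <sec:access-denied-handler ref="oauthAccessDeniedHandler"/>
    </sec:http>

    <!-- Everything else under /api/** still requires a valid OAuth2 token. -->
    <sec:http pattern="/api/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
              access-decision-manager-ref="accessDecisionManager">
        <sec:anonymous enabled="false"/>
        <sec:intercept-url pattern="/api/**" access="ROLE_USER"/>
        <sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
        <sec:access-denied-handler ref="oauthAccessDeniedHandler"/>
    </sec:http>

    <!-- The referenced beans (clientAuthenticationManager, clientAuthenticationEntryPoint,
         clientCredentialsTokenEndpointFilter, oauthAccessDeniedHandler,
         oauthAuthenticationEntryPoint, accessDecisionManager, resourceServerFilter)
         are the poster's and are assumed to be defined here as in the original. -->
</beans>
```

Keep the unsecured pattern as narrow as the one path that needs it. With `security="none"` nothing in Spring Security runs for matching requests, and the `forgotPassword` method in the question replaces the stored password and mails a new one for whatever e-mail address it is given, so anyone who knows a user's address can change that user's password at will; rate-limiting the endpoint is the minimum a practitioner would add alongside this configuration.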