spring-security - Spring Security 在自定义过滤器上排除 URL

标签 spring-security 

@SuppressWarnings("SpringJavaAutowiringInspection")
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

   @Autowired
   private JwtAuthenticationEntryPoint unauthorizedHandler;

   @Autowired
   private UserDetailsService userDetailsService;

   @Autowired
   public void configureAuthentication(AuthenticationManagerBuilder
      authenticationManagerBuilder) throws Exception {
      authenticationManagerBuilder.userDetailsService(userDetailsService);
   }

   @Bean
   public JwtAuthenticationTokenFilter authenticationTokenFilterBean() throws Exception {
      return new JwtAuthenticationTokenFilter();
   }

   @Override
   protected void configure(HttpSecurity httpSecurity) throws Exception {
      httpSecurity
         .csrf().disable()
         .exceptionHandling()
             .authenticationEntryPoint(unauthorizedHandler)
             .and()
         .sessionManagement()
             .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
             .and()
         .authorizeRequests()
             .antMatchers("/test").permitAll()
             .antMatchers("/api/**").permitAll()
             .anyRequest().authenticated();

      httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
   }
}

我有一个在 Spring Security 之前运行的自定义过滤器。我希望能够从过滤器和 Spring Security 中排除一些 URL(如 /test )和其他要拦截的 URL(如 /api/** )。

使用postman测试时localhost/test即使我有 antMatchers("/test").permitAll() 它仍然通过过滤器.

如何绕过过滤器?

最佳答案

您可以禁用某些 URL 的 Spring Security 过滤器链,请参阅 WebSecurity#ignoring :

Allows adding RequestMatcher instances that should that Spring Security should ignore. Web Security provided by Spring Security (including the SecurityContext) will not be available on HttpServletRequest that match. Typically the requests that are registered should be that of only static resources. For requests that are dynamic, consider mapping the request to allow all users instead.

Example Usage:

webSecurityBuilder.ignoring()
// ignore all URLs that start with /resources/ or /static/
               .antMatchers("/resources/**", "/static/**");

因此,您可以覆盖 WebSecurityConfigurerAdapter#configure :

Override this method to configure WebSecurity. For example, if you wish to ignore certain requests.


忽略路径 /test您必须在配置中添加以下方法:
public void configure​(WebSecurity web)
    webSecurityBuilder
        .ignoring()
            .antMatchers("/test");
}

关于spring-security - Spring Security 在自定义过滤器上排除 URL,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/40475620/

上一篇:apache - 使用httpd.conf的www重定向到非www的301语法

下一篇:ruby-on-rails - 计算 Rails 中的查询数量

相关文章:

java - spring security ldap隐藏密码属性

java - Spring Boot OAuth 字符转义

java - 无效的记住我 token (系列/ token )不匹配。暗示之前的 cookie 盗窃攻击

spring - 如何使用Spring Security Core和Grails处理登录

java - Spring 安全 : Different authentication methods depending on entity

java - Spring REST security - 以不同方式保护不同的 URL

spring-security - Spring Security 中 Microsoft Graph OAuth2 身份验证的配置 - 错误 AADSTS90014

grails - 无法使用CAS和Spring Security登录到应用程序

java - 是否有可能根据 URL 同时为同一个 Web 应用程序使用一种方式和相互 SSL

java - IBM WebSphere 8.5.5.8(Liberty) + Spring Security 3.1.3.RELEASE

©2024 IT工具网  联系我们