Spring Security 在自定义过滤器上排除 URL [英] Spring Security exclude URL on custom filter
问题描述
@SuppressWarnings("SpringJavaAutowiringInspection")@配置@启用网络安全公共类 WebSecurityConfig 扩展了 WebSecurityConfigurerAdapter {@自动连线私有 JwtAuthenticationEntryPoint 未授权处理程序;@自动连线私有 UserDetailsService userDetailsService;@自动连线public void configureAuthentication(AuthenticationManagerBuilderauthenticationManagerBuilder) 抛出异常 {authenticationManagerBuilder.userDetailsService(userDetailsService);}@豆角,扁豆公共 JwtAuthenticationTokenFilter authenticationTokenFilterBean() 抛出异常 {返回新的 JwtAuthenticationTokenFilter();}@覆盖protected void configure(HttpSecurity httpSecurity) 抛出异常 {http安全.csrf().disable().异常处理().authenticationEntryPoint(unauthorizedHandler).和().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).和().authorizeRequests().antMatchers("/test").permitAll().antMatchers("/api/**").permitAll().anyRequest().authenticated();httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);}}
我有一个在 Spring Security 之前运行的自定义过滤器.我希望能够从过滤器和 Spring Security 中排除一些 URL(如 /test
)和其他要拦截的 URL(如 /api/**
).
当使用 postman 测试 localhost/test
时,它仍然通过过滤器,即使我有 antMatchers("/test").permitAll()
.
如何绕过过滤器?
您可以禁用某些 URL 的 Spring Security 过滤器链,请参阅 WebSecurity#ignoring
:
允许添加 Spring Security 应该忽略的 RequestMatcher
实例.Spring Security 提供的 Web Security(包括 SecurityContext
)在匹配的 HttpServletRequest
上将不可用.通常,注册的请求应该只是静态资源的请求.对于动态请求,请考虑将请求映射为允许所有用户.
示例用法:
webSecurityBuilder.ignoring()//忽略所有以/resources/或/static/开头的 URL.antMatchers("/resources/**", "/static/**");
因此,您可以覆盖 WebSecurityConfigurerAdapter#configure
:><块引用>
覆盖此方法以配置WebSecurity
.例如,如果您希望忽略某些请求.
要忽略路径 /test
,您必须在配置中添加以下方法:
public void configure (WebSecurity web)网络安全生成器.忽略().antMatchers("/test");}
@SuppressWarnings("SpringJavaAutowiringInspection")
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JwtAuthenticationEntryPoint unauthorizedHandler;
@Autowired
private UserDetailsService userDetailsService;
@Autowired
public void configureAuthentication(AuthenticationManagerBuilder
authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder.userDetailsService(userDetailsService);
}
@Bean
public JwtAuthenticationTokenFilter authenticationTokenFilterBean() throws Exception {
return new JwtAuthenticationTokenFilter();
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.csrf().disable()
.exceptionHandling()
.authenticationEntryPoint(unauthorizedHandler)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/test").permitAll()
.antMatchers("/api/**").permitAll()
.anyRequest().authenticated();
httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
}
}
I have a custom filter that runs before Spring Security. I want to be able to exclude some URLs (like /test
) from the filter and Spring Security and others to be intercepted (like /api/**
).
When using postman to test localhost/test
it still goes through the filter even though I have antMatchers("/test").permitAll()
.
How do I bypass the filter?
You can disable the Spring Security filter chain for some URLs, see WebSecurity#ignoring
:
Allows adding
RequestMatcher
instances that should that Spring Security should ignore. Web Security provided by Spring Security (including theSecurityContext
) will not be available onHttpServletRequest
that match. Typically the requests that are registered should be that of only static resources. For requests that are dynamic, consider mapping the request to allow all users instead.Example Usage:
webSecurityBuilder.ignoring() // ignore all URLs that start with /resources/ or /static/ .antMatchers("/resources/**", "/static/**");
Therefore, you can override WebSecurityConfigurerAdapter#configure
:
Override this method to configure
WebSecurity
. For example, if you wish to ignore certain requests.
To ignore path /test
you have to add following method to your configuration:
public void configure(WebSecurity web)
webSecurityBuilder
.ignoring()
.antMatchers("/test");
}
这篇关于Spring Security 在自定义过滤器上排除 URL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!