Spring Security 在自定义过滤器上排除 URL [英] Spring Security exclude URL on custom filter

问题描述

@SuppressWarnings("SpringJavaAutowiringInspection")@配置@启用网络安全公共类 WebSecurityConfig 扩展了 WebSecurityConfigurerAdapter {@自动连线私有 JwtAuthenticationEntryPoint 未授权处理程序；@自动连线私有 UserDetailsS​​ervice userDetailsS​​ervice;@自动连线public void configureAuthentication(AuthenticationManagerBuilderauthenticationManagerBuilder) 抛出异常 {authenticationManagerBuilder.userDetailsS​​ervice(userDetailsS​​ervice);}@豆角，扁豆公共 JwtAuthenticationTokenFilter authenticationTokenFilterBean() 抛出异常 {返回新的 JwtAuthenticationTokenFilter();}@覆盖protected void configure(HttpSecurity httpSecurity) 抛出异常 {http安全.csrf().disable().异常处理().authenticationEntryPoint(unauthorizedHandler).和().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).和().authorizeRequests().antMatchers("/test").permitAll().antMatchers("/api/**").permitAll().anyRequest().authenticated();httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);}}

我有一个在 Spring Security 之前运行的自定义过滤器.我希望能够从过滤器和 Spring Security 中排除一些 URL(如 /test)和其他要拦截的 URL(如 /api/**).

当使用 postman 测试 localhost/test 时，它仍然通过过滤器，即使我有 antMatchers("/test").permitAll().

如何绕过过滤器?

解决方案

您可以禁用某些 URL 的 Spring Security 过滤器链，请参阅 WebSecurity#ignoring:

<块引用>

允许添加 Spring Security 应该忽略的 RequestMatcher 实例.Spring Security 提供的 Web Security(包括 SecurityContext)在匹配的 HttpServletRequest 上将不可用.通常，注册的请求应该只是静态资源的请求.对于动态请求，请考虑将请求映射为允许所有用户.

示例用法:

webSecurityBuilder.ignoring()//忽略所有以/resources/或/static/开头的 URL.antMatchers("/resources/**", "/static/**");

因此，您可以覆盖 WebSecurityConfigurerAdapter#configure:><块引用>

覆盖此方法以配置WebSecurity.例如，如果您希望忽略某些请求.

要忽略路径 /test，您必须在配置中添加以下方法:

public void configure (WebSecurity web)网络安全生成器.忽略().antMatchers("/test");}

@SuppressWarnings("SpringJavaAutowiringInspection")
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

   @Autowired
   private JwtAuthenticationEntryPoint unauthorizedHandler;

   @Autowired
   private UserDetailsService userDetailsService;

   @Autowired
   public void configureAuthentication(AuthenticationManagerBuilder
      authenticationManagerBuilder) throws Exception {
      authenticationManagerBuilder.userDetailsService(userDetailsService);
   }

   @Bean
   public JwtAuthenticationTokenFilter authenticationTokenFilterBean() throws Exception {
      return new JwtAuthenticationTokenFilter();
   }

   @Override
   protected void configure(HttpSecurity httpSecurity) throws Exception {
      httpSecurity
         .csrf().disable()
         .exceptionHandling()
             .authenticationEntryPoint(unauthorizedHandler)
             .and()
         .sessionManagement()
             .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
             .and()
         .authorizeRequests()
             .antMatchers("/test").permitAll()
             .antMatchers("/api/**").permitAll()
             .anyRequest().authenticated();

      httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
   }
}

I have a custom filter that runs before Spring Security. I want to be able to exclude some URLs (like /test) from the filter and Spring Security and others to be intercepted (like /api/**).

When using postman to test localhost/test it still goes through the filter even though I have antMatchers("/test").permitAll().

How do I bypass the filter?

解决方案

You can disable the Spring Security filter chain for some URLs, see WebSecurity#ignoring:

Allows adding RequestMatcher instances that should that Spring Security should ignore. Web Security provided by Spring Security (including the SecurityContext) will not be available on HttpServletRequest that match. Typically the requests that are registered should be that of only static resources. For requests that are dynamic, consider mapping the request to allow all users instead.

Example Usage:

webSecurityBuilder.ignoring()
// ignore all URLs that start with /resources/ or /static/
               .antMatchers("/resources/**", "/static/**");

Therefore, you can override WebSecurityConfigurerAdapter#configure:

Override this method to configure WebSecurity. For example, if you wish to ignore certain requests.

To ignore path /test you have to add following method to your configuration:

public void configure​(WebSecurity web)
    webSecurityBuilder
        .ignoring()
            .antMatchers("/test");
}

这篇关于Spring Security 在自定义过滤器上排除 URL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！