如何仅为一个特殊路径WebSecurityConfigurerAdapter添加过滤器 [英] How to add a filter only for one special path WebSecurityConfigurerAdapter
问题描述
我们的配置如下所示:
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
public static final String LOGIN_PATH_EXPRESSION = "/login";
public static final String API_PATH_EXPRESSION = "/api/**/*";
public static final String GLOBAL_PATH_EXPRESSION = "/**/*";
@Autowired
@Qualifier("ssoFilter")
private Filter ssoFilter;
@Autowired
private VerifyingProcessingFilter verifyingProcessingFilter;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.userDetailsService(username -> new User(username, "", Collections.emptyList()))
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers(LOGIN_PATH_EXPRESSION)
.authenticated()
.and()
.httpBasic()
.and()
.authenticationProvider(new SimpleAuthenticationProvider())
.authorizeRequests()
.antMatchers(API_PATH_EXPRESSION).authenticated()
.and()
.addFilterBefore(ssoFilter, BasicAuthenticationFilter.class)
.addFilterAfter(verifyingProcessingFilter, FilteredOAuth2AuthenticationProcessingFilter.class)
.authorizeRequests()
.antMatchers(GLOBAL_PATH_EXPRESSION)
.permitAll()
.and()
.csrf()
.disable();
}
并认识到我们在 FilteredOAuth2AuthenticationProcessingFilter 在 / login 调用内并询问自己为何会发生这种情况。
And recognized that we end inside of the FilteredOAuth2AuthenticationProcessingFilter within a /logincall and asked ourself why this is happening.
目标是让 ssoFilter 和 verifyingProcessingFilter 仅在使用路径 api / ** / * 命中端点时应用。
The goal is to have the ssoFilter and the verifyingProcessingFilter only applied when hitting an endpoint with the path api/**/*.
现在我们必须在过滤器内添加一个AntMatching检查,这样它才会应用于正确的请求,但我认为它应该可以只添加到匹配请求。
Right now we have to add a AntMatching check inside of the filter so it is only applied to the right request but i assume it should be possible to add it only to the matching requests.
有人可以举例说明如何将Filter添加到一个特定的Ant匹配路径请求吗?
Could someone provide an example on how to add a Filter to one specific Ant Matching path request?
推荐答案
看起来你不能用一个Configuration类做到这一点。看看这个问题:如何应用弹簧安全仅在安全端点上过滤?。
Looks like you can't do that with a single Configuration class. Take a look at this question: How to apply spring security filter only on secured endpoints?.
在这种情况下,我认为更好的解决方案是配置多个HttpSecurity。来自 Spring IO文档:
In this case, I think the better solution is to configure multiple HttpSecurity. From Spring IO documentation:
我们可以配置多个HttpSecurity实例,就像我们可以拥有
多个块一样。关键是多次扩展
WebSecurityConfigurationAdapter。例如,以下
是一个示例,其中包含以$ ap $ /开头的URL
的不同配置。
We can configure multiple HttpSecurity instances just as we can have multiple blocks. The key is to extend the WebSecurityConfigurationAdapter multiple times. For example, the following is an example of having a different configuration for URL’s that start with /api/.
该文档有一个完整的示例,其中包含完成此操作所需的步骤:
The documentation has a full example with the necessary steps to accomplish this:
- 将身份验证配置为正常
- 创建一个包含
@Order的WebSecurityConfigurerAdapter实例,以指定首先考虑哪个WebSecurityConfigurerAdapter
。 - http .antMatcher声明此HttpSecurity
仅适用于以/ api / 开头的URL - 创建另一个WebSecurityConfigurerAdapter实例。如果URL不以/ api /开头,则将使用此配置。这个
配置是在ApiWebSecurityConfigurationAdapter
之后考虑的,因为它在1之后有一个@Order值(没有@Order默认为最后一个)。
- Configure Authentication as normal
- Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.
- The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/
- Create another instance of WebSecurityConfigurerAdapter. If the URL does not start with /api/ this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).
祝你好运!
这篇关于如何仅为一个特殊路径WebSecurityConfigurerAdapter添加过滤器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
