Configuring antMatchers(HttpMethod.GET,"/**").permitAll() has no effect; requests are still checked

anenyang 2019-12-31 10:54

1. The permit rule has no effect

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors()
            // CSRF attacks target session (cookie) based authentication;
            // with a JWT sent in a request header this protection is not needed
            .and().csrf().disable()
            // Token-based, so no session is needed
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().authorizeHttpRequests()
                .antMatchers(HttpMethod.GET, "/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .addFilter(new JWTLoginFilter(authenticationManager()))
            .addFilter(new JWTAuthenticationFilter(authenticationManager()));
    }

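Although Spring Boot recommends configuring permit rules on HttpSecurity, in practice the exemption only takes effect when it is configured on WebSecurity. permitAll() only affects the authorization decision, so the request still passes through every filter in the chain, including the custom JWT filters, whereas web.ignoring() removes the matched paths from the Spring Security filter chain entirely: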

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/user/signup");
    }
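A common reason permitAll() appears to be ignored is a token filter that rejects any request without a token before the authorization rules are evaluated. The following is an added example, not code from the original post (the post does not show its JWTAuthenticationFilter): the class name `TokenPassThroughFilter`, the `TokenVerifier` interface and the `Bearer` header format are assumptions, and it targets Spring Security 5.x with `javax.servlet`, matching the `WebSecurityConfigurerAdapter` style used above.

```java
import java.io.IOException;
import java.util.Collections;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter for illustration; not the JWTAuthenticationFilter from the post.
public class TokenPassThroughFilter extends OncePerRequestFilter {

    /** Hypothetical verifier: returns the username for a valid token, or null. */
    public interface TokenVerifier {
        String usernameFor(String token);
    }

    private final TokenVerifier verifier;

    public TokenPassThroughFilter(TokenVerifier verifier) {
        this.verifier = verifier;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            String username = verifier.usernameFor(header.substring(7));
            if (username != null) {
                // Valid token: mark the request as authenticated (no authorities in this sketch).
                SecurityContextHolder.getContext().setAuthentication(
                        new UsernamePasswordAuthenticationToken(username, null, Collections.emptyList()));
            }
        }
        // Missing or invalid token: do not reject here. The request continues unauthenticated,
        // so permitAll() paths succeed and authenticated() paths are denied by the access rules.
        chain.doFilter(request, response);
    }
}
```

Register it with `http.addFilterBefore(new TokenPassThroughFilter(verifier), UsernamePasswordAuthenticationFilter.class)`. Unlike `web.ignoring()`, permitted paths then still pass through the rest of the filter chain, including the security response headers.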

 

2. Permitting static resources

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/index")
            .antMatchers(
                "/css/**",
                "/js/**",
                "/index.html",
                "/img/**",
                "/fonts/**",
                "/favicon.ico");
    }

You may also need to add:

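    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;

    @Configuration
    public class WebMvcConfig extends WebMvcConfigurationSupport {

        // Serve /static/** requests from classpath:/static/
        @Override
        public void addResourceHandlers(ResourceHandlerRegistry registry) {
            registry.addResourceHandler("/static/**").addResourceLocations("classpath:/static/");
        }
    }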

 


