时间戳

首页 > 解决方案 > SpringSecurity:仅针对特定 URL 注册过滤器

java - SpringSecurity:仅针对特定 URL 注册过滤器

问题描述

我正在为我的应用程序使用 WebSecurityConfigurerAdapter,它使用 jwt 进行身份验证并且一切正常(第一个代码片段);我现在要做的是为特定的 URL 模式添加另一个过滤器,但现在无论如何都会调用这个过滤器(第二个代码片段)。有人请解释我做错了什么?

这是我的代码:

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors()
            .and().csrf().disable().httpBasic().disable()
                .authorizeRequests()
                .antMatchers("/auth").permitAll()
                .antMatchers("/v2/api-docs",
                        "/swagger-resources/**",
                        "/configuration/**",
                        "/swagger-ui.html",
                        "/webjars/**").permitAll()
                .antMatchers(
                        "/",
                        "/refreshconfig",
                        "/launchGameForFun/**",
                        "/*.html",
                        "/*.gif",
                        "/favicon.ico",
                        "/**/*.html",
                        "/**/*.gif",
                        "/**/*.css",
                        "/**/*.js").permitAll()
                .anyRequest().authenticated()
            .and()      
                .exceptionHandling().authenticationEntryPoint(new CustomAuthenticationEntryPoint())
            .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
                .addFilterBefore(new Slf4jMDCFilter(), JwtAuthorizationFilter.class)
                .addFilter(new JwtAuthorizationFilter(authenticationManager()));
    }

在上面添加此代码无法按预期工作:

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors()
            .and().csrf().disable().httpBasic().disable()
                .authorizeRequests()
                .antMatchers("/auth").permitAll()
                .antMatchers("/v2/api-docs",
                        "/swagger-resources/**",
                        "/configuration/**",
                        "/swagger-ui.html",
                        "/webjars/**").permitAll()
                .antMatchers(
                        "/",
                        "/refreshconfig",
                        "/launchGameForFun/**",
                        "/*.html",
                        "/*.gif",
                        "/favicon.ico",
                        "/**/*.html",
                        "/**/*.gif",
                        "/**/*.css",
                        "/**/*.js").permitAll()
                .anyRequest().authenticated()
            .and()      
                .exceptionHandling().authenticationEntryPoint(new CustomAuthenticationEntryPoint())
            .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
                .addFilterBefore(new Slf4jMDCFilter(), JwtAuthorizationFilter.class)
                .addFilter(new JwtAuthorizationFilter(authenticationManager()))
            .antMatcher("/*/*wager")
                .addFilterAfter(new MultiReadServletFilter(), JwtAuthorizationFilter.class)
                .addFilterAfter(new XauthFilter(), MultiReadServletFilter.class);
    }

更清楚地说:我希望为每个 URL(/*/*wager包括)调用 Slf4jMDCFilter 和 JwtAuthorizationFilter,并且只为 调用 MultiReadServletFilter 和 XauthFilter /*/*wager。显然 permitAll URL 在这两种情况下都被排除在外。

标签: javaspringspring-bootfilterspring-security

解决方案

推荐阅读