[英]How to add a filter only for one special path WebSecurityConfigurerAdapter
We have a configuration which looks like this: 我们有一个如下所示的配置:
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
public static final String LOGIN_PATH_EXPRESSION = "/login";
public static final String API_PATH_EXPRESSION = "/api/**/*";
public static final String GLOBAL_PATH_EXPRESSION = "/**/*";
@Autowired
@Qualifier("ssoFilter")
private Filter ssoFilter;
@Autowired
private VerifyingProcessingFilter verifyingProcessingFilter;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.userDetailsService(username -> new User(username, "", Collections.emptyList()))
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers(LOGIN_PATH_EXPRESSION)
.authenticated()
.and()
.httpBasic()
.and()
.authenticationProvider(new SimpleAuthenticationProvider())
.authorizeRequests()
.antMatchers(API_PATH_EXPRESSION).authenticated()
.and()
.addFilterBefore(ssoFilter, BasicAuthenticationFilter.class)
.addFilterAfter(verifyingProcessingFilter, FilteredOAuth2AuthenticationProcessingFilter.class)
.authorizeRequests()
.antMatchers(GLOBAL_PATH_EXPRESSION)
.permitAll()
.and()
.csrf()
.disable();
}
And recognized that we end inside of the FilteredOAuth2AuthenticationProcessingFilter
within a /login
call and asked ourself why this is happening. 并且认识到我们在
/login
调用中结束了FilteredOAuth2AuthenticationProcessingFilter
并且问自己为什么会发生这种情况。
The goal is to have the ssoFilter
and the verifyingProcessingFilter
only applied when hitting an endpoint with the path api/**/*
. 目标是仅在使用路径
api/**/*
命中端点时应用ssoFilter
和verifyingProcessingFilter
。
Right now we have to add a AntMatching check inside of the filter so it is only applied to the right request but i assume it should be possible to add it only to the matching requests. 现在我们必须在过滤器内添加一个AntMatching检查,因此它只适用于正确的请求,但我认为应该可以将它只添加到匹配的请求中。
Could someone provide an example on how to add a Filter to one specific Ant Matching path request? 有人可以举例说明如何将Filter添加到一个特定的Ant匹配路径请求中吗?
Looks like you can't do that with a single Configuration class. 看起来你不能用一个Configuration类做到这一点。 Take a look at this question: How to apply spring security filter only on secured endpoints?
看一下这个问题: 如何仅在安全端点上应用Spring安全过滤器? .
。
In this case, I think the better solution is to configure multiple HttpSecurity. 在这种情况下,我认为更好的解决方案是配置多个HttpSecurity。 From Spring IO documentation :
从Spring IO文档 :
We can configure multiple HttpSecurity instances just as we can have multiple blocks.
我们可以配置多个HttpSecurity实例,就像我们可以有多个块一样。 The key is to extend the WebSecurityConfigurationAdapter multiple times.
关键是多次扩展WebSecurityConfigurationAdapter。 For example, the following is an example of having a different configuration for URL's that start with /api/.
例如,以下是具有以/ api /开头的URL的不同配置的示例。
The documentation has a full example with the necessary steps to accomplish this: 该文档有一个完整的示例,其中包含完成此操作所需的步骤:
- Configure Authentication as normal
正常配置身份验证
- Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.
创建包含@Order的WebSecurityConfigurerAdapter实例,以指定应首先考虑哪个WebSecurityConfigurerAdapter。
- The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/
http.antMatcher声明此HttpSecurity仅适用于以/ api /开头的URL
- Create another instance of WebSecurityConfigurerAdapter.
创建WebSecurityConfigurerAdapter的另一个实例。 If the URL does not start with /api/ this configuration will be used.
如果URL不以/ api /开头,则将使用此配置。 This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).
此配置在ApiWebSecurityConfigurationAdapter之后考虑,因为它在1之后具有@Order值(没有@Order默认为last)。
Good luck! 祝好运!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.