[英]Exclude requests to URL from being run through Spring Security filters
I have a Spring boot application, and a custom authentication filter.我有一个 Spring Boot 应用程序和一个自定义身份验证过滤器。 The application has a URL "/" where I'd like to avoid having any Spring Security filters being run (both authentication and authorization), including my custom filter.
该应用程序有一个 URL“/”,我希望避免在其中运行任何 Spring Security 过滤器(身份验证和授权),包括我的自定义过滤器。
I do not want to configure WebSecurity
to ignore this URL, as there are some other Spring Security features that I would like to apply, and my understanding is that using:我不想将
WebSecurity
配置为忽略此 URL,因为我想应用其他一些 Spring Security 功能,我的理解是使用:
webSecurityBuilder.ignoring().antMatchers("/");
Would keep all Spring Security features from running on this URL.将阻止所有Spring Security 功能在此 URL 上运行。
Is there a way to use HttpSecurity for this?有没有办法为此使用 HttpSecurity?
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthenticationFilter customAuthFilter;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/").
anonymous().and().authorizeRequests()
.antMatchers("/", "/index.html").permitAll()
.anyRequest().authenticated();
http.addFilterBefore(customAuthFilter, UsernamePasswordAuthenticationFilter.class);
}
This is what I have so far, but for some reason when I navigate to "/" I still hit my custom filter.到目前为止,这就是我所拥有的,但出于某种原因,当我导航到“/”时,我仍然点击了我的自定义过滤器。
The below is solution.下面是解决方法。 The abstract is that you should define two WebSecurityConfigurerAdapter with different order.
摘要是您应该定义两个具有不同顺序的 WebSecurityConfigurerAdapter。 Pls take a try.
请试一试。 solution
解决方案
The below code is copied from there.下面的代码是从那里复制的。
@Configuration
@Order(1)
public class OnlyHeadersConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.antMatchers("/special/endpoints/**")
.authorizeRequests((authz) -> authz.anyRequest().permitAll())
.anonymous();
}
}
@Configuration
@Order(2)
public class MainSecurityConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) {
http
.authorizeRequests(authz -> authz.anyRequest().authenticated())
.addFilterAt(new MyCustomFilter(), UsernamePasswordAuthenticationFilter.class);
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.