根据调用的方法，在 Spring REST API 中应用身份验证过滤器

Question

We have a REST API built on Spring boot, with some public methods and some private methods.

We implemented an AbstractAuthenticationProcessingFilter to handle a JWT authentication, and everything works fine.

However, we would like to apply this filter only on the private methods, as the public ones do not need any authentication done. Problem is the urls can't be used to separate public and private methods (ie /account/get/{id} is public, but /account/personal/{id} is private, with no common pattern between all private or all public urls).

It seems the HttpSecurity only allows us to use the urls to apply filters, when we would prefer to apply the authentication filter only when a method with @PreAuthorize is called.

The only way we imagine for doing it is to use reflections and, during the web security configuration, discover at runtime all methods with @PreAuthorize , find back their urls, and use those to build a RequestMatcher listing all their precise endpoints.

Is there a simpler solution?

Answer 1

Your question is not clear to me, I guess you want to access private APIs with JWT and Public APIs without JWT. if so, just mention the API path in Websurity to ignore JWT authentication.

Below code for manually update the API which does not sequence.

@Override
    public void configure(WebSecurity web) {
        web.ignoring()
            .antMatchers(HttpMethod.GET, "/api/url1", "/api/url2")
            .antMatchers(HttpMethod.POST, "/api/url3");
    }

Other than APIs which are mentioned in WebSecurity ignoring, will be an authorized access

Below code for the APIs which starts with /api/public

@Override
    public void configure(WebSecurity web) {
        web.ignoring()
            .antMatchers("/api/public/**");
    }