Springboot filter executed in case of permitAll urls as well
I am new to springboot and trying to implement security where no filters are applied to my login, signup and home urls.
I am using springboot 2.7.1.
I am expecting antMatchers("/**/signup").permitAll() to remain free of any security filter.
Upon debugging, I found that my signup url was being hit and user details were saved, but my AuthorizationFilter was also being executed.
This is my SecurityFilterChain:
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        AuthenticationManagerBuilder authenticationManagerBuilder =
                http.getSharedObject(AuthenticationManagerBuilder.class);
        authenticationManagerBuilder.userDetailsService(userLoginService)
                .passwordEncoder(bCryptPasswordEncoder);
        AuthenticationManager authenticationManager = authenticationManagerBuilder.build();
        http.csrf().disable().authorizeHttpRequests()
                .antMatchers("/**/login").permitAll()
                .antMatchers("/**/signup").permitAll()
                .antMatchers("/home/**").permitAll()
                .anyRequest().authenticated().and()
                .addFilter(getAuthenticationFilter(authenticationManager))
                .addFilter(new AuthorizationFilter(authenticationManager))
                .authenticationManager(authenticationManager)
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        return http.build();
    }
I don't understand why it is happening this way.
When you use permitAll() you are not disabling the filters, you are just specifying that you do not want to apply any authentication/authorization checks for that RequestMatcher. All the filters will still work.
The AuthorizationFilter will be invoked but since you configure permitAll() for that endpoint, it will always grant access.
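One way to act on this answer, as an added example that is not part of the original question or answer: because a custom filter runs on every request, it can skip its own logic for the public URLs and leave the access decision to the authorization rules. TokenAuthFilter and tokenResolver are hypothetical names, and the bearer-token header format is an assumption.

```java
import java.io.IOException;
import java.util.function.Function;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical custom token filter (Spring Boot 2.7.x, javax.servlet).
public class TokenAuthFilter extends OncePerRequestFilter {
    // Same patterns the question marks permitAll(); keep the two lists in sync.
    private static final RequestMatcher PUBLIC = new OrRequestMatcher(
            new AntPathRequestMatcher("/**/login"),
            new AntPathRequestMatcher("/**/signup"),
            new AntPathRequestMatcher("/home/**"));

    // Assumed: maps a bearer token to an Authentication, or null if the token is invalid.
    private final Function<String, Authentication> tokenResolver;

    public TokenAuthFilter(Function<String, Authentication> tokenResolver) {
        this.tokenResolver = tokenResolver;
    }

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // The filter stays in the chain, but its body is skipped for public URLs.
        return PUBLIC.matches(request);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            Authentication auth = tokenResolver.apply(header.substring(7));
            if (auth != null) {
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
        }
        // Never reject here: with no Authentication set, anyRequest().authenticated()
        // denies protected URLs later in the chain, and permitAll() URLs still pass.
        chain.doFilter(request, response);
    }
}
```

Register it with http.addFilterBefore(new TokenAuthFilter(resolver), UsernamePasswordAuthenticationFilter.class); plain addFilter only accepts filter types whose position Spring Security already knows.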
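Notice: The technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.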