Java: how to configure Spring Security to avoid 'anonymousUser'
Tags: java, spring, spring-boot, spring-security

I have a Spring Boot application with the following Spring Security configuration:
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class AppSecurityConfiguration {

        @Configuration
        // Constants is the application's own class (not shown in the question)
        @Order(Constants.DEVSTACK_SECURITY_ORDER - 1)
        static class WebHttpSecurityConfig extends WebSecurityConfigurerAdapter {

            /**
             * Configures Application WebSecurity which involves the full Security pipeline (?)
             *
             * @param web WebSecurity
             */
            @Override
            public void configure(WebSecurity web) {
                web.ignoring()
                    // Allow requests to HealthCheck Endpoint without Bearer Token
                    .antMatchers("/api/healthCheck", "/v3/api-docs/**", "/configuration/**", "/swagger-ui.html",
                                 "/swagger-ui/**", "/webjars/**", "/api/v1/browser/**", "/swagger-resources/**")
                    // Allow OPTIONS request without Bearer Token (for pre-flight requests)
                    .antMatchers(HttpMethod.OPTIONS, "/**");
            }

            /**
             * Configures HttpSecurity
             *
             * @param http HttpSecurity
             * @throws Exception if an error occurs
             */
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    // Authorize INSECURE request to this endpoint (so Swagger can pull the data)
                    .antMatcher("/v2/api-docs")
                    .authorizeRequests()
                    .anyRequest()
                    .permitAll();
            }
        }
    }
In this configuration class I exclude certain endpoints from Spring Security altogether; most of them serve the Swagger documentation, so you can ignore that part.

My question is about the configure(HttpSecurity) method. I don't know why, but the way I wrote it works. When I try to understand what I just configured, I read it as:

- for every request to "/v2/api-docs", authorize the request
- for any other request, permit all
    import java.io.IOException;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.web.filter.GenericFilterBean;

    public class MyFilter extends GenericFilterBean {
        private static final Logger log = LoggerFactory.getLogger(MyFilter.class); // logger not shown in the question; SLF4J assumed

        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                             FilterChain filterChain) throws IOException, ServletException {
            log.debug("MyFilter");
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }
Whenever I try to add the filter to my HttpSecurity, Spring Security sets my principal to "anonymousUser":

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(new MyFilter(), WebAsyncManagerIntegrationFilter.class);
    }
I have tried many different variations, such as:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilterBefore(new MyFilter(), WebAsyncManagerIntegrationFilter.class)
            .authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .httpBasic()
            .disable()
            .formLogin()
            .disable();
    }
But when I try to get the user's principal, it still returns 'anonymousUser'.

I don't understand why it has to be configured like this:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Authorize INSECURE request to this endpoint (so Swagger can pull the data)
            .antMatcher("/v2/api-docs")
            .authorizeRequests()
            .anyRequest()
            .permitAll();
    }
Can someone enlighten me and explain it like I'm five? Sometimes I just feel too dumb to understand Spring.

Thanks.

It should be:
    http
        .authorizeRequests()
        .antMatchers("/v2/api-docs")
        .permitAll()
        .and()
        .authorizeRequests().antMatchers("/**").authenticated();
Hey, thanks for the answer. Could you explain why this works? I know the order of antMatchers matters, so if the first one catches every request the rest won't take effect. But apart from that, I don't understand the difference between permitAll() and authenticated().

You're right, order matters. authenticated() protects all paths, while permitAll() allows them, unless antMatchers(..) is specified (which works in both cases).

And if I want to add MyFilter to the HttpSecurity, there shouldn't be any problem, right?

Yes, there shouldn't be any problem.

Hey Aman, thanks again, but I tried what you suggested and it doesn't work. I'll edit my question with more information.
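As an added example (not code from the question or the answer), the configuration below combines the two points raised in the comments: the most specific authorizeRequests() rule goes first, and the custom filter is placed after the authentication filters so that SecurityContextHolder is already populated when it inspects the principal. It assumes HTTP Basic as a stand-in for whatever authenticates callers in the real application, and ExampleSecurityConfig and PrincipalLoggingFilter are hypothetical names.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.web.filter.OncePerRequestFilter;

@EnableWebSecurity
public class ExampleSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No chain-level antMatcher(): that would scope this whole chain to one path and other requests would skip it.
            .authorizeRequests()
                .antMatchers("/v2/api-docs").permitAll()   // most specific rule first; rules are evaluated in order
                .anyRequest().authenticated()              // reached only when the rule above did not match
            .and()
            .httpBasic()                                   // assumed stand-in for the real authentication mechanism
            .and()
            // Placed after the authentication filters, so SecurityContextHolder is already populated.
            .addFilterBefore(new PrincipalLoggingFilter(), FilterSecurityInterceptor.class);
    }

    // Hypothetical filter: tells a real principal apart from Spring's anonymous one.
    static class PrincipalLoggingFilter extends OncePerRequestFilter {
        private static final Logger log = LoggerFactory.getLogger(PrincipalLoggingFilter.class);
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                        FilterChain chain) throws ServletException, IOException {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            // null = no security filter has run yet (filter sits too early); AnonymousAuthenticationToken = chain ran, nobody authenticated
            if (auth == null || auth instanceof AnonymousAuthenticationToken) {
                log.debug("{} {}: no authenticated principal", req.getMethod(), req.getRequestURI());
            } else {
                log.debug("{} {}: principal={}", req.getMethod(), req.getRequestURI(), auth.getName());
            }
            chain.doFilter(req, res);
        }
    }
}
```

With MyFilter registered before WebAsyncManagerIntegrationFilter as in the question, the same lookup returns null, because that is the first filter in the chain and no SecurityContext has been loaded yet.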