Java Spring filter unable to bypass certain requests
The above filter fails to allow /session requests to bypass the "JwtTokenAuthenticationFilter".

Tags: java, spring-boot, spring-mvc, spring-security, jwt
Does anyone know what is wrong with this?

You can implement it another way, by overriding the configure(WebSecurity) method, as shown below:
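    import org.springframework.http.HttpMethod;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

    import javax.servlet.http.HttpServletResponse;

    @EnableWebSecurity
    public class SecurityTokenConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf().disable()
                // make sure we use stateless session; session won't be used to store user's state.
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                // handle unauthorized attempts
                .exceptionHandling().authenticationEntryPoint((req, rsp, e) -> rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED))
                .and()
                // Add a filter to validate the tokens with every request
                .addFilterBefore(new JwtTokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
                // authorization requests config
                .authorizeRequests()
                // allow all who are accessing "auth" service
                .antMatchers(HttpMethod.POST, "/${basePath:/}${version:/}/session/**").permitAll()
                // must be an admin if trying to access admin area (authentication is also required here)
                // Any other request must be authenticated
                .anyRequest().authenticated();
        }
    }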
and remove

    antMatchers(HttpMethod.POST, "/${basePath:/}${version:/}/session/**").permitAll()
No, it will still go into that filter.
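
The configure(WebSecurity) override that the answer above describes does not appear in the code on this page; the following is an added example of it, not the answerer's code. It assumes Spring Security 5.x (WebSecurityConfigurerAdapter), that basePath and version are application properties (hence @Value, because a placeholder inside a string literal passed to antMatchers is not expanded), and that JwtTokenAuthenticationFilter is the asker's own filter class.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import javax.servlet.http.HttpServletResponse;

@EnableWebSecurity
public class SecurityTokenConfig extends WebSecurityConfigurerAdapter {

    // Assumption: basePath and version are application properties. The pattern text
    // is copied from the page; @Value resolves the ${...} placeholders at startup.
    @Value("/${basePath:/}${version:/}/session/**")
    private String sessionPattern;

    @Override
    public void configure(WebSecurity web) {
        // Requests matching an ignored pattern are not routed through the Spring
        // Security filter chain, so filters added with addFilterBefore() do not see them.
        web.ignoring().antMatchers(HttpMethod.POST, sessionPattern);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .exceptionHandling().authenticationEntryPoint((req, rsp, e) -> rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED))
            .and()
            .addFilterBefore(new JwtTokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests()
            // the permitAll() rule for /session is removed, as the answer says
            .anyRequest().authenticated();
    }
}
```

Ignored paths also lose Spring Security's response headers and security context, so keep the ignored pattern as narrow as possible. If the filter class is additionally registered as a Spring bean (for example with @Component), Spring Boot also registers it with the servlet container and it runs for every request regardless of this configuration.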