Java Spring filter does not let certain requests bypass it


}

The filter above does not let /session requests bypass "JwtTokenAuthenticationFilter".


Does anyone know what is wrong here?

You can implement it another way, by overriding the configure(WebSecurity) method, as shown below:

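import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@EnableWebSecurity
public class SecurityTokenConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            // make sure we use stateless session; session won't be used to store user's state.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // handle unauthorized attempts
            .exceptionHandling().authenticationEntryPoint((req, rsp, e) -> rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED))
            .and()
            // Add a filter to validate the tokens with every request
            .addFilterBefore(new JwtTokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
            // authorization requests config
            .authorizeRequests()
            // allow all who are accessing "auth" service
            .antMatchers(HttpMethod.POST, "/${basePath:/}${version:/}/session/**").permitAll()
            // must be an admin if trying to access admin area (authentication is also required here)
            // Any other request must be authenticated
            .anyRequest().authenticated();
    }
}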

and delete
antMatchers(HttpMethod.POST, "/${basePath:/}${version:/}/session/**").permitAll()


No, it will still go into that filter.
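The configure(WebSecurity) override that the answer describes is not visible in the code above, so here is a sketch of it as an added example (not code from the original page), which also covers one possible cause of the filter still running as the comment reports. Assumptions: Spring Boot with Spring Security 5.x (WebSecurityConfigurerAdapter), the page's JwtTokenAuthenticationFilter exposed as a bean, and a constructed session path with the basePath/version placeholders already resolved.

```java
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@EnableWebSecurity
public class SecurityTokenConfig extends WebSecurityConfigurerAdapter {

    // Constructed sample pattern. A "${...}" placeholder inside a string literal is not
    // resolved by antMatchers(), so resolve basePath/version (e.g. with @Value) first.
    private static final String SESSION_PATTERN = "/session/**";

    // Assumption: JwtTokenAuthenticationFilter (the page's class) is exposed as a bean.
    @Bean
    public JwtTokenAuthenticationFilter jwtTokenAuthenticationFilter() {
        return new JwtTokenAuthenticationFilter();
    }

    // Spring Boot also registers every Filter bean with the servlet container, where it
    // runs for all requests regardless of web.ignoring(); disable that second registration.
    @Bean
    public FilterRegistrationBean<JwtTokenAuthenticationFilter> jwtFilterRegistration(JwtTokenAuthenticationFilter filter) {
        FilterRegistrationBean<JwtTokenAuthenticationFilter> registration = new FilterRegistrationBean<>(filter);
        registration.setEnabled(false);
        return registration;
    }

    // Requests matched here skip the whole Spring Security filter chain, custom filters included.
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers(HttpMethod.POST, SESSION_PATTERN);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .addFilterBefore(jwtTokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
            // No permitAll() entry for the session path: it is excluded in configure(WebSecurity).
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

Paths excluded with web.ignoring() also lose the other protections the security chain applies, such as response security headers, so keep the pattern as narrow as the login endpoint itself.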