Java 在spring security中排除通过过滤器的身份验证
我想排除通过筛选器传递的url。我添加了许可证,但每次我发出身份验证请求时,它都会通过过滤器。顺便说一下,当我删除过滤器时,它会进行身份验证。我的目标是排除一些URL通过过滤器。这是我的配置和过滤器的代码:Java 在spring security中排除通过过滤器的身份验证,java,spring-boot,spring-security,jwt,Java,Spring Boot,Spring Security,Jwt,我想排除通过筛选器传递的url。我添加了许可证,但每次我发出身份验证请求时,它都会通过过滤器。顺便说一下,当我删除过滤器时,它会进行身份验证。我的目标是排除一些URL通过过滤器。这是我的配置和过滤器的代码: @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter{ @Autowired private MyUserDetailsService userDeta
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
private MyUserDetailsService userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
}
@Bean
public PasswordEncoder passwordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
@Bean
public AuthenticationManager customAuthenticationManager() throws Exception {
return authenticationManager();
}
@Autowired
private JwtRequestFilter jwtRequestFilter;
@Override
protected void configure(HttpSecurity http) throws Exception{
http.csrf().disable()
.authorizeRequests()
.antMatchers("/AuthentificationController/**").permitAll()
.antMatchers("/swagger-ui.html").permitAll()
.anyRequest().authenticated()
.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.addFilterAfter(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}
}
这是我的过滤器的代码:
package tn.afriquecarglass.gestionstock.filters;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import tn.afriquecarglass.gestionstock.util.JwtUtil;
import tn.afriquecarglass.gestionstock.util.MyUserDetailsService;
@Component
public class JwtRequestFilter extends OncePerRequestFilter{
@Autowired
private MyUserDetailsService myUserDetailsService;
@Autowired
private JwtUtil jwtUtil;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
final String authorizationHeader = request.getHeader("Authorization");
String username = null;
String jwt = null;
if(authorizationHeader != null && authorizationHeader.startsWith("Bearer")) {
jwt = authorizationHeader.substring(7);
username = jwtUtil.extractUsername(jwt);
}
if(username!=null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = this.myUserDetailsService.loadUserByUsername(username);
if(jwtUtil.validateToken(jwt, userDetails)) {
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(userDetails, null,userDetails.getAuthorities());
usernamePasswordAuthenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
}
filterChain.doFilter(request, response);
}
}
}
如果请求的路径与要绕过的路径列表匹配并委托给下一个筛选器,则可以在自定义筛选器本身中提供跳过的逻辑
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
response, FilterChain filterChain)
throws ServletException, IOException {
final String authorizationHeader = request.getHeader("Authorization");
String username = null;
String jwt = null;
String reqPath = request.getRequestURI();
// If not matched then continue to the next filter
if ("/path_to_skipp".equals(reqPath )) {
filterChain.doFilter(request, response);
return;
}
// rest of your logic
...
}
如果您想从Spring Security的filterChain中完全排除URL,只需覆盖
configure(WebSecurity web)
方法
例如:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
public void configure(final WebSecurity web) throws Exception {
web.ignoring()
.antMatchers("/yourUrls/**");
}
}
您希望从筛选器中排除哪种URL