Spring Boot / Spring Security: my authorization filter is authorizing my request even though the URL is permitted

In my security configuration class I permit requests to the welcome URL and to any other URL that follows the "welcome/**" pattern.

This is my security configuration class:

// Project-specific types used below (CustomerDetailsService, JwtAuthenticationEntryPoint,
// JWTAuthorizationFilter) are assumed to live in the same package as this class.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@EnableGlobalMethodSecurity(prePostEnabled = true)
//@Configuration
@EnableWebSecurity
public class JwtSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Expose the AuthenticationManager as a bean so it can be injected elsewhere
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    private final CustomerDetailsService customerDetailsService;

    @Autowired
    private JwtAuthenticationEntryPoint unauthorizedHandler;

    @Autowired
    public JwtSecurityConfiguration(CustomerDetailsService customerDetailsService) {
        this.customerDetailsService = customerDetailsService;
    }

    // Username/password authentication backed by the custom UserDetailsService and BCrypt
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .userDetailsService(customerDetailsService)
                .passwordEncoder(passwordEncoderBean());
    }

    @Bean
    public PasswordEncoder passwordEncoderBean() {
        return new BCryptPasswordEncoder();
    }

    // Requests matched here bypass the security filter chain entirely (static assets only)
    @Override
    public void configure(WebSecurity web) throws Exception {
        // Ant patterns are matched against the request path, which starts with "/", so the
        // pattern must also start with "/" ("**/resources/static/**" never matches anything)
        web.ignoring().antMatchers("/resources/static/**")
                .and()
                .ignoring()
                .antMatchers(
                        HttpMethod.GET,
                        "/",
                        "/*.html",
                        "/favicon.ico",
                        "/**/*.html",
                        "/**/*.css",
                        "/**/*.js",
                        "/index_assets/**"
                );
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests()
                .antMatchers("/welcome/login").permitAll()
                .antMatchers("/welcome").permitAll()
                .antMatchers("/welcome/signup").permitAll()
                // leading "/" added: "admin/rest/**" would not match any request path
                .antMatchers("/admin/rest/**").authenticated()
                .and()
                .exceptionHandling().authenticationEntryPoint(unauthorizedHandler)
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        //http.addFilterBefore(new JWTAuthenticationFilter(authenticationManager()), UsernamePasswordAuthenticationFilter.class);

        // The JWT filter is registered for every request that reaches this security filter chain
        http.addFilterBefore(new JWTAuthorizationFilter(authenticationManager(), customerDetailsService), UsernamePasswordAuthenticationFilter.class);

        // disable page caching
        http
                .headers()
                .frameOptions().sameOrigin()  // required to set for H2 else H2 Console will be blank.
                .cacheControl();

        //http.headers().cacheControl();
    }
}
But I noticed that in my JWTAuthorizationFilter class the doFilterInternal() method still receives requests for this URL:

import java.io.IOException;
import java.util.Objects;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import io.jsonwebtoken.Jwts;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.filter.OncePerRequestFilter;

public class JWTAuthorizationFilter extends OncePerRequestFilter {

    // Assumed values: the question does not show these constants
    private static final String HEADER = "Authorization";
    private static final String TOKEN_PREFIX = "Bearer ";
    private static final String SECRET = "<signing-secret-placeholder>";

    private final CustomerDetailsService customerDetailsService;

    // This filter is created with `new` in the security configuration, so field injection
    // does not run and this field stays null
    @Autowired
    DefaultCookieService defaultCookieService;

    public JWTAuthorizationFilter(AuthenticationManager authenticationManager, CustomerDetailsService customerDetailsService) {
        // super(authenticationManager);
        this.customerDetailsService = customerDetailsService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {

        String header = request.getHeader(HEADER);

        // No bearer token: returns without calling chain.doFilter(), so the request
        // goes no further down the filter chain
        if (Objects.isNull(header) || !header.startsWith(TOKEN_PREFIX)) {
            return;
        }

        UsernamePasswordAuthenticationToken usernamePasswordAuth = getAuthenticationToken(request);

        SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuth);

        chain.doFilter(request, response);
    }

    // Verify the JWT signature, then load the user named in its subject claim
    private UsernamePasswordAuthenticationToken getAuthenticationToken(HttpServletRequest request) {

        String token = request.getHeader(HEADER);

        if (Objects.isNull(token)) return null;

        String username = Jwts.parser().setSigningKey(SECRET)
                .parseClaimsJws(token.replace(TOKEN_PREFIX, ""))
                .getBody()
                .getSubject();

        // Check the subject before the lookup so a null subject never reaches loadUserByUsername()
        if (username == null) return null;

        UserDetails userDetails = customerDetailsService.loadUserByUsername(username);

        return new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
    }
}

What is causing this?

The filter is expected to pick up every request; whether or not you permit the URL in the security configuration makes no difference.

You have two options:

  • If you do not want welcome/** to go through the filter, add it to web.ignoring():

    @Override
    public void configure(WebSecurity web) throws Exception {

        // pattern must start with "/" to match a request path ("**/resources/static/**" never matches)
        web.ignoring().antMatchers("/resources/static/**")
                .and()
                .ignoring()
                .antMatchers(
                        HttpMethod.GET,
                        "/",
                        "/*.html",
                        "/favicon.ico",
                        "/**/*.html",
                        "/**/*.css",
                        "/**/*.js",
                        "/index_assets/**",
                        "/welcome/**"
                );
    }
    
    But be aware that this skips all of the filters, which you may not want.

  • In the doFilterInternal method, skip the request when it matches the welcome/** pattern.

  • I'm curious: if the filter picks up all URLs, then why is there a .permitAll() method at all?

  • Two things: 1) .permitAll() does not mean it will skip all filters. 2) JWTAuthorizationFilter is your custom filter. When you explicitly ask for it to be applied before UsernamePasswordAuthenticationFilter, how would Spring know to skip it? Try the @EnableWebSecurity(debug=true) annotation and look in the console at the list of filters applied to each request. That may help clear some of this up.