Spring boot 仅在需要身份验证时应用spring安全筛选器(由我的应用程序)
我读过,这似乎是最接近我的问题,但没有充分回答它 下面您将看到我当前使用的WebSecurity配置适配器配置。它不会一直保持这样,因为我以后不会公开h2控制台 我的问题是,Spring boot 仅在需要身份验证时应用spring安全筛选器(由我的应用程序),spring-boot,spring-security,Spring Boot,Spring Security,我读过,这似乎是最接近我的问题,但没有充分回答它 下面您将看到我当前使用的WebSecurity配置适配器配置。它不会一直保持这样,因为我以后不会公开h2控制台 我的问题是,JwtAuthenticationFilter总是被执行。我更希望在需要身份验证的请求上执行过滤器(在我的特定情况下:仅此处所述: .authorizeRequests() .anyRequest() .authenticated() ) 如何做到这一
JwtAuthenticationFilter.authorizeRequests()
.anyRequest()
.authenticated()
io.jsonwebtoken.SignatureExceptionpackage com.particles.authservice.jwt;
导入java.io.IOException;
导入java.util.Optional;
导入javax.servlet.FilterChain;
导入javax.servlet.ServletException;
导入javax.servlet.http.HttpServletRequest;
导入javax.servlet.http.HttpServletResponse;
导入org.springframework.beans.factory.annotation.Autowired;
导入org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
导入org.springframework.security.core.context.SecurityContextHolder;
导入org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
导入org.springframework.util.StringUtils;
导入org.springframework.web.filter.OncePerRequestFilter;
导入com.particles.authservice.tos.UserJwt;
公共类JwtAuthenticationFilter扩展了OncePerRequestFilter{
私有静态最终字符串授权\u头\u前缀=“授权”;
私有静态最终字符串授权\u头\u承载\u前缀=“承载”;
私有静态最终整数授权\头\承载\前缀\长度=授权\头\承载\前缀.LENGTH();
@自动连线
私人JwtService JwtService;
@凌驾
受保护的无效doFilterInternal(最终HttpServletRequest请求、最终HttpServletResponse响应、最终FilterChain FilterChain)
抛出ServletException、IOException{
if(request.getHeader(AUTHORIZATION\u HEADER\u PREFIX)!=null){
最终可选选项optoken=extractTokenFromRequest(请求);
if(optoken.isPresent()&&StringUtils.hasText(optoken.get())&&jwtService.isTokenValid(optoken.get()){
//如果令牌存在且有效,则检索相应的UserJwt对象
最终用户jwt jwt=jwtService.getJwtFromToken(optoken.get());
final UsernamePasswordAuthenticationToken authenticationToken=新UsernamePasswordAuthenticationToken(jwt.getUser(),null,
jwt.getUser().getAuthorities());
setDetails(新的WebAuthenticationDetailsSource().buildDetails(请求));
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
}
}
filterChain.doFilter(请求、响应);
}
/**
*此方法从{@link HttpServletRequest}-对象中提取JWT。
*
*@param请求
*({@link-HttpServletRequest})请求,它应该包含一个JWT
*@return(OptionalString)JWT作为字符串
*/
私有可选extractTokenFromRequest(最终HttpServletRequest请求){
最终字符串bearerToken=request.getHeader(授权\头\前缀);
字符串bearerTokenContent=null;
if(StringUtils.hasText(bearerToken)和&bearerToken.startsWith(授权\头\承载\前缀)){
bearerTokenContent=bearerToken.substring(授权\头\承载\前缀\长度,bearerToken.LENGTH());
}
返回可选的空值(BealerTokenContent);
}
}
如果您需要查看任何其他类,请告诉我,我将在此处粘贴它们。添加以下方法以公开您的公共端点
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers("/public-api/**");
}
似乎不可能仅使用
WebSecurityConfigurerAdapter#configure- 需要过滤器的端点(在我的例子中是
)在JwtAuthenticationFilter
下收集,并且没有单独定义,因为很有可能有人忘记将它们添加到/api/
-方法中configure - 所有其他端点的路径与
/api/
@Override
protected void configure(final HttpSecurity http) throws Exception {
//@formatter:off
http
.cors()
.and()
.csrf()
.disable()
.headers()
.frameOptions()
.disable()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/",
"/favicon.ico",
"/**/*.png",
"/**/*.gif",
"/**/*.svg",
"/**/*.jpg",
"/**/*.html",
"/**/*.css",
"/**/*.js")
.permitAll()
.antMatchers("/h2-console/**").permitAll()
.antMatchers(HttpMethod.POST,
PUBLIC_API_PATH + "register",
PUBLIC_API_PATH + "login")
.permitAll()
.antMatchers(HttpMethod.GET,
PUBLIC_API_PATH + "confirm")
.permitAll()
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.exceptionHandling()
.authenticationEntryPoint(unauthorizedHandler)
.accessDeniedHandler(unauthorizedHandler)
.and()
.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
;
//@formatter:on
JwtAuthenticationFilter/API/ @Override
protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response, final FilterChain filterChain)
throws ServletException, IOException {
if (request.getRequestURI().contains(SecurityConfiguration.PRIVATE_API_PATH)) {
// perform Jwt-authentication since request-URI suggests a call to private-API
...
}
}
filterChain.doFilter(request, response);
}
SecurityConfiguration.PRIVATE\u API\u PATH显然,可以在@*映射(value)中使用如下变量:
@PostMapping(value=“${apipath}/user”)JwtAuthenticationFilterapplication.yamllocalhost:9191/auth/*localhost:9191/auth/h2控制台localhost:9191/auth/publicapilocalhost:9191/auth/publicapi>下<
@Override
protected void configure(final HttpSecurity http) throws Exception {
//@formatter:off
http
.cors()
.and()
.csrf()
.disable()
.headers()
.frameOptions()
.disable()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/",
"/favicon.ico",
"/**/*.png",
"/**/*.gif",
"/**/*.svg",
"/**/*.jpg",
"/**/*.html",
"/**/*.css",
"/**/*.js")
.permitAll()
.antMatchers("/h2-console/**").permitAll()
.antMatchers(HttpMethod.POST,
PUBLIC_API_PATH + "register",
PUBLIC_API_PATH + "login")
.permitAll()
.antMatchers(HttpMethod.GET,
PUBLIC_API_PATH + "confirm")
.permitAll()
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.exceptionHandling()
.authenticationEntryPoint(unauthorizedHandler)
.accessDeniedHandler(unauthorizedHandler)
.and()
.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
;
//@formatter:on
@Override
protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response, final FilterChain filterChain)
throws ServletException, IOException {
if (request.getRequestURI().contains(SecurityConfiguration.PRIVATE_API_PATH)) {
// perform Jwt-authentication since request-URI suggests a call to private-API
...
}
}
filterChain.doFilter(request, response);
}