Spring Security:需要授权的 URL 没有进入我的 AbstractSecurityInterceptor 过滤器
我只使用 Spring Security 根据用户关联的角色对 URL 资源进行授权,登录本身并不依赖 Spring Security。但是需要授权的 URL 并没有进入我用来做 URL 授权的 JWTAuthenticationFilter。我不知道代码中哪里有问题,请检查下面的代码,并指出我的配置或 JWTAuthenticationFilter 中的问题;任何相关的参考链接也非常感谢。

我的配置文件:
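/**
 * Web security configuration for a stateless API.
 *
 * <p>The two login endpoints are open, every other request must be authenticated, and a custom
 * authorization filter is placed in front of {@code FilterSecurityInterceptor}.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Declares the URL authorization rules and installs the custom filter.
     *
     * @param http builder for the application's security filter chain
     * @throws Exception if the chain cannot be configured
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // NOTE(review): CSRF protection is switched off. That is only appropriate while the
        // credential is sent in a request header; if it is ever carried in a cookie, turn CSRF
        // protection back on.
        http.csrf().disable()
            .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/user/login", "/user/sso/login").permitAll()
                // Rules are evaluated in declaration order and the first match wins, so specific
                // matchers have to come before anyRequest(). Declared after it, this rule was
                // never reached, and newer Spring Security releases reject that ordering at
                // start-up.
                .antMatchers(HttpMethod.GET, "/pos/findAllList").authenticated()
                .anyRequest().authenticated()
                .and()
            // NOTE(review): an object created with `new` is not managed by the Spring container,
            // so its @Autowired fields are not injected. The JWTAuthenticationFilter on this page
            // depends on two such fields; obtain the filter from the application context instead
            // of constructing it here.
            .addFilterBefore(new JWTAuthenticationFilter(), FilterSecurityInterceptor.class)
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    /**
     * Excludes the Swagger paths from the security filter chain.
     *
     * @param web builder for the global web security settings
     * @throws Exception if the settings cannot be applied
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        super.configure(web);
        // Requests matched here skip the Spring Security filter chain completely: no
        // authentication, no authorization, and none of the chain's other filters.
        // NOTE(review): confirm that the API documentation is meant to be reachable without
        // authentication in every environment this configuration is deployed to.
        web
            .ignoring()
            .antMatchers("/admin/swagger/**");
    }
}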
我的JWTAuthenticationFilter:
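/**
 * Servlet filter that authorizes each request through {@link AbstractSecurityInterceptor},
 * using an injected metadata source and an injected access decision manager.
 *
 * <p>NOTE(review): despite the name, nothing in this class reads or validates a JWT; it only
 * makes the access decision for the {@code Authentication} already present in the
 * {@code SecurityContext}. Nothing visible in this listing populates that context.
 */
@Log4j2
public class JWTAuthenticationFilter extends AbstractSecurityInterceptor implements Filter {

    // Both fields are filled in by Spring only when this object is a container-managed bean.
    @Autowired
    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    @Autowired
    private SmcAccessDecisionManager smcAccessDecisionManager;

    /**
     * Registers the injected decision manager with the parent interceptor.
     *
     * <p>NOTE(review): this runs only when something calls {@code Filter.init}; confirm that the
     * way this filter is registered actually does so, otherwise the parent has no decision
     * manager when {@code beforeInvocation} runs.
     *
     * @param filterConfig servlet filter configuration (unused)
     * @throws ServletException declared by the {@code Filter} contract
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        super.setAccessDecisionManager(smcAccessDecisionManager);
    }

    /**
     * Wraps the request in a {@link FilterInvocation} and runs the authorization check.
     *
     * @param request  the incoming request
     * @param response the outgoing response
     * @param chain    the remaining filter chain
     * @throws IOException      if a downstream filter fails on I/O
     * @throws ServletException if a downstream filter fails
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        log.info("进入SmcSecurityFilter");
        FilterInvocation fi = new FilterInvocation(request, response, chain);
        invoke(fi);
    }

    /**
     * Authorizes the invocation and, if access is granted, continues the filter chain.
     *
     * @param object the request/response/chain triple being secured
     * @throws IOException      if a downstream filter fails on I/O
     * @throws ServletException if a downstream filter fails
     */
    public void invoke(FilterInvocation object) throws IOException, ServletException {
        // beforeInvocation() is called exactly once and its token is kept. The original called it
        // twice and discarded the first token, so the authorization work ran repeatedly and the
        // first token was never handed to afterInvocation().
        InterceptorStatusToken token = super.beforeInvocation(object);
        try {
            // beforeInvocation() returns early when the metadata source yields no attributes, so
            // the explicit call is kept to pass such requests to smcAccessDecisionManager as before.
            // NOTE(review): getAuthentication() is null when nothing has populated the
            // SecurityContext; verify how the decision manager treats that case.
            Collection<ConfigAttribute> attributes = securityMetadataSource.getAttributes(object);
            this.smcAccessDecisionManager.decide(
                    SecurityContextHolder.getContext().getAuthentication(), object, attributes);
            object.getChain().doFilter(object.getRequest(), object.getResponse());
        } finally {
            super.afterInvocation(token, null);
        }
    }

    /** Returns the metadata source that maps requests to required attributes. */
    public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    /** Replaces the metadata source that maps requests to required attributes. */
    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {
        this.securityMetadataSource = securityMetadataSource;
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /** Declares {@link FilterInvocation} as the secured object type. */
    @Override
    public Class<?> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    /** Supplies the parent interceptor with the injected metadata source. */
    @Override
    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return this.securityMetadataSource;
    }
}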
@Log4j2
公共类JWTAuthenticationFilter扩展AbstractSecurityInterceptor实现筛选器{
@自动连线
私有筛选器职业securityMetadataSource securityMetadataSource;
@自动连线
私人SMCCessDecisionManager SMCCessDecisionManager;
@凌驾
public void init(FilterConfig FilterConfig)抛出ServletException{
super.setAccessDecisionManager(SMAccessDecisionManager);
}
@凌驾
public void doFilter(ServletRequest请求、ServletResponse响应、FilterChain链)
抛出IOException、ServletException{
日志信息(“进入SmcSecurityFilter);
FilterInvocation fi=新的FilterInvocation(请求、响应、链);
调用(fi);
}
公共void调用(FilterInvoke对象)引发IOException、ServletException{
super.beforeInvocation(对象);
集合属性=securityMetadataSource.getAttributes(对象);
this.smccessDecisionManager.decise(SecurityContextHolder.getContext().getAuthentication(),对象,属性);
InterceptorStatusToken令牌=super.beforeInvocation(对象);
试一试{
object.getChain().doFilter(object.getRequest(),object.getResponse());
}最后{
super.afterInvocation(令牌,null);
}
}
公共筛选器职业SecurityMetaDataSource getSecurityMetadataSource(){
返回this.securityMetadataSource;
}
public void setSecurityMetadataSource(过滤器职业安全元数据源安全元数据源){
this.securityMetadataSource=securityMetadataSource;
}
@凌驾
公共空间销毁(){
}
@凌驾
公共类getSecureObjectClass(){
返回filtering.class;
}
@凌驾
public SecurityMetadataSource获取SecurityMetadataSource(){
返回this.securityMetadataSource;
}
}
尝试将doFilter()更改为如下所示:
/**
 * Logs entry into the filter, wraps the request in a FilterInvocation and delegates to
 * invoke(), passing the chain, request and response along explicitly.
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    log.info("进入SmcSecurityFilter");
    invoke(new FilterInvocation(request, response, chain), chain, request, response);
}
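/**
 * Authorizes the invocation and, if access is granted, continues the filter chain.
 *
 * @param object   the request/response/chain triple being secured
 * @param chain    the remaining filter chain
 * @param request  the incoming request
 * @param response the outgoing response
 * @throws IOException      if a downstream filter fails on I/O
 * @throws ServletException if a downstream filter fails
 */
public void invoke(FilterInvocation object, FilterChain chain, ServletRequest request, ServletResponse response)
        throws IOException, ServletException {
    // beforeInvocation() is called once and its token kept; the earlier version called it twice
    // and threw the first token away, so it never reached afterInvocation().
    InterceptorStatusToken token = super.beforeInvocation(object);
    try {
        // Kept because beforeInvocation() returns early when no attributes are configured for
        // the request; this still hands such requests to smcAccessDecisionManager.
        // NOTE(review): getAuthentication() is null if nothing populated the SecurityContext.
        Collection<ConfigAttribute> attributes = securityMetadataSource.getAttributes(object);
        this.smcAccessDecisionManager.decide(
                SecurityContextHolder.getContext().getAuthentication(), object, attributes);
        chain.doFilter(request, response);
    } finally {
        super.afterInvocation(token, null);
    }
}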
您的invoke()方法如下所示:
/**
 * Filter entry point: records that the filter was entered, builds the FilterInvocation for
 * this request and passes it to invoke() together with the chain, request and response.
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    log.info("进入SmcSecurityFilter");
    final FilterInvocation invocation = new FilterInvocation(request, response, chain);
    invoke(invocation, chain, request, response);
}
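/**
 * Runs the access decision for the invocation, then lets the request continue down the chain.
 *
 * @param object   the request/response/chain triple being secured
 * @param chain    the remaining filter chain
 * @param request  the incoming request
 * @param response the outgoing response
 * @throws IOException      if a downstream filter fails on I/O
 * @throws ServletException if a downstream filter fails
 */
public void invoke(FilterInvocation object, FilterChain chain, ServletRequest request, ServletResponse response)
        throws IOException, ServletException {
    // Single beforeInvocation() call whose token is retained. Calling it twice, as before,
    // repeated the authorization work and lost the first token.
    InterceptorStatusToken token = super.beforeInvocation(object);
    try {
        // beforeInvocation() does not consult the decision manager for requests without
        // configured attributes, so the explicit decide() call is retained.
        // NOTE(review): verify the decision manager's behaviour for a null Authentication.
        Collection<ConfigAttribute> attributes = securityMetadataSource.getAttributes(object);
        this.smcAccessDecisionManager.decide(
                SecurityContextHolder.getContext().getAuthentication(), object, attributes);
        chain.doFilter(request, response);
    } finally {
        super.afterInvocation(token, null);
    }
}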
public void invoke(FilterInvoke对象、FilterChain链、ServletRequest请求、ServletResponse响应)抛出IOException、ServletException{
super.beforeInvocation(对象);
集合属性=securityMetadataSource.getAttributes(对象);
this.smccessDecisionManager.decise(SecurityContextHolder.getContext().getAuthentication(),对象,属性);
InterceptorStatusToken令牌=super.beforeInvocation(对象);
试一试{
链式过滤器(请求、响应);
}最后{
super.afterInvocation(令牌,null);
}
}