Spring security spring过滤器适用于所有api URL错误
我不熟悉spring安全性,问题是过滤器应用于所有请求URL<代码>/api/user/signup。我想排除通过筛选器的路径Spring security spring过滤器适用于所有api URL错误,spring-security,spring-java-config,Spring Security,Spring Java Config,我不熟悉spring安全性,问题是过滤器应用于所有请求URL/api/user/signup。我想排除通过筛选器的路径/api/user/signup。我甚至试着跟随 web.ignoring() .antMatchers("/api/user/**") .antMatchers("/api/user/signup") 但过滤器再次应用于它。筛选器需要authkey令牌和注册请求 显然没有代币。当它找不到令牌时,它将通过异常 @Configura
/api/user/signup
。我甚至试着跟随
web.ignoring()
.antMatchers("/api/user/**")
.antMatchers("/api/user/signup")
但过滤器再次应用于它。筛选器需要authkey令牌和注册请求
显然没有代币。当它找不到令牌时,它将通过异常
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
AuthenticationTokenProcessingFilter authenticationTokenFilter;
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers("/api/user/**")
.antMatchers("/api/user/signup")
;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
//allow anonymous POSTs to login
.antMatchers("/api/user/signup").permitAll()
//allow anonymous GETs to API
.antMatchers(HttpMethod.GET, "/api/**").permitAll()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class)
;
}
这是我的令牌过滤器类
@Component
public class AuthenticationTokenProcessingFilter extends GenericFilterBean {
// @Autowired UserService userService;
@Autowired
TokenHandler tokenUtils;
@Autowired
AuthenticationManager authManager;
public AuthenticationTokenProcessingFilter(AuthenticationManager authManager) {
this.authManager = authManager;
}
public AuthenticationTokenProcessingFilter() {
super();
// TODO Auto-generated constructor stub
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
@SuppressWarnings("unchecked")
HttpServletRequest req = (HttpServletRequest) request;
SecurityContext context = SecurityContextHolder.getContext();
if (context.getAuthentication() != null && context.getAuthentication().isAuthenticated()) {
// do nothing
}else {
//System.out.println("Not Authenticated");
if(req != null && req.getHeader("authKey") != null && req.getHeader("authKey").length() >0 ) {
String token = req.getHeader("authKey");
System.out.println("Found Token:"+req.getHeader("authKey"));
// validate the token
User userDetails = tokenUtils.parseUserFromToken(token);
List<GrantedAuthority> grantedAuths = new ArrayList<>();
grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
Authentication authentication =
new UsernamePasswordAuthenticationToken(userDetails.getEmail(), userDetails.getPassword(),grantedAuths);
// set the authentication into the SecurityContext
SecurityContextHolder.getContext().setAuthentication(authentication);
System.out.println("Is Authenticated:?"+ context.getAuthentication().isAuthenticated());
// continue thru the filter chain
chain.doFilter(request, response);
System.out.println(" request is delegeted");
}else{
// Do your business stuff here for all paths other than /specialpath.
System.out.println(" Token Not Found");
throw new ServletException("Token not found in Request");
}
}
}
解决方案之一是根据传入的URL跳过过滤器逻辑。 排队后:
HttpServletRequest req = (HttpServletRequest) request;
在AuthenticationTokenProcessingFilter
的方法doFilter
中添加以下代码:
if (new AntPathRequestMatcher("/api/user/signup").matches(req))) {
chain.doFilter(request, response);
return;
}
当然,在
doFilter
方法中硬编码URL不是一个好的做法-您可以从SecurityConfig.configure
方法将该URL传递给您的过滤器。另外,可以优化新的AntPathRequestMatcher,只需创建一次并放入一个字段变量。解决方案是模仿具有多个
块的好的旧名称空间方式。通过Java配置,您还可以有多个类扩展websecurityConfigureAdapter
。Spring安全参考手册对此有详细的说明。摘录:
@EnableWebSecurity
public class MultiHttpSecurityConfig {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) { 1
...
}
@Configuration
@Order(1) 2
public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/api/**") 3
...
}
}
@Configuration 4
public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin()
...
}
}
}
注:
身份验证
@Order
的websecurityConfigureAdapter
实例,以指定应首先考虑哪个websecurityConfigureAdapter
http.antMatcher
声明此HttpSecurity
仅适用于以/api/
开头的URLwebsecurityConfigureAdapter
的另一个实例。如果URL不是以/api/
开头,则将使用此配置(无@Order
默认为最后一个)通过使用'@Component'注释过滤器,您告诉Spring将其添加到嵌入式容器中 任何作为Springbean的Servlet、Filter或Servlet*侦听器实例都将在嵌入式容器中注册。如果要在配置过程中引用application.properties中的值,这将非常方便 因此,
.addFilterBefore(authenticationTokenFilter,UsernamePasswordAuthenticationFilter.class)
此行没有影响
要修复它,请删除@Component和@Autowired并构造自己的实例,不要将其变成bean
@EnableWebSecurity
public class MultiHttpSecurityConfig {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) { 1
...
}
@Configuration
@Order(1) 2
public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/api/**") 3
...
}
}
@Configuration 4
public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin()
...
}
}
}