Spring security Spring Security中的方法配置(WebSecurity web)';行不通
我的Spring安全配置有问题,方法配置(WebSecurity)无法正常工作,下面是我的源代码:Spring security Spring Security中的方法配置(WebSecurity web)';行不通,spring-security,web-config,Spring Security,Web Config,我的Spring安全配置有问题,方法配置(WebSecurity)无法正常工作,下面是我的源代码: @Override protected void configure(HttpSecurity http) throws Exception { http.addFilter(jwtAuthenticationTokenFilter()) .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELE
@Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilter(jwtAuthenticationTokenFilter())
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
public void configure(WebSecurity web) {
web.ignoring().antMatchers("/auth",
"/v2/api-docs",
"/swagger-resources/**",
"/configuration/**",
"/swagger-ui.html",
"/webjars/**",
"/", "/refreshconfig", "/*.html", "/*.gif", "/favicon.ico", "/**/*.html", "/**/*.gif",
"/**/*.css", "/**/*.js");
}
public class JwtAuthenticationTokenFilter extends BasicAuthenticationFilter {
private static final Logger log = LoggerFactory.getLogger(JwtAuthenticationTokenFilter.class);
@Autowired
private JwtTokenUtil jwtTokenUtil;
public JwtAuthenticationTokenFilter(JwtTokenUtil jwtTokenUtil, AuthenticationManager authenticationManager) {
super(authenticationManager);
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws IOException, ServletException {
String token = request.getHeader(JwtTokenUtil.TOKEN_HEADER);
Authentication authentication = null;
try {
if (StringUtils.isNotBlank(token) && token.startsWith(JwtTokenUtil.TOKEN_PREFIX)) {
log.info("JWT found {}", token);
authentication = jwtTokenUtil.getAuthentication(token.replace(JwtTokenUtil.TOKEN_PREFIX, ""));
SecurityContextHolder.getContext().setAuthentication(authentication);
} else if (SecurityContextHolder.getContext().getAuthentication() != null
&& SecurityContextHolder.getContext().getAuthentication().isAuthenticated()) {
log.info("User already authenticated {}",
SecurityContextHolder.getContext().getAuthentication().getPrincipal());
} else {
log.info("Invalid JWT {}", token);
}
filterChain.doFilter(request, response);
} catch (ExpiredJwtException ex) {
response.setContentType("application/json");
response.setStatus(HttpStatus.SC_INSUFFICIENT_SPACE_ON_RESOURCE);
ErrorObj err = new ErrorObj(GamblingErrors.UNAUTHORIZED.getCode(), ex.getMessage());
log.info("OUT ERROR END: {}", err.toString());
response.getOutputStream().println(err.toString());
} catch (UnsupportedJwtException | MalformedJwtException | SignatureException | IllegalArgumentException ex) {
response.setContentType("application/json");
response.setStatus(HttpStatus.SC_UNAUTHORIZED);
ErrorObj err = new ErrorObj(GamblingErrors.UNAUTHORIZED.getCode(), ex.getMessage());
log.info("OUT ERROR END: {}", err.toString());
response.getOutputStream().println(err.toString());
}
}
}
即使使用configure(WebSecurity-web)
方法,在configure(HttpSecurity)
中添加的过滤器仍然适用于所有资源,而不考虑web。忽略。
有人能告诉我为什么它不起作用吗?从您的源代码中,我可能会建议Spring Boot将JwtAuthenticationTokenFilter
类自动放入过滤器链中。因此,尽管在security config中的ignering()
方法中排除/auth/是正确的,但这还不足以阻止在Spring引导本身的上下文中发生过滤器。解决方案是从jwtAuthenticationTokenFilter()
方法中删除注释@Bean
,或者按照中解释的其他方法在本文中包含jwtAuthenticationTokenFilter的源代码,请!我添加了jwtAuthenticationTokenFilterIsJwtAuthenticationTokenFilter
的源代码,用@Service或@Component注释?不,它没有注释