Spring: using AbstractAuthenticationProcessingFilter for multiple URLs
Tags: spring, rest, authentication, spring-boot, spring-security

I have the following endpoint patterns in my application:

/token - accessible to everyone
/rest/securedone/** - requires authentication
/rest/securedtwo/** - requires authentication
/rest/unsecured/** - does not require authentication

So far I am able to access the /token endpoint. But /rest/securedone/** and /rest/unsecured/** return 401 when no token (JWT) is sent. I intend to secure /rest/securedone/**, which is fine, but /rest/unsecured/** should be accessible. My httpSe
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private AuthenticationEntryPoint authenticationEntryPoint; // answers unauthenticated requests with 401

    // The filter needs an AuthenticationManager, otherwise afterPropertiesSet() fails at startup
    private MyAuthenticationTokenFilter authenticationTokenFilter() throws Exception {
        MyAuthenticationTokenFilter filter = new MyAuthenticationTokenFilter();
        filter.setAuthenticationManager(authenticationManagerBean());
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .cors()
            .and()
            .csrf().disable() // stateless token API, no session cookie to protect
            .authorizeRequests()
            .antMatchers("/token").permitAll()
            .antMatchers("/rest/secured/**").authenticated() // note: this pattern does not cover /rest/securedone/**
            .and()
            .exceptionHandling()
            .authenticationEntryPoint(authenticationEntryPoint)
            .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.addFilterBefore(authenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class);
        http.headers().cacheControl();
    }
}
My class extending AbstractAuthenticationProcessingFilter is as follows:

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

public class MyAuthenticationTokenFilter extends AbstractAuthenticationProcessingFilter {
    private static final Logger log = LoggerFactory.getLogger(MyAuthenticationTokenFilter.class);

    // Every request under /rest/** enters attemptAuthentication, including /rest/unsecured/**
    public MyAuthenticationTokenFilter() { super("/rest/**"); }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, ServletException {
        //authentication handling code
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
        // super.successfulAuthentication() would invoke the default success handler, which redirects;
        // for a stateless REST filter, store the result and let the request continue instead
        SecurityContextHolder.getContext().setAuthentication(authResult);
        chain.doFilter(request, response);
    }
}
Could someone help me with the following questions?
RequestMatcher matches the request url; for example, in your configuration it will handle urls matching /rest/** and try to convert the client credentials into an Authentication (e.g. userInfo, role...). It may throw an exception when the client credentials are incorrect.

Unlike authorizeRequests (xxx.authorized() or xxx.permit()), which only checks whether the Authentication has some particular attribute (e.g. role, scope) and so on, AbstractAuthenticationProcessingFilter just puts a card (Authentication) into a box (SecurityContext) on behalf of the different clients, and authorizeRequests just checks whether the box holds the card it needs, otherwise it rejects the request. AbstractAuthenticationProcessingFilter does not care who uses these cards or how, nor where the cards come from.
Can I specify multiple url patterns in the super(defaultFilterProcessingUrl) call inside the MyAuthenticationTokenFilter constructor?
Yes, you can set the requiresAuthenticationRequestMatcher via setRequiresAuthenticationRequestMatcher; it will override the old requiresAuthenticationRequestMatcher, e.g.

    // org.springframework.security.web.util.matcher.OrRequestMatcher
    // org.springframework.security.web.util.matcher.AntPathRequestMatcher
    authenticationTokenFilter
        .setRequiresAuthenticationRequestMatcher(new OrRequestMatcher(
            new AntPathRequestMatcher("/rest/secured/**"),
            new AntPathRequestMatcher("/api/secured/**")
        ));
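A complete filter and configuration for the endpoint layout in the question, as an added example that is not part of the original question or answers. It ties together both points above: the filter only converts credentials into an Authentication (the "card") for the paths its RequestMatcher selects, and authorizeRequests only inspects the SecurityContext (the "box"). Instead of calling setRequiresAuthenticationRequestMatcher afterwards, it passes the OrRequestMatcher to the protected AbstractAuthenticationProcessingFilter(RequestMatcher) constructor, so /rest/unsecured/** never enters attemptAuthentication and can no longer produce a 401. JwtBearerFilter and RestSecurityConfig are assumed names, as is the JWT-validating AuthenticationProvider behind authenticationManagerBean(); token verification itself is not shown.

```java
// Added example, not code from the original question or answers.
// Assumes Spring Boot 2.x / Spring Security 5.x with javax.servlet, and that an
// AuthenticationProvider accepting PreAuthenticatedAuthenticationToken (carrying the raw JWT)
// is registered elsewhere and verifies signature and expiry.
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

public class JwtBearerFilter extends AbstractAuthenticationProcessingFilter {

    // Only these paths are intercepted. /token and /rest/unsecured/** are never matched,
    // so a request without a token there does not reach attemptAuthentication at all.
    private static final RequestMatcher SECURED_PATHS = new OrRequestMatcher(
            new AntPathRequestMatcher("/rest/securedone/**"),
            new AntPathRequestMatcher("/rest/securedtwo/**"));

    public JwtBearerFilter(AuthenticationManager authenticationManager) {
        // The protected RequestMatcher constructor accepts any matcher, so no later
        // setRequiresAuthenticationRequestMatcher call is needed.
        super(SECURED_PATHS);
        setAuthenticationManager(authenticationManager);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.startsWith("Bearer ")) {
            // Only matched paths get here; the default failure handler turns this into HTTP 401.
            throw new BadCredentialsException("Missing bearer token");
        }
        String token = header.substring("Bearer ".length()).trim();
        // The raw token is the credential; the (assumed) JWT provider behind the
        // AuthenticationManager validates it and returns a populated Authentication.
        return getAuthenticationManager().authenticate(new PreAuthenticatedAuthenticationToken(token, token));
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, Authentication authResult) throws IOException, ServletException {
        // Do not call super: its default success handler issues a redirect, which is wrong for a
        // stateless REST API. Put the card into the box and let the request continue down the chain.
        SecurityContextHolder.getContext().setAuthentication(authResult);
        chain.doFilter(request, response);
    }
}

// Authorization rules aligned with the filter's matcher: the filter fills the SecurityContext,
// authorizeRequests only checks it.
@EnableWebSecurity
class RestSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/token", "/rest/unsecured/**").permitAll()
                .antMatchers("/rest/securedone/**", "/rest/securedtwo/**").authenticated()
            .and()
            .addFilterBefore(new JwtBearerFilter(authenticationManagerBean()),
                    UsernamePasswordAuthenticationFilter.class);
    }
}
```

With this wiring a request to /rest/unsecured/x without a token passes the filter untouched and is permitted by authorizeRequests, while /rest/securedone/x without a token is rejected by the filter with 401 before any controller runs.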
Thank you very much for the simple explanation and your time. I think I now have a much more solid understanding of it.