我在Spring 4 MVC + Security + Boot项目中设置了一个自定义身份验证过滤器.过滤器做得很好,现在我想禁用某些URI的安全性(比如/api/**).这是我的配置
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
@Override
public void configure(WebSecurity webSecurity) throws Exception {
webSecurity.ignoring().antMatchers("/api/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilterBefore(filter, BasicAuthenticationFilter.class);
}
}
不幸的是,当我在/ api/...下调用资源时,过滤器仍然被链接.我在我的过滤器中添加了println,并在每次调用时将其写入控制台.你知道我的配置有什么问题吗?
UPDATE
过滤代码:
@Component
public class EAccessAuthenticationFilter extends RequestHeaderAuthenticationFilter {
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
System.out.println("FILTER");
if(SecurityContextHolder.getContext().getAuthentication() == null){
//Do my authentication stuff
PreAuthenticatedAuthenticationToken authentication = new PreAuthenticatedAuthenticationToken(user, credential, authorities); …我们有一个如下所示的配置:
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
public static final String LOGIN_PATH_EXPRESSION = "/login";
public static final String API_PATH_EXPRESSION = "/api/**/*";
public static final String GLOBAL_PATH_EXPRESSION = "/**/*";
@Autowired
@Qualifier("ssoFilter")
private Filter ssoFilter;
@Autowired
private VerifyingProcessingFilter verifyingProcessingFilter;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.userDetailsService(username -> new User(username, "", Collections.emptyList()))
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers(LOGIN_PATH_EXPRESSION)
.authenticated()
.and()
.httpBasic()
.and()
.authenticationProvider(new SimpleAuthenticationProvider())
.authorizeRequests()
.antMatchers(API_PATH_EXPRESSION).authenticated()
.and()
.addFilterBefore(ssoFilter, BasicAuthenticationFilter.class)
.addFilterAfter(verifyingProcessingFilter, FilteredOAuth2AuthenticationProcessingFilter.class)
.authorizeRequests()
.antMatchers(GLOBAL_PATH_EXPRESSION)
.permitAll()
.and()
.csrf()
.disable();
}
并且认识到我们FilteredOAuth2AuthenticationProcessingFilter …
我有一个 Spring Boot 应用程序,我试图在其中创建一个自定义安全过滤器,如下所示:
public class CustomSecurityFilter extends GenericFilterBean {
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
//it should be invoked only for "/needCustomSecurityOnThisURL"
chain.doFilter(request, response);
}
}
现在,我只想在特定的 URL 上调用它,但我无法弄清楚这一点。我正在使用以下代码调用它:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.csrf().disable() // Disable CSRF Token
.httpBasic();
// Disable Session Management
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
//want to add the Custom Security Filter n it should …java spring restful-authentication spring-security spring-filter