禁止 Spring Security 基于 RequestURI 运行

问题描述 投票:0回答:1

我想禁止 Spring Security 基于 RequestURI 运行。所以我不想进入configure方法,因为我在“auth/findRealm”服务中找到了“AuthenticationManager”。

Java version: 17
Spring Security version: 2.7.4

安全类

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig {
    private final AuthenticationEntryPoint authenticationEntryPoint;
    private final AuthenticationEntryPoint tokenAuthenticationEntryPoint;
    private final AuthenticationManagerResolver authenticationManagerResolver;
    private final boolean authenticationEnabled;

    public SecurityConfig(
            @Qualifier("customAuthenticationEntryPoint") AuthenticationEntryPoint authenticationEntryPoint,
            @Qualifier("tokenAuthenticationEntryPoint") AuthenticationEntryPoint tokenAuthenticationEntryPoint,
            AuthenticationManagerResolver authenticationManagerResolver) {
        this.authenticationEntryPoint = authenticationEntryPoint;
        this.tokenAuthenticationEntryPoint = tokenAuthenticationEntryPoint;
        this.authenticationManagerResolver = authenticationManagerResolver;
    }

    @Bean
    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
            http
                    .cors().and()
                    .authorizeRequests()
                    .antMatchers("/auth/findRealm").permitAll()
                    .anyRequest().authenticated()
                    .and().exceptionHandling()
                    .authenticationEntryPoint(authenticationEntryPoint)
                    .and()
                    .oauth2ResourceServer().authenticationEntryPoint(tokenAuthenticationEntryPoint)
                    .authenticationManagerResolver(request -> authenticationManagerResolver.resolveAuthenticationManager(request));
        return http.build();
    }
}

自定义 AuthenticationManagerResolver 类

@Service
@RequiredArgsConstructor
public class AuthenticationManagerResolver {

    private final AuthenticationClientService authenticationClientService;

    public AuthenticationManager resolveAuthenticationManager(HttpServletRequest request) {
        String applicationCode = request.getHeader("applicationCode");
        String realm = authenticationClientService.findRealm(applicationCode);
        JwtAuthenticationProvider authenticationProvider = new JwtAuthenticationProvider(JwtDecoders.fromIssuerLocation(realm));
        return new ProviderManager(Collections.singletonList(authenticationProvider));
    }
}

如何克服这种情况?

spring-boot spring-security spring-oauth2
1个回答
0
投票

要完全禁用 spring security 申请某些 URL,可以配置一个 

WebSecurityCustomizer
bean 来自定义 
WebSecurity
:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig {

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring().requestMatchers("/foo" , "/bar/**");
    }

}

这将禁用 Spring Security 申请 URL 

/foo
/bar
以及 
/bar
下的子路径(例如 
/bar/baz

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.