我想禁止 Spring Security 基于 RequestURI 运行。所以我不想进入configure方法,因为我在“auth/findRealm”服务中找到了“AuthenticationManager”。
Java version: 17
Spring Security version: 2.7.4
安全类
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig {
private final AuthenticationEntryPoint authenticationEntryPoint;
private final AuthenticationEntryPoint tokenAuthenticationEntryPoint;
private final AuthenticationManagerResolver authenticationManagerResolver;
private final boolean authenticationEnabled;
public SecurityConfig(
@Qualifier("customAuthenticationEntryPoint") AuthenticationEntryPoint authenticationEntryPoint,
@Qualifier("tokenAuthenticationEntryPoint") AuthenticationEntryPoint tokenAuthenticationEntryPoint,
AuthenticationManagerResolver authenticationManagerResolver) {
this.authenticationEntryPoint = authenticationEntryPoint;
this.tokenAuthenticationEntryPoint = tokenAuthenticationEntryPoint;
this.authenticationManagerResolver = authenticationManagerResolver;
}
@Bean
public SecurityFilterChain configure(HttpSecurity http) throws Exception {
http
.cors().and()
.authorizeRequests()
.antMatchers("/auth/findRealm").permitAll()
.anyRequest().authenticated()
.and().exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint)
.and()
.oauth2ResourceServer().authenticationEntryPoint(tokenAuthenticationEntryPoint)
.authenticationManagerResolver(request -> authenticationManagerResolver.resolveAuthenticationManager(request));
return http.build();
}
}
自定义 AuthenticationManagerResolver 类
@Service
@RequiredArgsConstructor
public class AuthenticationManagerResolver {
private final AuthenticationClientService authenticationClientService;
public AuthenticationManager resolveAuthenticationManager(HttpServletRequest request) {
String applicationCode = request.getHeader("applicationCode");
String realm = authenticationClientService.findRealm(applicationCode);
JwtAuthenticationProvider authenticationProvider = new JwtAuthenticationProvider(JwtDecoders.fromIssuerLocation(realm));
return new ProviderManager(Collections.singletonList(authenticationProvider));
}
}
如何克服这种情况?
要完全禁用 spring security 申请某些 URL,可以配置一个
WebSecurityCustomizer
bean 来自定义 WebSecurity
:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig {
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().requestMatchers("/foo" , "/bar/**");
}
}
这将禁用 Spring Security 申请 URL
/foo
和 /bar
以及 /bar
下的子路径(例如 /bar/baz
)