The target API has been added to the ignoring matcher, and I expected it to simply call the web service, nothing more...
When Postman posts the URL, the log shows (as expected) that there is no security for that URL. I expected that, once no security is detected, the web service endpoint would be invoked. Instead, the framework redirects to /login and goes on trying to authenticate on that basis.
What am I missing to allow an unauthenticated user to call the web service?
Code snippet 1: web service endpoint
@CrossOrigin
@PostMapping(value = "/ws/createArchive", headers = "Accept=*/*")
public String createArchive(@RequestAttribute String apiKey, // bound from a request attribute (e.g. set by a filter), not from the ?apiKey= query parameter
                            @RequestBody Map<String, Object> body) {
    // "{}" placeholder added: without it the body argument is never written to the log
    logger.info("/ws/createArchive received:\r\n{}", body);
    return "Ok";
}
Code snippet 2: Spring web security initialisation
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
    // paths listed here bypass the security filter chain entirely
    return (web) -> web.ignoring()
        .requestMatchers("/", "/ws/**", "/index.html", "/app/**", "/register", "/favicon.ico", "/ajax/cfgDownloadReport", "/ajax/importLicense");
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .addFilterBefore(new ForwardedHeaderFilter(), ForceEagerSessionCreationFilter.class) // see https://stackoverflow.com/questions/75860090/spring-cors-error-on-nginx-reverse-proxy-with-https
        .csrf().disable()
        .authorizeHttpRequests()
            .requestMatchers("/authenticate").permitAll() // permitAll allows every request, authenticated or not
            .requestMatchers("/applicationVersion").permitAll()
            .requestMatchers("/ajax/licenseValidation", "/ajax/cfgFetchAllNotifications", "/notification/search", "/ajax/importLicense",
                             "/notification/searchCount", "/ajax/jobExecutionParams", "/ajax/keyValuePair/", "/ajax/instanceregistry")
            .permitAll()
            .anyRequest().denyAll()
        .and()
        .addFilterBefore(new JWTFilter(), UsernamePasswordAuthenticationFilter.class)
        .logout().deleteCookies(JWTFilter.getAuthorizationHeader()).invalidateHttpSession(true)
        .and()
        .sessionManagement()
            .sessionFixation().migrateSession()
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .maximumSessions(2);
    return http.getOrBuild();
}
URL posted from Postman:
http://127.0.0.1:8080/my-api/ws/createArchive?apiKey=12345
Log output:
http-nio-8080-exec-4 2024-04-22 15:41:35,831 TRACE o.s.s.w.FilterChainProxy - Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Ant [pattern='/'], Filters=[]] (1/9)
http-nio-8080-exec-4 2024-04-22 15:41:35,832 TRACE o.s.s.w.FilterChainProxy - Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Ant [pattern='/ws/**'], Filters=[]] (2/9)
http-nio-8080-exec-4 2024-04-22 15:41:35,833 TRACE o.s.s.w.FilterChainProxy - No security for POST /ws/createArchive?apiKey=12345
http-nio-8080-exec-4 2024-04-22 15:41:35,937 TRACE o.s.s.w.FilterChainProxy - Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Ant [pattern='/'], Filters=[]] (1/9)
http-nio-8080-exec-4 2024-04-22 15:41:35,938 TRACE o.s.s.w.FilterChainProxy - Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Ant [pattern='/ws/**'], Filters=[]] (2/9)
http-nio-8080-exec-4 2024-04-22 15:41:35,938 TRACE o.s.s.w.FilterChainProxy - Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Ant [pattern='/index.html'], Filters=[]] (3/9)
http-nio-8080-exec-4 2024-04-22 15:41:35,938 TRACE o.s.s.w.FilterChainProxy - Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Ant [pattern='/app/**'], Filters=[]] (4/9)
http-nio-8080-exec-4 2024-04-22 15:41:35,938 TRACE o.s.s.w.FilterChainProxy - Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Ant [pattern='/register'], Filters=[]] (5/9)
http-nio-8080-exec-4 2024-04-22 15:41:35,938 TRACE o.s.s.w.FilterChainProxy - Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Ant [pattern='/favicon.ico'], Filters=[]] (6/9)
http-nio-8080-exec-4 2024-04-22 15:41:35,939 TRACE o.s.s.w.FilterChainProxy - Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Ant [pattern='/ajax/cfgDownloadReport'], Filters=[]] (7/9)
http-nio-8080-exec-4 2024-04-22 15:41:35,939 TRACE o.s.s.w.FilterChainProxy - Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Ant [pattern='/ajax/importLicense'], Filters=[]] (8/9)
http-nio-8080-exec-4 2024-04-22 15:41:35,939 TRACE o.s.s.w.FilterChainProxy - Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@b760802, org.springframework.web.filter.ForwardedHeaderFilter@208e2b0, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7e6707c5, org.springframework.security.web.context.SecurityContextPersistenceFilter@380f5cac, org.springframework.security.web.header.HeaderWriterFilter@1ce6d2f2, org.springframework.security.web.authentication.logout.LogoutFilter@15b3c1bf, com.mycompany.myapp.JWTFilter@752534aa, org.springframework.security.web.session.ConcurrentSessionFilter@130646f9, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@59fdce16, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@792ce5eb, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@4e280414, org.springframework.security.web.session.SessionManagementFilter@3b80ca33, org.springframework.security.web.access.ExceptionTranslationFilter@676d03bf, org.springframework.security.web.access.intercept.AuthorizationFilter@4a0a10b8]] (9/9)
http-nio-8080-exec-4 2024-04-22 15:41:35,939 DEBUG o.s.s.w.FilterChainProxy - Securing POST /login?apiKey=12345
In my case, the correct solution to this problem was not to add the URL to the ignoring matcher, but to implement the API key security filter that had been planned for later in the project. See Securing a Spring Boot API with API key and secret.
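The API-key filter the answer points to, as an added example that is neither the asker's code nor the linked article's: it validates a key for /ws/** inside the security filter chain, so a bad key gets a 401 instead of a redirect, while web.ignoring() (which strips every security filter and header from those paths) is no longer needed for the web service. Assumptions: Spring Boot 3 with jakarta.servlet, an X-API-Key header as the transport, the class name ApiKeyFilter, the authority ROLE_API, and that the filter populates the apiKey request attribute the question's endpoint binds with @RequestAttribute.

```java
// Assumed names: ApiKeyFilter, X-API-Key header, ROLE_API (none come from the question).
// The expected key is injected by the caller (e.g. from configuration), never hard-coded.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

public class ApiKeyFilter extends OncePerRequestFilter {
    private static final String HEADER = "X-API-Key"; // header, not the ?apiKey= query string (keys in URLs end up in logs)
    private final byte[] expectedKey;

    public ApiKeyFilter(String expectedKey) {
        this.expectedKey = expectedKey.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // Only the web-service endpoints use API keys; everything else keeps the JWT filter.
        return !request.getServletPath().startsWith("/ws/");
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String presented = request.getHeader(HEADER);
        // MessageDigest.isEqual compares in constant time, so the check does not leak key prefixes.
        if (presented == null
                || !MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8), expectedKey)) {
            response.sendError(HttpStatus.UNAUTHORIZED.value(), "invalid API key");
            return; // stop here: no redirect to /login, no downstream filters
        }
        var auth = new UsernamePasswordAuthenticationToken(
                "api-client", null, List.of(new SimpleGrantedAuthority("ROLE_API")));
        SecurityContextHolder.getContext().setAuthentication(auth);
        request.setAttribute("apiKey", presented); // satisfies @RequestAttribute String apiKey in the endpoint
        chain.doFilter(request, response);
    }
}
// Wiring: drop "/ws/**" from web.ignoring(); in filterChain() add
// .requestMatchers("/ws/**").hasRole("API") and .addFilterBefore(new ApiKeyFilter(key), JWTFilter.class)
```

With this wiring the TRACE log would show the request matched by the "any request" chain and the AuthorizationFilter seeing ROLE_API, rather than "No security for POST /ws/createArchive".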