I would like to know whether I can use two different JWT token values for different paths.
My code block is:
```java
@Order(1)
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.csrf(AbstractHttpConfigurer::disable)
        .formLogin(AbstractHttpConfigurer::disable)
        .oauth2ResourceServer((oauth2) -> oauth2
            .jwt((jwt) -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter).decoder(chatbotJwtDecoder()))
            .authenticationEntryPoint(delegatedAuthenticationEntryPoint)
            .accessDeniedHandler(delegatedAccessDeniedHandler))
        .authorizeHttpRequests(request -> {
            request.requestMatchers("/quick-questions").permitAll();
            request.anyRequest().authenticated();
        })
        .sessionManagement(sessionManagementConfigurer -> sessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
    return http.build();
}

@Order(2)
@Bean
SecurityFilterChain memberFilterChain(HttpSecurity http) throws Exception {
    http.csrf(AbstractHttpConfigurer::disable)
        .formLogin(AbstractHttpConfigurer::disable)
        .oauth2ResourceServer((oauth2) -> oauth2
            .jwt((jwt) -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter).decoder(memberJwtDecoder()))
            .authenticationEntryPoint(delegatedAuthenticationEntryPoint)
            .accessDeniedHandler(delegatedAccessDeniedHandler))
        .authorizeHttpRequests(request -> {
            request.requestMatchers("/quick-questions").authenticated();
            //request.anyRequest().permitAll();
        })
        .sessionManagement(sessionManagementConfigurer -> sessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
    return http.build();
}

@Primary
@Bean
public JwtDecoder chatbotJwtDecoder() {
    return NimbusJwtDecoder.withPublicKey(publicKey()).build();
}

@Bean
public JwtDecoder memberJwtDecoder() {
    RSAPublicKey rsaPublicKey;
    try {
        rsaPublicKey = readPublicKey(publicKeyResource.getInputStream());
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
    return NimbusJwtDecoder.withPublicKey(rsaPublicKey).build();
}
```
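So I am requesting the path "/quick-questions", and I permit that path in filterChain, which has Order(1).
In the second SecurityFilterChain, which is memberFilterChain, I have:

```java
request.requestMatchers("/quick-questions").authenticated();
```

I expected this to give me an error, but I can get through this endpoint.
It seems the second chain, memberFilterChain with Order(2), is not working.
So what could be going wrong? Any ideas?

Edit1: I think this is somewhat related to http.securityMatcher(), but I haven't been able to figure it out yet.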