Spring Boot 3 安全过滤器

问题描述 投票:0回答:1

使用 Spring Boot 3 和 Security 6,我有以下安全过滤器

    @Bean
    @Order(1)
    public SecurityFilterChain showLoginFormFilter(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> {
            // Main page
            auth.requestMatchers("/").permitAll();
            // Customer site
            auth.requestMatchers("/customers**").authenticated();

            // Any other request must be authenticated
            auth.anyRequest().authenticated();   // No change if commented.
        });

        // Client setting - shows the login screen
        http.oauth2Login(withDefaults());

        return http.build();
    }

    @Bean
    @Order(3)
    public SecurityFilterChain publicDownloadRedirectFilter(HttpSecurity http) throws Exception {
        LOGGER.info("publicDownloadRedirectFilter - Initialized");
        http.securityMatcher("/downloadRedirect/**")
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers(new DownloadRedirectMatcher()).permitAll()
                        .anyRequest().authenticated()
        );

        return http.build();
    }

DownloadRedirectMatcher 就像

public class DownloadRedirectMatcher implements org.springframework.security.web.util.matcher.RequestMatcher {
    private static final Logger LOGGER = LoggerFactory.getLogger(DownloadRedirectMatcher.class);

    @Override
    public boolean matches(HttpServletRequest request) {
        LOGGER.info("Custom matcher ************* {}", "public".equals(request.getHeader("X-Public")));
        return ("public".equals(request.getHeader("X-Public")));
    }
}

我所期待的:

  1. 如果调用 / 则显示页面(确定)
  2. 如果调用 /customer/,页面会要求输入用户名/密码(确定)
  3. 如果使用“public”标头调用 /downloadRedirect,则应用 PermitAll,而是调用 /login 页面并提示用户/密码 (NG)

这就像 publicDownloadRedirectFilter 从未被应用过。

再次尝试:

两个过滤器都带有 securityMatcher,类似

    @Bean
    @Order(1)
    public SecurityFilterChain clientFilterChain(HttpSecurity http) throws Exception {
        LOGGER.info("clientFilterChain - Initialized");

        http.securityMatcher("/customer*")
                .authorizeHttpRequests(authorize -> authorize
                        .anyRequest().authenticated()
                );
        // Client setting - shows the login screen
        http.oauth2Login(withDefaults());

        return http.build();
    }

    // And same publicDownloadRedirectFilter

但是现在的结果是

  1. 如果调用 / 则显示页面(确定)
  2. 如果调用 /customer/ 则找不到 /login 页面并返回 404 (NG)
  3. 如果使用“public”标头调用 /downloadRedirect,则应用 PermitAll。 (好的)

任何帮助将不胜感激。

spring-boot spring-security
1个回答
0
投票

这里的 Spring Security 6 配置可能会满足您的要求。请尝试让我们知道

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authz) -> authz 
                .requestMatchers("/", "/customer/**").permitAll() // Permit root and '/customer' paths
                .requestMatchers(new DownloadRedirectMatcher()).permitAll() 
                .anyRequest().authenticated() // Authenticate everything else
            );

        return http.build();
    }

}
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.