Using Spring Boot 3 and Security 6, I have the following security filters:

    @Bean
    @Order(1)
    public SecurityFilterChain showLoginFormFilter(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> {
            // Main page
            auth.requestMatchers("/").permitAll();
            // Customer site
            auth.requestMatchers("/customers**").authenticated();
            // Any other request must be authenticated
            auth.anyRequest().authenticated(); // No change if commented.
        });
        // Client setting - shows the login screen
        http.oauth2Login(withDefaults());
        return http.build();
    }

    @Bean
    @Order(3)
    public SecurityFilterChain publicDownloadRedirectFilter(HttpSecurity http) throws Exception {
        LOGGER.info("publicDownloadRedirectFilter - Initialized");
        http.securityMatcher("/downloadRedirect/**")
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers(new DownloadRedirectMatcher()).permitAll()
                .anyRequest().authenticated()
            );
        return http.build();
    }

DownloadRedirectMatcher looks like this:

    import jakarta.servlet.http.HttpServletRequest;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;

    public class DownloadRedirectMatcher implements org.springframework.security.web.util.matcher.RequestMatcher {
        private static final Logger LOGGER = LoggerFactory.getLogger(DownloadRedirectMatcher.class);

        // Matches only requests that carry the header "X-Public: public"
        @Override
        public boolean matches(HttpServletRequest request) {
            LOGGER.info("Custom matcher ************* {}", "public".equals(request.getHeader("X-Public")));
            return ("public".equals(request.getHeader("X-Public")));
        }
    }

What I expected:
It is as if publicDownloadRedirectFilter was never applied.

Another attempt:
Both filters with a securityMatcher, like:

    @Bean
    @Order(1)
    public SecurityFilterChain clientFilterChain(HttpSecurity http) throws Exception {
        LOGGER.info("clientFilterChain - Initialized");
        http.securityMatcher("/customer*")
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated()
            );
        // Client setting - shows the login screen
        http.oauth2Login(withDefaults());
        return http.build();
    }
    // And same publicDownloadRedirectFilter

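But now the result is
Any help would be appreciated.

This Spring Security 6 configuration might meet your requirements. Please try it and let us know.

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.web.SecurityFilterChain;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig {
        @Bean
        public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http
                .authorizeHttpRequests((authz) -> authz
                    .requestMatchers("/", "/customer/**").permitAll() // Permit root and '/customer' paths
                    .requestMatchers(new DownloadRedirectMatcher()).permitAll()
                    .anyRequest().authenticated() // Authenticate everything else
                );
            return http.build();
        }
    }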
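
Added example, not code from the question or the answer: Spring Security hands each request to the first SecurityFilterChain whose matcher accepts it, and a chain without securityMatcher accepts every request, so the narrow /downloadRedirect/** chain has to be ordered before the catch-all one. The class name OrderedChainsConfig is hypothetical; DownloadRedirectMatcher is the class from the question.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

// Added example; OrderedChainsConfig is a hypothetical name.
@Configuration
@EnableWebSecurity
public class OrderedChainsConfig {

    // Narrow chain first: it only claims requests under /downloadRedirect/**.
    @Bean
    @Order(1)
    public SecurityFilterChain publicDownloadRedirectFilter(HttpSecurity http) throws Exception {
        http.securityMatcher("/downloadRedirect/**")
            .authorizeHttpRequests(authorize -> authorize
                // X-Public is supplied by the client, so this rule opens the path
                // to any caller who sends the header; it is not an access control.
                .requestMatchers(new DownloadRedirectMatcher()).permitAll()
                .anyRequest().authenticated()
            );
        return http.build();
    }

    // Catch-all chain last: with no securityMatcher it matches every request,
    // so a chain ordered after it would never be consulted.
    @Bean
    @Order(2)
    public SecurityFilterChain showLoginFormFilter(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/").permitAll()
                .requestMatchers("/customers**").authenticated()
                .anyRequest().authenticated()
            )
            // Client setting - shows the login screen
            .oauth2Login(withDefaults());
        return http.build();
    }
}
```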