I am currently migrating our services to Spring Boot 3 and Spring Security 6.
While doing so, I have run into a problem: I only want to set up a filter for one group of endpoints:

    SecurityFilterChain internalEndpointsFilterChain(HttpSecurity http) {
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(STATELESS)
            .and()
            .antMatcher("/cache/**") // <<<-- Problem
            .addFilterBefore(sharedSecretAuthenticationFilter(), ExceptionTranslationFilter)
            .exceptionHandling({ exceptionHandling ->
                exceptionHandling.authenticationEntryPoint(new UnauthorizedAuthenticationEntryPoint())
            })
            .authorizeRequests({ authorizeRequests ->
                authorizeRequests.anyRequest().fullyAuthenticated()
            })
            .build()
    }

Whatever I change here while migrating, these endpoints always get a 401.
My attempt:

    http.csrf { it.disable() }
        .sessionManagement { it.sessionCreationPolicy(STATELESS) }
        .securityMatcher("/cache/**")
        .addFilterBefore(sharedSecretAuthenticationFilter(), ExceptionTranslationFilter)
        .exceptionHandling({ exceptionHandling ->
            exceptionHandling.authenticationEntryPoint(new UnauthorizedAuthenticationEntryPoint())
        })
        .authorizeHttpRequests({ authorizeRequests ->
            authorizeRequests
                .anyRequest().fullyAuthenticated()
        })
        .build()

Any idea what I am doing wrong?
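
If the problem lies in the migration, and everything was working fine before you did it, then the problem is in the internalEndpointsFilterChain configuration.
Could you try the following implementation? Please give me feedback if it helps.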

    @Bean
    SecurityFilterChain internalEndpointsFilterChain(HttpSecurity http) throws Exception {
        // Stateless chain: CSRF protection disabled, no HTTP session created
        http.csrf(AbstractHttpConfigurer::disable);
        http.sessionManagement(sessionAuthenticationStrategy ->
            sessionAuthenticationStrategy.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        // No securityMatcher is set here, so this chain applies to every request
        http.authorizeHttpRequests(authorizeRequests ->
            authorizeRequests.anyRequest().fullyAuthenticated());
        // The shared-secret filter runs before ExceptionTranslationFilter
        http.addFilterBefore(sharedSecretAuthenticationFilter(), ExceptionTranslationFilter.class);
        http.exceptionHandling(exception -> exception.authenticationEntryPoint(new UnauthorizedAuthenticationEntryPoint()));
        return http.build();
    }
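
An added example, not part of the original question or answer: the same chain as Spring Security 6 Java configuration that keeps the question's `/cache/**` scope through `securityMatcher`. The page does not show `sharedSecretAuthenticationFilter()` or `UnauthorizedAuthenticationEntryPoint`, so `SharedSecretFilter`, the `X-Shared-Secret` header, the `internal.shared-secret` property, `ROLE_INTERNAL` and the use of `HttpStatusEntryPoint` are assumptions standing in for them.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.*;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.*;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.ExceptionTranslationFilter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;
import jakarta.servlet.*;
import jakarta.servlet.http.*;
// Added example: SharedSecretFilter, X-Shared-Secret, internal.shared-secret and ROLE_INTERNAL are hypothetical.
@Configuration
class InternalEndpointsSecurityConfig {
    @Bean @Order(1) // evaluated before any broader chain defined elsewhere
    SecurityFilterChain internalEndpointsFilterChain(HttpSecurity http,
            @Value("${internal.shared-secret}") String secret) throws Exception {
        http.securityMatcher("/cache/**") // this chain and its filter only see /cache/**
            .csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .addFilterBefore(new SharedSecretFilter(secret), ExceptionTranslationFilter.class)
            .exceptionHandling(e -> e.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            .authorizeHttpRequests(a -> a.anyRequest().fullyAuthenticated());
        return http.build();
    }
    static class SharedSecretFilter extends OncePerRequestFilter {
        private final byte[] expected;
        SharedSecretFilter(String secret) { expected = secret.getBytes(StandardCharsets.UTF_8); }
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, java.io.IOException {
            String presented = req.getHeader("X-Shared-Secret");
            // MessageDigest.isEqual compares in constant time, so timing does not leak the secret
            if (presented != null && MessageDigest.isEqual(expected, presented.getBytes(StandardCharsets.UTF_8))) {
                var auth = new PreAuthenticatedAuthenticationToken("internal-client", "N/A", AuthorityUtils.createAuthorityList("ROLE_INTERNAL"));
                SecurityContext ctx = SecurityContextHolder.createEmptyContext();
                ctx.setAuthentication(auth); // token is marked authenticated, so fullyAuthenticated() passes
                SecurityContextHolder.setContext(ctx);
            }
            chain.doFilter(req, res); // missing or wrong secret: stays unauthenticated, entry point returns 401
        }
    }
}
```

A chain without `securityMatcher` matches every request, so the shared-secret requirement would then cover the whole application rather than only `/cache/**`.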