这是一个 Java Spring boot 应用程序。 我想排除特定的 url 模式以不应用任何安全配置。我有一个自定义安全过滤器,但它始终适用于排除的特定 url 模式。 我没有在应用程序中设置任何应用程序上下文
我想忽略任何以“/sample”和“/soap”开头的请求。
@Configuration
@EnableWebSecurity
public class APIWebSecurityConfiguration {
// false
@Value("${spring.security.setting.csrf-enable}")
private boolean IS_CSRF_ENABLED;
// true
@Value("${spring.security.setting.stateless-enable}")
private boolean IS_STATELESS_ENABLED;
private APIAuthenticationExceptionHandler apiAuthenticationExceptionHandler;
private DefaultHeaderAuthenticationFilter defaultHeaderAuthenticationFilter;
@Autowired
public void setup(APIAuthenticationExceptionHandler apiAuthenticationExceptionHandler,
DefaultHeaderAuthenticationFilter defaultHeaderAuthenticationFilter) {
this.apiAuthenticationExceptionHandler = apiAuthenticationExceptionHandler;
this.defaultHeaderAuthenticationFilter = defaultHeaderAuthenticationFilter;
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// enable CORS and disable CSRF
http = http.cors().disable();
if (!IS_CSRF_ENABLED) {
http = http.csrf().disable();
}
// disable form login
http = http.formLogin().disable();
if (IS_STATELESS_ENABLED) {
// set session management to stateless
http = http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and();
if (IS_CSRF_ENABLED) {
http = http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and();
}
} else {
// handle stateful / not stateless case
http.sessionManagement().sessionFixation().migrateSession().and();
}
// set unauthorized requests exception handler
http = http
.exceptionHandling()
.authenticationEntryPoint(apiAuthenticationExceptionHandler)
.accessDeniedHandler(apiAuthenticationExceptionHandler)
.and();
// secure all endpoint
http = http
.authorizeRequests().antMatchers("/**/sample/**", "/**/soap/**").permitAll()
.and()
.authorizeRequests().anyRequest().authenticated()
.and();
http = http.httpBasic().disable();
http.addFilter(defaultHeaderAuthenticationFilter);
return http.build();
}
}
@Component
public class DefaultHeaderAuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter {
private DefaultHeaderAuthenticationManager defaultHeaderAuthenticationManager;
private APIAuthenticationExceptionHandler apiAuthenticationExceptionHandler;
@Autowired
public void setup(DefaultHeaderAuthenticationManager defaultHeaderAuthenticationManager,
APIAuthenticationExceptionHandler apiAuthenticationExceptionHandler) {
this.defaultHeaderAuthenticationManager = defaultHeaderAuthenticationManager;
this.apiAuthenticationExceptionHandler = apiAuthenticationExceptionHandler;
}
@PostConstruct
public void postConstruct() {
setAuthenticationManager(defaultHeaderAuthenticationManager);
setAuthenticationFailureHandler(apiAuthenticationExceptionHandler);
}
}
@Component
public class DefaultHeaderAuthenticationManager implements AuthenticationManager {
/**
*
* @param authentication the authentication request object
* @return true: if the authentication checking can pass, else false
* @throws AuthenticationException
*/
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
// do sth
}
}
非常感谢
当我注释掉
http.addFilter(defaultHeaderAuthenticationFilter);
时,应用程序可以成功执行请求,但是 defaultHeaderAuthenticationFilter 没有做任何事情,因为它被注释了。
我还尝试了 here 的不同语法。
当 url 模式包含“/sample”和“/soap”时,我想绕过 defaultHeaderAuthenticationFilter。