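I am trying to whitelist the "/api/auth/user-register" and "/api/auth/login" URLs so that they pass without any authentication. But my application is showing the unauthorized handler, asking for basic authentication on the register and login request mappings. I am using Spring Boot version 3.0.0.
Here is my SecurityFilterChain code. I use basic authentication for requests.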
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/api/auth/user-register", "/api/auth/login").permitAll()
                .requestMatchers("/api/user/album/**", "/api/user/track/**", "/api/user/comment/**").hasAnyAuthority(UserLoginRole.USER.value())
                .requestMatchers("/api/test/all/**").hasAnyAuthority(UserLoginRole.SUPER_ADMIN.value())
                .requestMatchers("/api/user/comment/**").hasRole("ADMIN")
                .requestMatchers("/api/admin/comment/**").hasAnyAuthority(UserLoginRole.ADMIN.value())
                .anyRequest().authenticated()
        );
        http.cors().and().csrf().disable();
        http.formLogin().disable();
        http.httpBasic().realmName(REALM).authenticationEntryPoint(getBasicAuthEntryPoint());
        http.authenticationProvider(authenticationProvider());
        //http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
I tried the Authorize HTTP Requests manual in the Spring documentation.
You should add @Configuration.
    @Configuration
    public class Security {
        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .authorizeHttpRequests().requestMatchers("/api/Say_goodbey").permitAll();
            return http.build();
        }
    }
I tried using your code without your role and authority methods, and it works fine (I just changed the name of the authentication endpoint to /auth).
    public class SecurityConfiguration {
        @Bean
        public PasswordEncoder encoder() {
            return new BCryptPasswordEncoder();
        }

        @Bean
        protected AuthFilter authFilter() {
            return new AuthFilter();
        }

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .cors().and().csrf().disable()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeHttpRequests(authorize -> authorize
                    .requestMatchers("/auth").permitAll()
                    .requestMatchers("/api/user/album/**", "/api/user/track/**", "/api/user/comment/**").hasAnyAuthority("UserLoginRole.USER.value()")
                    .requestMatchers("/api/test/all/**").hasAnyAuthority("UserLoginRole.SUPER_ADMIN.value()")
                    .requestMatchers("/api/user/comment/**").hasRole("ADMIN")
                    .requestMatchers("/api/admin/comment/**").hasAnyAuthority("UserLoginRole.ADMIN.value()")
                    .requestMatchers("/users","/users/**").hasRole("USER")
                    .anyRequest().authenticated()
                )
                .addFilterBefore(authFilter(), UsernamePasswordAuthenticationFilter.class);
            return http.build();
        }
    }
Please add the whole configuration class, and make sure you have added the @Configuration and @EnableSecurity annotations.
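
One way to check the whitelist from the question, as an added example that is not part of the original posts: a MockMvc test that sends unauthenticated requests to the two permitAll() endpoints and to a path covered by anyRequest().authenticated(). It assumes spring-boot-starter-test on the test classpath, that the two endpoints accept POST, and that the Basic entry point answers with 401; the class name WhitelistAccessTest and the path /api/some-protected-path are hypothetical.

```java
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;

// Loads the full application context, so the real SecurityFilterChain bean
// is the one being exercised (not a mock or a sliced configuration).
@SpringBootTest
@AutoConfigureMockMvc
class WhitelistAccessTest { // hypothetical test class name

    @Autowired
    private MockMvc mockMvc;

    // No Authorization header is sent. If the permitAll() rule is in effect,
    // the request reaches the controller; the body "{}" may be rejected there
    // (for example with 400), but the security layer must not answer 401.
    // A login handler that itself returns 401 for bad credentials would also
    // fail this check, so send valid test data if that applies.
    @ParameterizedTest
    @ValueSource(strings = {"/api/auth/user-register", "/api/auth/login"})
    void whitelistedEndpointsAreNotChallenged(String path) throws Exception {
        mockMvc.perform(post(path) // POST is an assumption about the endpoints
                        .contentType(MediaType.APPLICATION_JSON)
                        .content("{}"))
               .andExpect(result ->
                       assertNotEquals(401, result.getResponse().getStatus()));
    }

    // Guards against over-permitting: a path that matches none of the listed
    // rules falls through to anyRequest().authenticated() and must be refused.
    @Test
    void unlistedEndpointStillRequiresCredentials() throws Exception {
        mockMvc.perform(get("/api/some-protected-path")) // hypothetical path
               .andExpect(status().isUnauthorized());
    }
}
```

If the first test fails while the second passes, the permitAll() matcher is not being applied to those paths, which points at the configuration class not being picked up or another filter chain taking precedence.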