java 如何仅为一个特殊路径 WebSecurityConfigurerAdapter 添加过滤器
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/45820372/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to add a filter only for one special path WebSecurityConfigurerAdapter
提问by BennX
We have a configuration which looks like this:
我们有一个如下所示的配置:
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
public static final String LOGIN_PATH_EXPRESSION = "/login";
public static final String API_PATH_EXPRESSION = "/api/**/*";
public static final String GLOBAL_PATH_EXPRESSION = "/**/*";
@Autowired
@Qualifier("ssoFilter")
private Filter ssoFilter;
@Autowired
private VerifyingProcessingFilter verifyingProcessingFilter;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.userDetailsService(username -> new User(username, "", Collections.emptyList()))
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers(LOGIN_PATH_EXPRESSION)
.authenticated()
.and()
.httpBasic()
.and()
.authenticationProvider(new SimpleAuthenticationProvider())
.authorizeRequests()
.antMatchers(API_PATH_EXPRESSION).authenticated()
.and()
.addFilterBefore(ssoFilter, BasicAuthenticationFilter.class)
.addFilterAfter(verifyingProcessingFilter, FilteredOAuth2AuthenticationProcessingFilter.class)
.authorizeRequests()
.antMatchers(GLOBAL_PATH_EXPRESSION)
.permitAll()
.and()
.csrf()
.disable();
}
And recognized that we end inside of the FilteredOAuth2AuthenticationProcessingFilterwithin a /logincall and asked ourself why this is happening.
并认识到我们在FilteredOAuth2AuthenticationProcessingFilter内部/login通话中结束并问自己为什么会发生这种情况。
The goal is to have the ssoFilterand the verifyingProcessingFilteronly applied when hitting an endpoint with the path api/**/*.
目标是在使用 path 击中端点时应用ssoFilter和verifyingProcessingFilter唯一应用api/**/*。
Right now we have to add a AntMatching check inside of the filter so it is only applied to the right request but i assume it should be possible to add it only to the matching requests.
现在我们必须在过滤器内添加一个 AntMatching 检查,因此它只应用于正确的请求,但我认为应该可以只将它添加到匹配的请求中。
Could someone provide an example on how to add a Filter to one specific Ant Matching path request?
有人可以提供一个关于如何向一个特定的 Ant 匹配路径请求添加过滤器的示例吗?
回答by jfneis
Looks like you can't do that with a single Configuration class. Take a look at this question: How to apply spring security filter only on secured endpoints?.
看起来您不能使用单个 Configuration 类来做到这一点。看看这个问题:How to apply spring security filter only onsecured endpoints?.
In this case, I think the better solution is to configure multiple HttpSecurity. From Spring IO documentation:
在这种情况下,我认为更好的解决方案是配置多个HttpSecurity。从Spring IO 文档:
We can configure multiple HttpSecurity instances just as we can have multiple blocks. The key is to extend the WebSecurityConfigurationAdapter multiple times. For example, the following is an example of having a different configuration for URL's that start with /api/.
我们可以配置多个 HttpSecurity 实例,就像我们可以有多个块一样。关键是多次扩展 WebSecurityConfigurationAdapter。例如,以下是对以 /api/ 开头的 URL 进行不同配置的示例。
The documentation has a full example with the necessary steps to accomplish this:
该文档有一个完整的示例,其中包含完成此操作的必要步骤:
- Configure Authentication as normal
- Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.
- The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/
- Create another instance of WebSecurityConfigurerAdapter. If the URL does not start with /api/ this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).
- 正常配置身份验证
- 创建一个包含@Order 的 WebSecurityConfigurerAdapter 实例,以指定应首先考虑哪个 WebSecurityConfigurerAdapter。
- http.antMatcher 声明此 HttpSecurity 仅适用于以 /api/ 开头的 URL
- 创建 WebSecurityConfigurerAdapter 的另一个实例。如果 URL 不以 /api/ 开头,则将使用此配置。此配置在 ApiWebSecurityConfigurationAdapter 之后被考虑,因为它在 1 之后有一个 @Order 值(没有 @Order 默认为最后一个)。
Good luck!
祝你好运!
