弹簧过滤器无法绕过某些请求

时间:2020-05-22 22:43:31

标签: java spring-boot spring-mvc spring-security jwt 

@EnableWebSecurity
public class SecurityTokenConfig extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
    .csrf().disable()
        // make sure we use stateless session; session won't be used to store user's state.
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)     
    .and()
        // handle an authorized attempts 
        .exceptionHandling().authenticationEntryPoint((req, rsp, e) -> rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED))  
    .and()
       // Add a filter to validate the tokens with every request
       .addFilterBefore(new JwtTokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
    // authorization requests config
    .authorizeRequests()
       // allow all who are accessing "auth" service
       .antMatchers(HttpMethod.POST, "/${basePath:/}${version:/}/session/**").permitAll()  
       // must be an admin if trying to access admin area (authentication is also required here)
       // Any other request must be authenticated
       .anyRequest().authenticated(); 

}

}

上述过滤器无法允许/ session请求绕过'JwtTokenAuthenticationFilter'。

有人知道这是什么问题吗?

1 个答案:

答案 0 :(得分:0)

您可以通过覆盖configure(WebSecurity)这样的另一种方法来实现它:

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("**/session/**");
}

并删除antMatchers(HttpMethod.POST, "/${basePath:/}${version:/}/session/**").permitAll()

相关问题
最新问题