Spring Security on a specific path

Time: 2018-01-18 13:26:18

Tags: spring authentication spring-security

My spring-boot project is based on REST and JWT authentication. Now I want to disable JWT auth for a specific path and instead authenticate with a simple username and password. Can this be done?

    // Existing configuration, inside a WebSecurityConfigurerAdapter subclass
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .exceptionHandling().authenticationEntryPoint(restAuthenticationEntryPoint())
                .and()
                .authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers("/login/**").permitAll()
                .antMatchers("/register/**").permitAll()
                .antMatchers("/api/jwt/**").authenticated()
                .anyRequest().authenticated()
                .and()
                .addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
                .csrf().disable();
    }

I want to add username/password auth for, e.g., "/api/data/**".

Edit:

My first config, @Order(1):

    // @Order(1) configuration: HTTP Basic with an in-memory user for /api/data/**
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("admin").password("abc").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/api/data/**").hasRole("ADMIN")
                .and()
                .httpBasic()
                .and()
                .csrf().disable();
    }

It works, but when a request with correct credentials is made to /api/data/**, jwtAuthenticationFilter() is triggered as well.

1 answer:

Answer 0 (score: 0)

Implement an AuthenticationProvider class for custom authentication with username and password. Then use the authentication provider like so -

    @Autowired
    private AuthenticationProvider authenticationProvider;

    @Autowired
    @Override
    protected void configure(@NotNull AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(authenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requestMatchers()
                .antMatchers("/api/data/**")   // this filter chain applies only to /api/data/**
                .and()
                .authorizeRequests()
                .anyRequest().permitAll()
                .and()
                .csrf().disable()
                .formLogin().disable()         // disable() returns HttpSecurity, so no .and() follows it
                .authenticationProvider(authenticationProvider);
    }