尽管web.ignoring()。antMatchers(),为什么我的过滤器仍在此端点上被调用?

时间:2018-01-26 05:56:43

标签: java spring spring-boot spring-security spring-boot-actuator

我想要在没有运行身份验证过滤器的情况下离开(GetMapping( "/testendpoint" ))端点。但无论我做什么,它仍然会调用过滤器并将其拒绝为401,因为标题中没有Jwt。

注意:它只调用一次过滤器。

如何使其不安全并防止其调用过滤器?

@EnableWebSecurity
@Import( { Config.class } )
@EnableConfigurationProperties( { JwtProperties.class } )
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
    @Autowired
    private JwtProperties jwtProperties;

    @Override
    public void configure(WebSecurity web) throws Exception
    {
        web.ignoring()
            .antMatchers( "/swagger-ui.html" ) //This goes through without security
            .antMatchers( "/metrics" ) //This calls the filter
            .antMatchers( "/testendpoint" ); //This calls the filter
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        JWTAuthenticationFilter jwtAuthenticationFilter = new JWTAuthenticationFilter( jwtProperties );
        ExceptionHandlerFilter exceptionHandlerFilter = new ExceptionHandlerFilter();
        http.csrf().disable().authorizeRequests()
            .antMatchers( "/" ).permitAll()
            .antMatchers( "/testendpoint" ).permitAll() //Doesn't stop the filter
            .and()
            .addFilterAfter( jwtAuthenticationFilter, BasicAuthenticationFilter.class )
            .addFilterBefore( exceptionHandlerFilter, JWTAuthenticationFilter.class );
            /* Adding the below also did not work
            .authorizeRequests()
            .antMatchers( "/testendpoint/**" ).permitAll();
            */
    }
}

我的终点是执行器终点:

@Configuration
@ManagementContextConfiguration
@CacheController
public class TestController extends AbstractMvcEndpoint
{
    @GetMapping( value = "/testendpoint", produces = MediaType.APPLICATION_JSON_UTF8_VALUE )
    public String getSomething(HttpServletRequest request) throws Exception
    {
        return "hello";
    }
}

1 个答案:

答案 0 :(得分:0)

如果您有在测试期间使用的端点,只需将其放在src/test/java而不是src/main/java。这样,它将仅在测试阶段自动装配,并且不会出现在生产代码中。

这样您就可以跳过生产弹簧安全配置中的忽略配置。