我想要在没有运行身份验证过滤器的情况下离开(GetMapping( "/testendpoint" ))端点。但无论我做什么,它仍然会调用过滤器并将其拒绝为401,因为标题中没有Jwt。
注意:它只调用一次过滤器。
如何使其不安全并防止其调用过滤器?
@EnableWebSecurity
@Import( { Config.class } )
@EnableConfigurationProperties( { JwtProperties.class } )
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
@Autowired
private JwtProperties jwtProperties;
@Override
public void configure(WebSecurity web) throws Exception
{
web.ignoring()
.antMatchers( "/swagger-ui.html" ) //This goes through without security
.antMatchers( "/metrics" ) //This calls the filter
.antMatchers( "/testendpoint" ); //This calls the filter
}
@Override
protected void configure(HttpSecurity http) throws Exception
{
JWTAuthenticationFilter jwtAuthenticationFilter = new JWTAuthenticationFilter( jwtProperties );
ExceptionHandlerFilter exceptionHandlerFilter = new ExceptionHandlerFilter();
http.csrf().disable().authorizeRequests()
.antMatchers( "/" ).permitAll()
.antMatchers( "/testendpoint" ).permitAll() //Doesn't stop the filter
.and()
.addFilterAfter( jwtAuthenticationFilter, BasicAuthenticationFilter.class )
.addFilterBefore( exceptionHandlerFilter, JWTAuthenticationFilter.class );
/* Adding the below also did not work
.authorizeRequests()
.antMatchers( "/testendpoint/**" ).permitAll();
*/
}
}
我的终点是执行器终点:
@Configuration
@ManagementContextConfiguration
@CacheController
public class TestController extends AbstractMvcEndpoint
{
@GetMapping( value = "/testendpoint", produces = MediaType.APPLICATION_JSON_UTF8_VALUE )
public String getSomething(HttpServletRequest request) throws Exception
{
return "hello";
}
}
答案 0 :(得分:0)
如果您有在测试期间使用的端点,只需将其放在src/test/java而不是src/main/java。这样,它将仅在测试阶段自动装配,并且不会出现在生产代码中。
这样您就可以跳过生产弹簧安全配置中的忽略配置。