弹簧安全根本不起作用

时间:2018-05-21 12:57:31

标签: spring spring-boot spring-security kotlin

我有以下配置:

@Configuration
@EnableWebSecurity
class SignInSecurityConfig(
        val authenticationEntryPoint: AppAuthenticationEntryPoint
) : WebSecurityConfigurerAdapter() {

    override fun configure(http: HttpSecurity) {
        http.cors().and().csrf().disable()
                .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint)
                .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                .antMatchers("/sign_in", "/users/sign_up").permitAll()
                .anyRequest().authenticated()

        http.addFilterBefore(JwtAuthorizationFilter(), UsernamePasswordAuthenticationFilter::class.java)
    }
}

目前,JwtAuthorizationFilter只是记录一些信息并调用chain.doFilter

现在,一些有趣的事情正在发生:

1)当我致电/users/sign_up注册过程被触发时,尝试注册用户,如果成功,则返回201,如果不成功,则返回401而不是500 (在我的情况下,我想要返回500)

2)当我致电/sign_in时,我只是得到401,没有错误,没有记录,没有。

3)JwtAuthorizationFilter虽然位于过滤器列表中,但从不会被调用。

4)过滤器链看起来很奇怪:

2018-05-21 14:58:22.318  INFO 2339 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: Ant [pattern='/users/sign_up'], []
2018-05-21 14:58:22.484  INFO 2339 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@46b2cadf, org.springframework.security.web.context.SecurityContextPersistenceFilter@e41e9a9, org.springframework.security.web.header.HeaderWriterFilter@733dea73, org.springframework.security.web.csrf.CsrfFilter@59140203, org.springframework.security.web.authentication.logout.LogoutFilter@6e8e5936, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@52fb6fa5, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@497c75f3, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@10a4663e, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@2cfbcfd6, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@5aa01db1, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@fe39081, org.springframework.security.web.session.SessionManagementFilter@47da14ce, org.springframework.security.web.access.ExceptionTranslationFilter@376d0f3a, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@797b0e0c]

为什么会发生这种情况?

我正在使用Spring Boot 2.0.2和默认依赖版本

1 个答案:

答案 0 :(得分:0)

尝试

.antMatchers(HttpMethod.GET,"/sign_in").permitAll().and()
.antMatchers(HttpMethod.GET, "/users/sign_up").permitAll().and()
.anyRequest().authenticated()