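I am trying to configure a custom authentication filter for JWT tokens in a configuration class that extends WebSecurityConfigurerAdapter.
My current configuration looks like this: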
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilterBefore(authenticationFilter(), BasicAuthenticationFilter.class)
            .authenticationProvider(provider())
            .authorizeRequests()
                .antMatchers("/register**").permitAll()
                .antMatchers("/login*").permitAll()
                .antMatchers(HttpMethod.GET, "/api/books**").permitAll()
                .antMatchers(HttpMethod.PUT, "/api/books**").authenticated()
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
authenticationFilter() returns an instance of my JWTAuthenticationFilter.
JWTAuthenticationFilter extends AbstractAuthenticationProcessingFilter.
What I don't get is that the requiresAuthentication method of AbstractAuthenticationProcessingFilter only checks the request path against the supplied requiresAuthenticationRequestMatcher.
    protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
        return this.requiresAuthenticationRequestMatcher.matches(request);
    }
requiresAuthenticationRequestMatcher is a constructor parameter of AbstractAuthenticationProcessingFilter. Now, overriding the requiresAuthentication method and specifying the relevant paths there is not a big deal, but I feel the proper place for them should be my configuration class. My question is:
What is the point of

    .addFilterBefore(authenticationFilter(), BasicAuthenticationFilter.class)
    .authenticationProvider(provider())
    .authorizeRequests()
        .antMatchers("/register**").permitAll()
        .antMatchers("/login*").permitAll()
        .antMatchers(HttpMethod.GET, "/api/books**").permitAll()
        .antMatchers(HttpMethod.PUT, "/api/books**").authenticated()

if I have to implement "requiresAuthentication" anyway? Have I misconfigured something, or, when using custom authentication filters, should the relevant paths always be defined in the filter?
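
An added example, not part of the original post or the poster's code: one way to keep the paths in the configuration class is to declare a single RequestMatcher there, pass it to the filter's constructor, and reuse it in the access rule. `SecurityConfig`, `JwtFilter`, `PROTECTED` and the injected `AuthenticationProvider` bean are assumptions, and the provider is assumed to validate the JWT carried in a `PreAuthenticatedAuthenticationToken`.

```java
import javax.servlet.*;
import javax.servlet.http.*;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.*;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.util.matcher.*;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // Declared once in the config: drives both the filter and the access rule.
    static final RequestMatcher PROTECTED = new AntPathRequestMatcher("/api/books**", "PUT");
    private final AuthenticationProvider provider; // assumed: the bean behind the question's provider()
    public SecurityConfig(AuthenticationProvider provider) { this.provider = provider; }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        JwtFilter filter = new JwtFilter(PROTECTED);
        filter.setAuthenticationManager(new ProviderManager(java.util.Collections.singletonList(provider)));
        http.addFilterBefore(filter, BasicAuthenticationFilter.class)
            .authorizeRequests()
                .antMatchers("/register**", "/login*").permitAll()
                .antMatchers(HttpMethod.GET, "/api/books**").permitAll()
                .requestMatchers(PROTECTED).authenticated()
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
    // Hypothetical stand-in for JWTAuthenticationFilter: extracts the token, the provider validates it.
    static class JwtFilter extends AbstractAuthenticationProcessingFilter {
        JwtFilter(RequestMatcher paths) { super(paths); }
        @Override
        public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res) {
            String h = req.getHeader("Authorization");
            if (h == null || !h.startsWith("Bearer ")) throw new BadCredentialsException("missing bearer token");
            String token = h.substring(7);
            return getAuthenticationManager().authenticate(new PreAuthenticatedAuthenticationToken(token, token));
        }
        @Override
        protected void successfulAuthentication(HttpServletRequest req, HttpServletResponse res,
                FilterChain chain, Authentication auth) throws java.io.IOException, ServletException {
            SecurityContextHolder.getContext().setAuthentication(auth);
            chain.doFilter(req, res); // stateless API: continue to the handler instead of redirecting
        }
    }
}
```

The filter's matcher only decides which requests the filter tries to authenticate, while `authorizeRequests()` decides which requests require an authenticated user, so both need to cover the same paths. Sharing one matcher keeps a `permitAll()` path from being rejected by the filter for lacking a token.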