JWTAuthorizationFilter同时适用于两个安全配置antMatchers

时间:2018-12-11 11:27:10

标签: spring spring-boot spring-security

我正在使用多个安全配置类

 @Configuration
    @EnableWebSecurity
    @Slf4j
    public class SecurityConfig {

@Configuration
@Order(2)
public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {

@Bean
public UserDetailsService userDetailsService() {
    return new CustomUserDetailsService();
}

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}


@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService()).passwordEncoder(passwordEncoder());
}


@Autowired
private LoggingAccessDeniedHandler accessDeniedHandler;

// @formatter:off

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/", "/login", "/logout" , "/user/forgot-pwd" , "/user/forgot-pwd/success" ,"/swagger-ui.html").permitAll()
            .antMatchers("/css/**", "/js/**", "/images/**", "/favicon.ico", "/webjars/**", "/vendor/**", "/error/**").permitAll()
            .anyRequest().fullyAuthenticated()
            .and()
                .formLogin()
                    .loginProcessingUrl("/authenticate")
                    .loginPage("/login")
                    .defaultSuccessUrl("/studylist")
                    .failureUrl("/login?error=true")
                    .usernameParameter("username")
                    .passwordParameter("password")
            .and()
                .logout()
                    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                    .logoutSuccessUrl("/login?logout=true")
                    .invalidateHttpSession(true)
                    .clearAuthentication(true)
                    .deleteCookies("JSESSIONID")
            .and()
                .exceptionHandling()
                    .accessDeniedHandler(accessDeniedHandler)
            .and()
                .csrf()
            .and()
                .sessionManagement()
                    .invalidSessionUrl("/login")
                    .sessionAuthenticationErrorUrl("/login")
            .and()
                .headers()
                    .frameOptions()
                    .sameOrigin();
}



    // @formatter:on

    }

    @Configuration
@Order(1)
public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {


        http.antMatcher("/api/**").addFilter(jWTAuthorizationFilter()).httpBasic();


    }

    @Bean
    public JWTAuthorizationFilter jWTAuthorizationFilter() {

        JWTAuthorizationFilter filter = null;
        try {
            filter = new JWTAuthorizationFilter(authenticationManager());
        } catch (Exception e) {
            e.printStackTrace();
        }

        return filter;
    }


}

我只想将JWTAuthorizationFilter应用于RestSecurityConfig中存在的URL / api / **。但是在上述情况下,它也适用于WebSecurityConfig中存在的所有antMatcher。如何避免呢?

注意:
1)我也尝试过使用FilterRegistrationBean并将其禁用为false,但是我面临着同样的问题。我已经引用了该链接,其中说使用FilterRegistrationBean。

http://blog.florian-hopf.de/2017/08/spring-security.html

2)我正在使用硬编码令牌,这就是为什么我没有在RestSecurityConfig中添加任何身份验证筛选器的原因。

我想念什么?

先谢谢了!!!!

0 个答案:

没有答案
相关问题
最新问题