How to skip OncePerRequestFilter for specific APIs

Time: 2018-12-31 06:31:04

Tags: java spring-boot spring-security spring-security-rest

I created a custom filter, AuthenticationTokenFilter, for token authentication, which extends OncePerRequestFilter. In SecurityConfig I configured some APIs as whitelisted APIs, and for these whitelisted APIs I am trying to bypass AuthenticationTokenFilter.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.BASIC_AUTH_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Custom token filter (extends OncePerRequestFilter), provided as a Spring bean
    @Autowired
    private AuthenticationTokenFilter authenticationTokenFilter;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests()
                .regexMatchers("^(?!/webjars/).*",
                        "^(?!/swagger-resources/).*",
                        "^(?!/swagger-ui.html).*").permitAll()
                .antMatchers("/healthcheck/ping",
                        "/user" + ApiMapper.SIGN_IN_API,
                        "/user" + ApiMapper.FORGET_PASSWORD,
                        "/user" + ApiMapper.SIGN_OUT_API,
                        ApiMapper.SWAGGER_RESOURCE,
                        ApiMapper.FAVICON_ICO,
                        ApiMapper.APP_ENDPOINTS).permitAll()
                .anyRequest().authenticated()
                .and()
                // If user isn't authorised to access a path...
                .exceptionHandling()
                // ...redirect them to /403
                .accessDeniedPage("/403")
                .and()
                .anonymous().disable();

        // Run the token filter ahead of HTTP Basic within the Spring Security chain
        http.addFilterBefore(authenticationTokenFilter, BasicAuthenticationFilter.class);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {

        // Requests matching these patterns bypass the Spring Security filter chain entirely
        web.ignoring()
                .regexMatchers("^(?!/webjars/).*")
                .regexMatchers("^(?!/swagger-resources/).*")
                .regexMatchers("^(?!/swagger-ui.html/).*")
                .antMatchers("/healthcheck/ping",
                        "/user" + ApiMapper.SIGN_IN_API,
                        "/user" + ApiMapper.FORGET_PASSWORD,
                        "/user" + ApiMapper.SIGN_OUT_API,
                        ApiMapper.SWAGGER_RESOURCE + "/.*",
                        ApiMapper.FAVICON_ICO,
                        ApiMapper.APP_ENDPOINTS);
    }
}

I found a similar answer here, but I have already ignored these paths in the WebSecurity configuration. So why do I need to write the same thing again at the Filter level?

Where am I going wrong, or am I in the wrong context?
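As an added example (not code from the question or its author): a OncePerRequestFilter that skips the whitelisted paths itself through shouldNotFilter(), together with a FilterRegistrationBean that stops Spring Boot from also running the same bean as a plain container filter outside the Spring Security chain. The whitelist paths and the TokenFilterRegistration class name are assumptions standing in for the question's ApiMapper constants.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class AuthenticationTokenFilter extends OncePerRequestFilter {
    // Hypothetical whitelist (the question builds its own from ApiMapper constants);
    // positive Ant patterns that list exactly the public endpoints and nothing more.
    private static final String[] WHITELIST = {
            "/healthcheck/ping", "/user/sign-in", "/user/forget-password", "/user/sign-out",
            "/swagger-resources/**", "/swagger-ui.html", "/webjars/**", "/favicon.ico"};
    private final AntPathMatcher matcher = new AntPathMatcher();

    // OncePerRequestFilter calls this before doFilterInternal; true means "skip this request".
    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        for (String pattern : WHITELIST) if (matcher.match(pattern, path)) return true;
        return false;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED); // fail closed on protected paths
            return;
        }
        chain.doFilter(req, res); // token validation and SecurityContext setup go here (app specific)
    }
}

// Spring Boot also registers every Filter bean directly with the servlet container, so the filter
// would otherwise run for every request, including ones web.ignoring() excludes from Spring
// Security. Disabling that registration keeps it inside the security chain only.
@Configuration
class TokenFilterRegistration {
    @Bean
    FilterRegistrationBean<AuthenticationTokenFilter> registration(AuthenticationTokenFilter filter) {
        FilterRegistrationBean<AuthenticationTokenFilter> reg = new FilterRegistrationBean<>(filter);
        reg.setEnabled(false);
        return reg;
    }
}
```

Two checks worth making alongside this: a negative-lookahead pattern such as ^(?!/webjars/).* matches every path except those under /webjars/, so used in web.ignoring() it excludes almost the whole application from Spring Security rather than just the static resources; and keeping the filter inside the security chain means FilterChainProxy's StrictHttpFirewall has already rejected un-normalized request paths before shouldNotFilter() compares them against the whitelist.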

0 answers:

No answers