我有一个Spring Security配置,可以通过读取特定的标头值来“认证”用户。因此,使用RequestHeaderAuthenticationFilter():
private RequestHeaderAuthenticationFilter requestHeaderFilter() throws Exception {
RequestHeaderAuthenticationFilter authenticationFilter = new RequestHeaderAuthenticationFilter();
authenticationFilter.setPrincipalRequestHeader("user");
authenticationFilter.setAuthenticationManager(this.authenticationManager());
return authenticationFilter;
}
private static final String HEALTH_PATH_NOAUTH = "/actuator/health";
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers(HEALTH_PATH_NOAUTH);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.cors();
http.authorizeRequests().anyRequest().authenticated();
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.addFilter(requestHeaderFilter());
}
我需要从安全性中排除某些路径:“ / actuator / health” 首先,我尝试通过配置HttpSecurity来“ permitAll”:
http.authorizeRequests().antMatchers(HEALTH_PATH_NOAUTH).permitAll().anyRequest().authenticated();
但是,正如您在第一个清单中看到的那样,这既没有帮助也没有帮助覆盖“ WebSecurity”。 如果未设置标头,则RequestHeaderAuthenticationFilter总是抛出异常。我希望抛出此异常,但不希望出现此特定路径。
如何解决这个问题?
更新:我删除了“ bean”并将方法设为私有,但这没什么区别-web.ignoring().antMatchers(HEALTH_PATH_NOAUTH);应该起作用,无论任何过滤器显式添加或作为bean甚至两次添加-对吗?