我们有一个API服务,其中公开了多个API,并且有多个角色可以访问我们的服务。
我试图为每种身份验证类型设置 AuthenticationWebFilter ,并使用Pathmatchers进行配置,尽管它已通过正确的身份验证Web过滤器进行了身份验证,但请求仍在其他身份验证过滤器中流动,并结束结果为unauthorized
。
配置摘要:
public class Configuration {
@Bean
@Order(1)
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity httpSecurity,
@Qualifier("userCreationFilter")
AuthenticationWebFilter userCreationFilter) {
final String[] WHITELISTED_URLS = {"/**.json",
"/users/verify",
"/users/permit",
"/sessions",
"/internal/xxxxx/**",
"/**.html",
"/**.js",
"/**.yaml",
"/**.css",
"/**.png"};
httpSecurity.authorizeExchange().pathMatchers(WHITELISTED_URLS).permitAll();
httpSecurity.addFilterBefore(userCreationFilter, SecurityWebFiltersOrder.AUTHENTICATION)
.authorizeExchange()
.pathMatchers("/users")
.authenticated();
httpSecurity.httpBasic().disable().formLogin().disable().csrf().disable().logout().disable();
return httpSecurity.build();
}
@Bean
@Order(2)
public SecurityWebFilterChain securityWebFilterChain2(ServerHttpSecurity httpSecurity,
@Qualifier("managerFilter")
AuthenticationWebFilter managerFilter) {
httpSecurity.addFilterBefore(managerFilter, SecurityWebFiltersOrder.AUTHENTICATION)
.authorizeExchange()
.pathMatchers("/xxxxx/**",
"/providers",
"/xxxxx/**/approve",
"/xxxx/**/xxxxx").authenticated();
return httpSecurity.build();
}
}
目前,我们没有这样的角色。
我尝试将所有配置保留在单个SecurityWebFilterChain Bean中,并尝试使用addWebFilterAt,但是没有运气。
我想念什么?我应该用其他方式吗?