如何使用 jwt 为用户名和密码配置 webSecurity？

Question

我想配置服务器以使用 JWT 使用用户名和密码进行身份验证。我想只允许公开允许 sign-up 端点，其他端点需要登录。但显然注册端点仍然进入 JWTAuthenticationFilter 并返回 200 没有任何操作. 对于其余端点，它返回 403，而我期望 401。 下面是httpSecurity的配置：

private static final String SIGN_UP_URL = "/users/sign-up";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable().authorizeRequests()
                .antMatchers(HttpMethod.POST, SIGN_UP_URL).permitAll()
                .anyRequest().authenticated()
                .and()
                .addFilter(new JWTAuthenticationFilter(authenticationManager()))
                .addFilter(new JWTAuthorizationFilter(authenticationManager()))
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

JWTAuthenticationFilter 扩展了 UsernamePasswordAuthenticationFilter
JWTAuthorizationFilter 扩展了 BasicAuthenticationFilter

编辑：这就是我的发布请求的样子：

@PostMapping("/sign-up")
    public ResponseEntity<AddUserResult> signUp(@RequestBody AddUserCommand command) {
        return new ResponseEntity<>(bus.executeCommand(command), HttpStatus.CREATED);
    }

Answer 1

您可以尝试以下方法，只需提及您希望在不进行身份验证的情况下加载的注册或登录 URL。在这种情况下，您无需任何身份验证即可访问该 URL。

同样在Controller方法中，如果不提@PreAuthorize注解就好了

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests().antMatchers("/auth/login").permitAll()
                .anyRequest().authenticated();

        http.csrf().disable();

        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        http.addFilterBefore(new JwtTokenFilter(userDetailsService), UsernamePasswordAuthenticationFilter.class);

    }

    @PostMapping(value = "/signup")
    public User signup(@RequestBody @Valid SignUpRequest signUpRequest) {
        return userService.signup(signUpRequest)
                .orElseThrow(() -> new HttpServerErrorException(HttpStatus.BAD_REQUEST, "User Already Exists"));
    }