Spring Security permitAll 不适用于某些端点

【问题标题】:Spring Security's permitAll doesn't work for certain endpointsSpring Security permitAll 不适用于某些端点
【发布时间】:2019-03-08 22:56:53
【问题描述】:

我有

@Configuration
@EnableWebSecurity

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/api/v1/account/import").permitAll()
                .anyRequest().authenticated()
                .and()
            .addFilterBefore(new JWTAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    }

我希望所有用户都可以访问/api/v1/account/import 而无需任何 JWT 令牌检查。对于所有其他端点,我希望在 JWTAuthenticationFilter 类中进行 JWT 令牌检查。我尝试了许多不同的场景,但都失败了。我总是联系JWTAuthenticationFilter。如果我去/api/v1/account/import,我不想去JWTAuthenticationFilter

我的控制器:

@RestController
@RequestMapping(value = "/api/v1/account")
public class AccountController {

    private final AccountService accountService;

    public AccountController(final AccountService accountService) {
        this.accountService = accountService;
    }

    @PostMapping(path = "/import")
    @ResponseStatus(HttpStatus.ACCEPTED)
    public String importAccount(@Valid @RequestBody final ImportAccountDto importAccountDto) {
        return this.accountService.importAccount(importAccountDto);
    }

我的 JWT 过滤器:

public class JWTAuthenticationFilter extends GenericFilterBean {

    @Override
    public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain filterChain) throws IOException, ServletException {

        final HttpServletRequest request = (HttpServletRequest) req;
        final HttpServletResponse response = (HttpServletResponse) res;
        final String token = request.getHeader("Authorization");

        final JJWTService jjwtService = new JJWTService();

        if (token == null || !jjwtService.parseJWTToken(token)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else {
            filterChain.doFilter(req, res);
        }
    }

我的测试:

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class AccountIT {

    @Autowired
    MockMvc mockMvc;

    @Autowired
    private AccountRepository accountRepository;

    @Test
    public void importAccount() throws Exception {

        this.mockMvc.perform(post("/api/v1/account/import")
                .contentType(MediaType.APPLICATION_JSON)
                .content(toJson(importAccountDto)))
                .andExpect(status().isAccepted())
                .andReturn();
    }

【问题讨论】:

    标签: java spring-mvc spring-security jwt


    【解决方案1】:

    试试这个

    if (!request.getRequestURI().contains("/api/v1/account/import")) {
    final JJWTService jjwtService = new JJWTService();

    if (token == null || !jjwtService.parseJWTToken(token)) {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    } else {
        filterChain.doFilter(req, res);
    }
}

    【讨论】:

      猜你喜欢
      • 2020-08-21
      • 2019-04-26
      • 1970-01-01
      • 2021-01-20
      • 2016-02-16
      • 2022-12-05
      • 1970-01-01
      • 2019-03-10
      • 2021-05-05
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode