SpringSecurity过滤指定url【.antMatchers(***).permitAll()】失效问题
问题描述
在使用SpringSecurity作为后端验证框架时,遇到需要配置一些接口不做token验证、直接放行的情况,但是配置之后没有生效,一直在追究其原因。
项目配置
- 因为要进行登录认证,就放行了一部分url无需认证权限控制。
- 然后其他的所有url都需要进行认证权限控制。
- 配置代码如下:
下面是配置的忽略验证的路径(已经是修改后的配置):startWith 中配置的忽略路径 url 已经去掉了请求前缀 /todo。
server:
  tomcat:
    uri-encoding: UTF-8
    max-threads: 1000
    min-spare-threads: 30
    connection-timeout: 5000ms
  port: 8088
  servlet:
    # Every request to this application is prefixed with /todo. The matchers
    # below are compared with the path *after* this prefix, so they must not repeat it.
    context-path: /todo
security:
  oauth2:
    ignore:
      authentication:
        # Ant patterns that are served without authentication (permitAll()).
        # They are matched against the path inside the application, so the
        # context path is NOT part of them: "/oauth/**" matches, "/todo/oauth/**" never does.
        # Everything listed here is reachable by anyone; review the list before extending it.
        startWith: /oauth/**,/rsa/**,/open/**,/druid/**,/redis/deduct/**,/todoUser/singleLogin,/todoUser/mingleLogin
package com.cn.sharedframework.Config.oauth;
import com.cn.sharedframework.Oauth2.OauthUserDetailsService;
import com.cn.sharedframework.Oauth2.granter.MobileAuthenticationProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
/**
 * spring security配置类
 *
 * @author qianshijiang
 * @date 2021-12-01 16:06
 * @description:
 */
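@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebServerSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Static-resource and API-documentation paths that are excluded from the
     * security filter chain altogether (see {@link #configure(WebSecurity)}).
     * Anything listed here is served without authentication, so it should
     * contain only assets that are genuinely public.
     */
    private static final String[] IGNORED_RESOURCE_PATTERNS = {
            "/**/*.js",
            "/**/*.css",
            "/**/*.jpg",
            "/**/*.png",
            "/**/*.ico",
            "/**/*.gif",
            "/swagger-ui.html",
            "/webjars/**",
            "/v2/**",
            "/swagger-resources/**"
    };

    private static final String USAGE = "usage: WebServerSecurityConfig <secret-to-hash>";

    @Autowired
    private OauthUserDetailsService userDetailsService;

    @Autowired
    private SecurityOauth2Properties securityOauth2Properties;

    /**
     * Excludes static resources and the swagger endpoints from Spring Security.
     * <p>
     * {@code web.ignoring()} removes these paths from the filter chain completely:
     * no authentication, no authorization and no security headers are applied.
     * {@code /v2/**} and {@code /swagger-resources/**} publish the API description,
     * so confirm that is acceptable for the environments this config is deployed to.
     *
     * @param web the web security builder
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(IGNORED_RESOURCE_PATTERNS);
    }

    /**
     * Configures the HTTP authorization rules.
     * <ul>
     *   <li>The patterns from {@code security.oauth2.ignore.authentication.startWith}
     *       are open to everyone. They are matched against the servlet path, i.e.
     *       the part of the URL <em>after</em> the context path, so a pattern must be
     *       written as {@code /oauth/**}, never {@code /todo/oauth/**}; a pattern that
     *       includes the context path never matches and the endpoint stays protected.</li>
     *   <li>Every other request requires an authenticated principal.</li>
     *   <li>No HTTP session is ever created: each request must carry its own credentials.</li>
     *   <li>CSRF protection is disabled. That is only safe because authentication does
     *       not rely on a session cookie; if cookie-based login is ever added, re-enable it.</li>
     * </ul>
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // NOTE(review): assumes getStartWith() returns the comma-separated property
                // already split into one pattern per element; a single joined string would be
                // one pattern that matches nothing — confirm in SecurityOauth2Properties.
                .antMatchers(securityOauth2Properties.getStartWith()).permitAll()
                // everything else needs an authenticated principal (this is NOT "permit all")
                .anyRequest().authenticated()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .csrf().disable();
    }

    /**
     * Registers the custom {@code UserDetailsService} together with the BCrypt
     * password encoder, and adds the provider used for mobile verification-code login.
     *
     * @param authenticationManagerBuilder the authentication manager builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder
                .userDetailsService(userDetailsService)
                .passwordEncoder(passwordEncoder());
        // mobile verification-code login is handled by a dedicated AuthenticationProvider
        authenticationManagerBuilder.authenticationProvider(mobileAuthenticationProvider());
    }

    /**
     * Exposes the {@link AuthenticationManager} as a bean so the OAuth server
     * configuration can inject it.
     *
     * @return the authentication manager built by this configuration
     * @throws Exception propagated from the superclass
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Password encoder used for stored user passwords and OAuth client secrets.
     * BCrypt is a salted, adaptive hash, which is what credentials at rest require.
     *
     * @return a BCrypt password encoder
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Creates the {@code AuthenticationProvider} for mobile verification-code login.
     *
     * @return mobileAuthenticationProvider
     */
    @Bean
    public MobileAuthenticationProvider mobileAuthenticationProvider() {
        MobileAuthenticationProvider provider = new MobileAuthenticationProvider(this.userDetailsService);
        provider.setPasswordEncoder(passwordEncoder());
        return provider;
    }

    /**
     * Developer helper that prints the BCrypt hash of a secret (for example an
     * OAuth client secret) so the hash can be stored in configuration.
     * <p>
     * The secret is deliberately not hard-coded in this file: a literal secret
     * committed to source control is visible to everyone with repository access
     * and cannot be rotated without a code change. Pass it as the first argument,
     * or — preferably — type it at the prompt when a console is attached; the
     * prompt does not echo and keeps the value out of shell history.
     *
     * @param args optional: the secret to hash as {@code args[0]}
     */
    public static void main(String[] args) {
        char[] secret;
        if (args.length > 0) {
            secret = args[0].toCharArray();
        } else if (System.console() != null) {
            secret = System.console().readPassword("Secret to hash: ");
        } else {
            System.err.println(USAGE);
            return;
        }
        if (secret == null || secret.length == 0) {
            System.err.println(USAGE);
            return;
        }
        try {
            System.out.println(new BCryptPasswordEncoder().encode(new String(secret)));
        } finally {
            // do not keep the plaintext in memory longer than necessary
            Arrays.fill(secret, '\0');
        }
    }
}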
- 用 Postman 测试接口时发现如下提示
这个问题困扰了很久,最终找到了解决方案。
- 在网上找了大量资料后发现,SpringSecurity 认证忽略的 url 是不能包含 context 前缀的,否则匹配不上(antMatchers 匹配的是去掉 context-path 之后的请求路径)。
- SpringSecurity认证忽略的url是不能包含context前缀的,否则匹配不上。
- SpringSecurity认证忽略的url是不能包含context前缀的,否则匹配不上。