You are asking Spring Security to ignore Ant(xx) This is not recommended, please use permitAll... 处理

in illusion.

已于 2022-04-07 16:31:36 修改

阅读量1.4w

点赞数 6

分类专栏： Spring Security 文章标签： spring spring boot 后端 web安全

于 2022-04-07 16:22:24 首次发布

本文链接：https://blog.csdn.net/Z_Li_Vic/article/details/124018058

版权

Spring Security 专栏收录该内容

1 篇文章

订阅专栏

Spring Security之ignore not recommended 警告的处理

启动springboot项目时，出现一个warning：
You are asking Spring Security to ignore Ant(xxx) This is not recommended – please use permitAll via HttpSecurity#authorizeHttpRequests instead.

经查，是在Spring Security configuration类中，写了如下代码：

    @Override
    public void configure(WebSecurity web) throws Exception {
       web
                .ignoring().antMatchers("/js/**","/css/**","/jQuery/**","/images/**","/icon/**","/file/**");  
    }

此段代码是一开始配置spring security时，为了解决静态资源（js/css/图片等）被拦截器拦截的问题写的，也是网上搜索出来的标准答案。由warning提示可见，当前版本，这种配置形式已经不再推荐了。（deprecated？）

当前推荐的，应当写在HttpSecurity的配置里，即：

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .addFilterBefore(normalAuthenticationProcessingFilter(), AbstractPreAuthenticatedProcessingFilter.class) //注册用于普通登录请求的过滤器
                .authorizeRequests()
                .antMatchers(
                        "/about","/login/**","/login","/error",                                 //排除不需spring security验证的页面
                        "/js/**","/css/**","/jQuery/**","/images/**","/icon/**","/file/**").permitAll()    //解决静态资源被拦截的问题(新，写在这里)
                .anyRequest().fullyAuthenticated()  //若要给应用程序发送请求，则发送请求的用户必须先通过认证

                .and()
                ...