SpringSecurity过滤指定url【.antMatchers(***).permitAll()】失效问题

SpringSecurity过滤指定url【.antMatchers(***).permitAll()】失效问题

问题描述

在使用SpringSecurity作为后端验证框架时，遇到配置一些接口不需要token验证，直接放行，但是配置之后没有生效，一直究其原因。

项目配置

1. 因为要进行登录认证，就放行了一部分url无需认证权限控制。
2. 然后其他的所有url都需要进行认证权限控制。
3. 配置代码如下：
   配置的忽略验证的路径，下面是已经修改后的配置，startWith配置的忽略路径url去除配置的请求前缀/todo

server:
  tomcat:
    uri-encoding: UTF-8
    max-threads: 1000
    min-spare-threads: 30
    connection-timeout: 5000ms
  port: 8088
  servlet:
    context-path: /todo
security:
  oauth2:
    ignore:
      authentication:
        startWith: /oauth/**,/rsa/**,/open/**,/druid/**,/redis/deduct/**,/todoUser/singleLogin,/todoUser/mingleLogin

package com.cn.sharedframework.Config.oauth;

import com.cn.sharedframework.Oauth2.OauthUserDetailsService;
import com.cn.sharedframework.Oauth2.granter.MobileAuthenticationProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

import java.util.ArrayList;
import java.util.List;

/**
 - spring security配置类
 -  3. @author qianshijiang
 - @date 2021-12-01 16:06
 - @description:
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebServerSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private OauthUserDetailsService userDetailsService;

    @Autowired
    private SecurityOauth2Properties securityOauth2Properties;

    // 忽略一些静态资源
    @Override
    public void configure(WebSecurity web) throws Exception {
        List<String> ignoreUrlList = new ArrayList<>();
        ignoreUrlList.add("/**/*.js");
        ignoreUrlList.add("/**/*.css");
        ignoreUrlList.add("/**/*.jpg");
        ignoreUrlList.add("/**/*.png");
        ignoreUrlList.add("/**/*.ico");
        ignoreUrlList.add("/**/*.gif");
        ignoreUrlList.add("/swagger-ui.html");
        ignoreUrlList.add("/webjars/**");
        ignoreUrlList.add("/v2/**");
        ignoreUrlList.add("/swagger-resources/**");
        String[] ignoreUrls = ignoreUrlList.toArray(new String[ignoreUrlList.size()]);
        web.ignoring().antMatchers(ignoreUrls);
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers(securityOauth2Properties.getStartWith()).permitAll()
            .anyRequest().authenticated() // 这里将其他所有的请求都放行，交给Oauth去处理
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().csrf().disable();
    }

    /**
     * 注入自定义的userDetailsService实现，获取用户信息，设置密码加密方式
     *
     * @param authenticationManagerBuilder
     * @throws Exception
     */
    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder
                .userDetailsService(userDetailsService)
                .passwordEncoder(passwordEncoder());
        // 设置手机验证码登陆的AuthenticationProvider
        authenticationManagerBuilder.authenticationProvider(mobileAuthenticationProvider());
    }

    /**
     * 将 AuthenticationManager 注册为 bean , 方便配置 oauth server 的时候使用
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * 创建手机验证码登陆的AuthenticationProvider
     *
     * @return mobileAuthenticationProvider
     */
    @Bean
    public MobileAuthenticationProvider mobileAuthenticationProvider() {
        MobileAuthenticationProvider mobileAuthenticationProvider = new MobileAuthenticationProvider(this.userDetailsService);
        mobileAuthenticationProvider.setPasswordEncoder(passwordEncoder());
        return mobileAuthenticationProvider;
    }

    public static void main(String[] args){
        BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();
        System.out.println(bCryptPasswordEncoder.encode("todo-server-secret-key"));
    }
}

• Postmain测试接口发现如下提示
  

发现问题一直困扰，最终找到解决方案。

• 在网上找了大量资料发现，SpringSecurity认证忽略的url是不能包含context前缀的，否则匹配不上。
• SpringSecurity认证忽略的url是不能包含context前缀的，否则匹配不上。
• SpringSecurity认证忽略的url是不能包含context前缀的，否则匹配不上。