我有一个只暴露REST API的Spring Boot应用程序.我需要保护它并且我使用基于令牌的方法 – 特别是JWT.
到目前为止,这是我实施的:
//
// The Spring Security configuration class
@EnableGlobalAuthentication
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(final HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/api/login", "/api/logout").permitAll()
.antMatchers("/api/**").authenticated()
.anyRequest().authenticated()
.and()
.addFilterBefore(new JwtFilter(), BasicAuthenticationFilter.class)
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}
//
// The JWT filter class to check for the token in the HTTP request (headers)
public final class JwtFilter extends GenericFilterBean {
private final Logger logger = LoggerFactory.getLogger(this.getClass());
@Override
public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws
IOException, ServletException {
final HttpServletRequest req = (HttpServletRequest)request;
final String header = req.getHeader("Authorization");
logger.debug("{} {}", req.getMethod(), req.getRequestURI());
if ((null == header) || !header.startsWith("Bearer ")) {
logger.debug("Missing or invalid Authorization header");
}
try {
// Check the token here; the implementation is not relevant here
/*SecurityContextHolder.getContext()
.setAuthentication(manager.authenticate(new JwtToken(JWTParser.parse(header.substring(7)))));*/
chain.doFilter(request, response);
} catch (final AuthenticationException e) {
SecurityContextHolder.clearContext();
// Do some other stuff here
} catch (final ParseException e) { /* ... */ }
}
}
问题是过滤器对每个URI都正确执行,但我希望能够从同一个集合中排除某些端点.我的API放在这个上下文/ api / *中,我想排除,例如/ api / login和/ api / logout.
注意:我的Spring Boot application.yml文件没有启用/修改任何安全相关功能的设置.
解决方法:
将对通过HttpSecurity配置的所有端点执行过滤器.如果您不希望对某些端点应用过滤器,请将它们包含在配置WebSecurity的方法中.例如,
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/api/login", "/api/logout");
}
有关详细信息,请阅读this post.
标签:java,spring-boot,spring-security
来源: https://codeday.me/bug/20190722/1503186.html