+-

我对 Spring Security的配置http.anyRequest().authenticated()的理解是,任何请求都必须经过身份验证,否则我的Spring应用程序将返回401响应.
不幸的是,我的spring应用程序没有这种行为,但是允许未经身份验证的请求通过.
这是我的春季安全配置:
@Configuration
@Order(1)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private AuthenticationTokenFilter authenticationTokenFilter;
@Autowired
private TokenAuthenticationProvider tokenAuthenticationProvider;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilterBefore(authenticationTokenFilter, BasicAuthenticationFilter.class)
.antMatcher("/*")
.authenticationProvider(tokenAuthenticationProvider)
.authorizeRequests()
.anyRequest().authenticated();
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers("/index.html")
.antMatchers("/error")
.antMatchers("/swagger-ui.html")
.antMatchers("/swagger-resources");
}
}
AuthenticationTokenFilter从请求中获取JWT令牌,检查其有效性,从中创建Authentication,然后在SecurityContextHolder中设置身份验证.如果未提供令牌,则SecurityContextHolder.getContext().getAuthentication()保持为空.
我的控制器如下所示:
@RestController
@RequestMapping("/reports")
@Slf4j
public class ReportController {
@RequestMapping()
@ResponseBody
public List<String> getIds() {
log.info(SecurityContextHolder.getContext().getAuthentication());
return Collections.emptyList();
}
}
当对没有令牌的端点运行curl请求时,我只是得到一个有效的响应:
-> curl 'localhost:8080/reports/'
[]
调试时,我可以看到SecurityContextHolder.getContext().getAuthentication()为null.
有任何想法吗?
最佳答案
它实际上按预期方式工作,这是由于您如何编写配置.
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilterBefore(authenticationTokenFilter, BasicAuthenticationFilter.class)
.antMatcher("/*")
.authenticationProvider(tokenAuthenticationProvider)
.authorizeRequests()
.anyRequest().authenticated();
}
这是您自己的配置,另外还有一些缩进.当您在此处编写antMatcher时,这意味着antMatcher之后的所有内容均适用于其中写入的路径/表达式(请参见Javadoc AntPathMatcher.
现在,您已经编写了/ *,这适用于/ reports,但不适用于/ reports /(是的,持续很重要!).
您可能打算写的是
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilterBefore(authenticationTokenFilter, BasicAuthenticationFilter.class)
.antMatcher("/**")
.authenticationProvider(tokenAuthenticationProvider)
.authorizeRequests()
.anyRequest().authenticated();
}
注意/ **而不是/ *.但是,这基本上与省略antMatcher并简单地编写相同
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilterBefore(authenticationTokenFilter, BasicAuthenticationFilter.class)
.authenticationProvider(tokenAuthenticationProvider)
.authorizeRequests()
.anyRequest().authenticated();
}
点击查看更多相关文章
转载注明原文:春季安全配置anyRequest().authenticated()无法按预期工作 - 乐贴网