WebSecurityConfigurer '方法:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable()
.exceptionHandling().authenticationEntryPoint(this.authEntryPoint).and()
.formLogin().disable()
.logout().permitAll()
.logoutSuccessHandler((new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK))).and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.authorizeRequests().antMatchers("/user/create", "/login", "/logout", "/user/token/refresh").permitAll().and()
.authorizeRequests().antMatchers("/tag/**").permitAll().and()
.authorizeRequests().antMatchers("/post/**").permitAll().and()
.authorizeRequests().antMatchers("/post/file/create", "/post/file/create").hasAnyRole("ROLE_USER", "ROLE_ADMIN")
.anyRequest().authenticated();
http.addFilter(new AuthenticationTokenFilter(
authenticationManagerBean(),
this.userService,
this.userMapper,
this.accessor,
this.secret,
this.claim,
this.accessTokenExpirationTimeMillis,
this.refreshTokenExpirationTimeMillis));
http.addFilterBefore(this.authorizationTokenFilter, UsernamePasswordAuthenticationFilter.class);
}正如您所看到的,我配置了某些路由以排除身份验证(例如“/tag/**”)。
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
if (request.getServletPath().equals("/login")
|| request.getServletPath().equals("/logout")
|| request.getServletPath().equals("/user/token/refresh")
|| request.getServletPath().equals("/user/create")
|| request.getServletPath().equals("/tag/")
|| request.getServletPath().matches("/post/[a-zA-Z0-9]{12}")
|| request.getServletPath().matches("/post/[a-zA-Z0-9]{12}/comments")) {
filterChain.doFilter(request, response);
} else {
// do authorization process
}
}当前的实现是通过检查servletPath来忽略给定OncePerRequestFilter中的某些路由。有没有其他方法可以从OncePerRequestFilter中排除某些API路由?因为每次添加新的自由身份验证路由时,我都必须在if语句中添加它们,这感觉不像是正确的做法。
1条答案
按热度按时间qgzx9mmu1#
使用不像这样的安全保护URI
或者将它们添加到数据库或其他存储库中并进行缓存