I have a Spring SecurityConfiguration defined like this:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.CorsConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {
    private final CustomAuthenticationProvider customAuthenticationProvider;

    @Autowired
    public SecurityConfiguration(CustomAuthenticationProvider customAuthenticationProvider) {
        this.customAuthenticationProvider = customAuthenticationProvider;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .cors(CorsConfigurer::disable) // Disable CORS
            .csrf().disable()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // no HTTP session: every request must carry its own credentials
            .and()
            .authenticationProvider(customAuthenticationProvider)
            .authorizeHttpRequests(authorizeRequests -> authorizeRequests
                .requestMatchers(HttpMethod.GET, "/health", "/public/**").permitAll()
                .requestMatchers("/api/**", "/events/**", "/competition/**").authenticated()
            )
            .httpBasic(); // Basic credentials are resolved through the provider registered above
        return http.build();
    }
}
Requests under /static and /public are correctly permitted, but any request under /events, /api or /competition hits the AnonymousAuthenticationFilter.
Here is the log for a request to /events/1:
20:05:06.483 [http-nio-8080-exec-8] DEBUG o.s.security.web.FilterChainProxy - Securing GET /events/1
20:05:06.483 [http-nio-8080-exec-8] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Set SecurityContextHolder to anonymous SecurityContext
20:05:06.484 [http-nio-8080-exec-8] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to com.pr.golf.golfapp.controller.EventsController#getEvent(Long)
20:05:06.486 [http-nio-8080-exec-8] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to com.pr.golf.golfapp.controller.EventsController#getEvent(Long)
20:05:06.487 [http-nio-8080-exec-8] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to com.pr.golf.golfapp.controller.EventsController#getEvent(Long)
20:05:06.488 [http-nio-8080-exec-8] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to com.pr.golf.golfapp.controller.EventsController#getEvent(Long)
20:05:06.490 [http-nio-8080-exec-8] DEBUG o.s.security.web.FilterChainProxy - Securing GET /error
20:05:06.491 [http-nio-8080-exec-8] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
20:05:06.492 [http-nio-8080-exec-8] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
20:05:06.493 [http-nio-8080-exec-8] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
20:05:06.495 [http-nio-8080-exec-8] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
20:05:06.498 [http-nio-8080-exec-8] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
20:05:06.498 [http-nio-8080-exec-8] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Set SecurityContextHolder to anonymous SecurityContext
1 answer
By using the code below, I was able to achieve it without explicitly configuring an authentication mechanism/protocol for the custom provider.
This way, once I have decided which type of authentication to perform, I can set the authentication on the SecurityContextHolder. It also guarantees that whatever web client I use and whatever Authorization header type is set, I can inspect it and call the correct underlying function.
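The pattern the answer describes, as an added illustration in Java (not the answerer's code, which does not appear on the page): a filter that reads the Authorization header, builds an authentication request for whichever scheme it finds, and stores the authenticated result in the SecurityContextHolder before AnonymousAuthenticationFilter runs, so that filter no longer replaces it with an anonymous context. It assumes Spring Security 6 (jakarta.servlet) and that the question's CustomAuthenticationProvider accepts both token types; the class and method names are my own.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;

// Picks a token type from the Authorization scheme, authenticates it and stores the
// result in the SecurityContextHolder before AnonymousAuthenticationFilter runs.
public class HeaderDispatchingAuthenticationFilter extends OncePerRequestFilter {
    private final AuthenticationManager authenticationManager;

    public HeaderDispatchingAuthenticationFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        try {
            Authentication token = header == null ? null : toToken(header.trim());
            // No header, unknown scheme, or already authenticated: leave the request to the rest of the chain
            if (token != null && SecurityContextHolder.getContext().getAuthentication() == null) {
                SecurityContextHolder.getContext().setAuthentication(authenticationManager.authenticate(token));
            }
        } catch (AuthenticationException | IllegalArgumentException ex) { // rejected or malformed credentials: fail closed
            SecurityContextHolder.clearContext();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response);
    }

    // Basic -> username/password token; Bearer -> pre-authenticated token carrying the raw value.
    // Assumes (hypothetically) that the question's CustomAuthenticationProvider supports both.
    private static Authentication toToken(String header) {
        int space = header.indexOf(' ');
        if (space < 0) return null;
        String scheme = header.substring(0, space), value = header.substring(space + 1).trim();
        if (scheme.equalsIgnoreCase("Bearer")) return new PreAuthenticatedAuthenticationToken(value, value);
        if (!scheme.equalsIgnoreCase("Basic")) return null;
        String[] parts = new String(Base64.getDecoder().decode(value), StandardCharsets.UTF_8).split(":", 2);
        if (parts.length != 2) return null; // malformed Basic credentials are treated as absent
        return UsernamePasswordAuthenticationToken.unauthenticated(parts[0], parts[1]);
    }
}
```

Register it in place of httpBasic() with http.addFilterBefore(new HeaderDispatchingAuthenticationFilter(authenticationManager), AnonymousAuthenticationFilter.class); the AuthenticationManager can be obtained from AuthenticationConfiguration#getAuthenticationManager().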