Spring Security 6 not calling my CustomAuthenticationProvider

Posted by w8biq8rn on 2023-06-23 in Spring

I have a Spring SecurityConfiguration defined like this:

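import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.CorsConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration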
@EnableWebSecurity
public class SecurityConfiguration {

    private final CustomAuthenticationProvider customAuthenticationProvider;

    @Autowired
    public SecurityConfiguration(CustomAuthenticationProvider customAuthenticationProvider) {
        this.customAuthenticationProvider = customAuthenticationProvider;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .cors(CorsConfigurer::disable) // Disable CORS
            .csrf().disable()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authenticationProvider(customAuthenticationProvider)
            .authorizeHttpRequests(authorizeRequests -> authorizeRequests
                .requestMatchers(HttpMethod.GET, "/health", "/public/**").permitAll()
                .requestMatchers("/api/**", "/events/**", "/competition/**").authenticated()
            )
            .httpBasic();

        return http.build();
    }
   
}

Requests under /static and /public are correctly permitted, but any request under /events, /api, or /competition hits the AnonymousAuthenticationFilter.
Here is the log for a request to /events/1:

20:05:06.483 [http-nio-8080-exec-8] DEBUG o.s.security.web.FilterChainProxy - Securing GET /events/1
20:05:06.483 [http-nio-8080-exec-8] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Set SecurityContextHolder to anonymous SecurityContext
20:05:06.484 [http-nio-8080-exec-8] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to com.pr.golf.golfapp.controller.EventsController#getEvent(Long)
20:05:06.486 [http-nio-8080-exec-8] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to com.pr.golf.golfapp.controller.EventsController#getEvent(Long)
20:05:06.487 [http-nio-8080-exec-8] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to com.pr.golf.golfapp.controller.EventsController#getEvent(Long)
20:05:06.488 [http-nio-8080-exec-8] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to com.pr.golf.golfapp.controller.EventsController#getEvent(Long)
20:05:06.490 [http-nio-8080-exec-8] DEBUG o.s.security.web.FilterChainProxy - Securing GET /error
20:05:06.491 [http-nio-8080-exec-8] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
20:05:06.492 [http-nio-8080-exec-8] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
20:05:06.493 [http-nio-8080-exec-8] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
20:05:06.495 [http-nio-8080-exec-8] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
20:05:06.498 [http-nio-8080-exec-8] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
20:05:06.498 [http-nio-8080-exec-8] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Set SecurityContextHolder to anonymous SecurityContext

kxe2p93d  #1

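By using the code below, I was able to implement it without explicitly configuring an authentication mechanism/protocol for the custom provider.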

public class CustomAuthenticationFilter extends OncePerRequestFilter {

}

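This way, once I have decided which type of authentication to perform, I can set the authentication on the SecurityContextHolder. It also guarantees that whatever webClient I use and whatever Authorization header type is set, I can inspect it and call the correct underlying function.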
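
The filter body in the answer above is empty on this page. The following is an added example, not the answerer's code, of one way such a filter could inspect the Authorization header, delegate to an AuthenticationProvider and set the result on the SecurityContextHolder. It assumes Spring Security 6 (jakarta.servlet), that the injected provider is the question's CustomAuthenticationProvider and that it supports UsernamePasswordAuthenticationToken, and it handles only the Basic scheme.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Added illustration, not the answerer's code: dispatch on the Authorization scheme.
public class CustomAuthenticationFilter extends OncePerRequestFilter {
    private final AuthenticationProvider provider; // assumption: the question's CustomAuthenticationProvider

    public CustomAuthenticationFilter(AuthenticationProvider provider) { this.provider = provider; }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        try {
            if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
                String decoded = new String(
                        Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
                int colon = decoded.indexOf(':');
                if (colon < 0) throw new BadCredentialsException("Malformed Basic credentials");
                Authentication token = UsernamePasswordAuthenticationToken.unauthenticated(
                        decoded.substring(0, colon), decoded.substring(colon + 1));
                Authentication result = provider.authenticate(token); // null if token type unsupported
                if (result == null) throw new BadCredentialsException("No provider result");
                SecurityContext context = SecurityContextHolder.createEmptyContext();
                context.setAuthentication(result);
                SecurityContextHolder.setContext(context);
            } // other schemes (for example "Bearer ") would be dispatched here
        } catch (AuthenticationException | IllegalArgumentException e) {
            // Bad Base64 or rejected credentials: fail closed instead of continuing as anonymous.
            SecurityContextHolder.clearContext();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response); // no header: the authorizeHttpRequests rules still decide
    }
}
```

A filter like this is registered in the chain with `http.addFilterBefore(new CustomAuthenticationFilter(customAuthenticationProvider), UsernamePasswordAuthenticationFilter.class)`. With debug logging enabled, the presence or absence of this filter's effect before the AnonymousAuthenticationFilter line shows whether the request carried an Authorization header at all.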
