Spring security antMatchers permitAll 不起作用

Question

我知道有这个问题的主题，但我所做的配置是正确的，我将它与它正常工作的项目进行了比较。我想“解除”JWT 安全性的/login 端点，但 AuthenticationFilter 仍然在到达/login 端点之前运行。我很困惑为什么它不起作用。

我的代码如下:

@Override
    protected void configure(HttpSecurity http) throws Exception {

        http
                .csrf().disable()

                .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()

                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()

                .authorizeRequests()

                .antMatchers("/login").permitAll()
                .anyRequest().authenticated();

        http
                .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

        http.headers().cacheControl();

    }

Answer 1

重复:How to add a filter only for one special path WebSecurityConfigurerAdapter

您不能使用单个配置类来做到这一点。看看这个问题:How to apply spring security filter only on secured endpoints? .

对于这种情况，我认为更好的解决方案是配置多个HttpSecurity。来自 Spring IO documentation :

We can configure multiple HttpSecurity instances just as we can have multiple blocks. The key is to extend the WebSecurityConfigurationAdapter multiple times. For example, the following is an example of having a different configuration for URL’s that start with /api/.

该文档有一个完整的示例，其中包含完成此操作的必要步骤:

1. Configure Authentication as normal
2. Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.
3. The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/
4. Create another instance of WebSecurityConfigurerAdapter. If the URL does not start with /api/ this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).

祝你好运!