I have

@Configuration
@EnableWebSecurity

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/api/v1/account/import").permitAll()
                .anyRequest().authenticated()
                .and()
            .addFilterBefore(new JWTAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    }
}

I want that all users can come to /api/v1/account/import without any JWT token check. For all other endpoints I want a JWT token check in class JWTAuthenticationFilter. I tried many different scenarios but all failed. I always get to JWTAuthenticationFilter. I don't want to get to JWTAuthenticationFilter if I go to /api/v1/account/import.

My controller:

@RestController
@RequestMapping(value = "/api/v1/account")
public class AccountController {

    private final AccountService accountService;

    public AccountController(final AccountService accountService) {
        this.accountService = accountService;
    }

    @PostMapping(path = "/import")
    @ResponseStatus(HttpStatus.ACCEPTED)
    public String importAccount(@Valid @RequestBody final ImportAccountDto importAccountDto) {
        return this.accountService.importAccount(importAccountDto);
    }
}

My JWT filter:

public class JWTAuthenticationFilter extends GenericFilterBean {

    @Override
    public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain filterChain) throws IOException, ServletException {

        final HttpServletRequest request = (HttpServletRequest) req;
        final HttpServletResponse response = (HttpServletResponse) res;
        final String token = request.getHeader("Authorization");

        final JJWTService jjwtService = new JJWTService();

        if (token == null || !jjwtService.parseJWTToken(token)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else {
            filterChain.doFilter(req, res);
        }
    }
}

My test:

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class AccountIT {

    @Autowired
    MockMvc mockMvc;

    @Autowired
    private AccountRepository accountRepository;

    @Test
    public void importAccount() throws Exception {

        this.mockMvc.perform(post("/api/v1/account/import")
                .contentType(MediaType.APPLICATION_JSON)
                .content(toJson(importAccountDto)))
                .andExpect(status().isAccepted())
                .andReturn();
    }
}

1 solution

#1


2

Try this

if (!request.getRequestURI().contains("/api/v1/account/import")) {
    final JJWTService jjwtService = new JJWTService();

    if (token == null || !jjwtService.parseJWTToken(token)) {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    } else {
        filterChain.doFilter(req, res);
    }
} else {
    // Import endpoint: skip the JWT check, but still pass the request down the chain
    filterChain.doFilter(req, res);
}
