Spring webSecurity.ignoring()不会忽略自定义过滤器
我在Spring 4 MVC + Security + Boot项目中设置了一个自定义身份验证过滤器。过滤器可以很好地完成工作,现在我想禁用某些URI(例如/api/**)的安全性。这是我的配置
@Configuration@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
@Override
public void configure(WebSecurity webSecurity) throws Exception {
webSecurity.ignoring().antMatchers("/api/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilterBefore(filter, BasicAuthenticationFilter.class);
}
}
不幸的是,当我在/ api / …下调用resource时,过滤器仍然被链接。我在过滤器中添加了println,并在每次调用时将其写入控制台。你知道我的配置有什么问题吗?
更新
过滤器代码:
@Componentpublic class EAccessAuthenticationFilter extends RequestHeaderAuthenticationFilter {
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
System.out.println("FILTER");
if(SecurityContextHolder.getContext().getAuthentication() == null){
//Do my authentication stuff
PreAuthenticatedAuthenticationToken authentication = new PreAuthenticatedAuthenticationToken(user, credential, authorities);
SecurityContextHolder.getContext().setAuthentication(authentication);
}
super.doFilter(request, response, chain);
}
@Override
@Autowired
public void setAuthenticationManager(AuthenticationManager authenticationManager) {
super.setAuthenticationManager(authenticationManager);
}
}
回答:
删除类EAccessAuthenticationFilter上的@Component,如下所示:
@Overrideprotected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilterBefore(new EAccessAuthenticationFilter(), BasicAuthenticationFilter.class);
}
以上是 Spring webSecurity.ignoring()不会忽略自定义过滤器 的全部内容, 来源链接: utcz.com/qa/435999.html
