Solution of spring boot security Setting Ignore Address Not Effective
- 2021-11-01 03:18:47
- OfStack
spring boot security Setting Ignore Address Not Effective
Recently, after trying the micro-service transformation, there is such a problem that all requests are authenticated and authorized by spring cloud gateway before accessing the back-end data side service, but some of them need to be called back by the cooperative organization. Because of security authentication, the final solution is to ignore auth authentication for the callback address.
The main code of the final security is as follows:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/v1/prNotifyBack");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
/** It means that all accesses must be authenticated before they can proceed normally */
http.httpBasic().and().authorizeRequests().anyRequest().fullyAuthenticated();
/** All Rest Services 1 Be sure to set to stateless to improve operational performance */
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.csrf().disable();
}
}
This process has encountered several problems:
1. Inherit WebSecurityConfigurerAdapterThen we override the configure method, which needs to be noted that it has two different parameters.
The functions of HttpSecurity and WebSecurity are different, WebSecurity is mainly aimed at global ignorance rules, and HttpSecurity is mainly privilege control rules.
Therefore, starting with HttpSecurity in 1 can't achieve the purpose of ignoring addresses.
protected void configure(HttpSecurity http){.......}
public void configure(WebSecurity web) {.........}
WebSecurity
Global request ignores rule configuration (such as static file, such as registration page), global HttpFirewall configuration, whether debug configuration, global SecurityFilterChain configuration, privilegeEvaluator, expressionHandler, securityInterceptor,
HttpSecurity
Specific permission control rule configuration.
2. Ignore the non-effective problem
web.ignoring().antMatchers("/pr/v1/prNotifyBack");
The above code will not take effect if/pr is taken, and 401 errors will still occur when accessing. /pr is the configured project path. However, taking the project path will not take effect, which is very confusing.
server:
port: 8089
servlet:
context-path: /pr
SpringBoot SpringSecurity, web. ignore failure
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class CustomSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.csrf().disable()
.authorizeRequests()
.antMatchers("/api/**").authenticated()
.and()
.addFilterBefore(new TokenFilter(), UsernamePasswordAuthenticationFilter.class);
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers("/")
.antMatchers("/swagger-ui.html")
.antMatchers("/swagger-resources/**")
.antMatchers("/webjars/springfox-swagger-ui/**")
.antMatchers("/v2/api-docs/**");
}
}
This is the modified configuration file that works properly
Annotated with @ component before, then injected with @ Resource.
Causes the filter to take effect globally.
Normal configuration, should manually new, and filter classes cannot be annotated with @ Component
Specific reasons, after free to study 1.