SpringSecurity过滤指定url【.antMatchers(***).permitAll()】失效问题
问题描述
在使用SpringSecurity作为后端验证框架时,遇到配置一些接口不需要token验证,直接放行,但是配置之后没有生效,一直究其原因。文章来源地址https://www.toymoban.com/news/detail-487996.html
项目配置
- 因为要进行登录认证,就放行了一部分url无需认证权限控制。
- 然后其他的所有url都需要进行认证权限控制。
- 配置代码如下:
配置的忽略验证的路径,下面是已经修改后的配置,startWith配置的忽略路径url去除配置的请求前缀/todo
server:
tomcat:
uri-encoding: UTF-8
max-threads: 1000
min-spare-threads: 30
connection-timeout: 5000ms
port: 8088
servlet:
context-path: /todo
security:
oauth2:
ignore:
authentication:
startWith: /oauth/**,/rsa/**,/open/**,/druid/**,/redis/deduct/**,/todoUser/singleLogin,/todoUser/mingleLogin
package com.cn.sharedframework.Config.oauth;
import com.cn.sharedframework.Oauth2.OauthUserDetailsService;
import com.cn.sharedframework.Oauth2.granter.MobileAuthenticationProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import java.util.ArrayList;
import java.util.List;
/**
- spring security配置类
- 3. @author qianshijiang
- @date 2021-12-01 16:06
- @description:
*/
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebServerSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private OauthUserDetailsService userDetailsService;
@Autowired
private SecurityOauth2Properties securityOauth2Properties;
// 忽略一些静态资源
@Override
public void configure(WebSecurity web) throws Exception {
List<String> ignoreUrlList = new ArrayList<>();
ignoreUrlList.add("/**/*.js");
ignoreUrlList.add("/**/*.css");
ignoreUrlList.add("/**/*.jpg");
ignoreUrlList.add("/**/*.png");
ignoreUrlList.add("/**/*.ico");
ignoreUrlList.add("/**/*.gif");
ignoreUrlList.add("/swagger-ui.html");
ignoreUrlList.add("/webjars/**");
ignoreUrlList.add("/v2/**");
ignoreUrlList.add("/swagger-resources/**");
String[] ignoreUrls = ignoreUrlList.toArray(new String[ignoreUrlList.size()]);
web.ignoring().antMatchers(ignoreUrls);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers(securityOauth2Properties.getStartWith()).permitAll()
.anyRequest().authenticated() // 这里将其他所有的请求都放行,交给Oauth去处理
.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().csrf().disable();
}
/**
* 注入自定义的userDetailsService实现,获取用户信息,设置密码加密方式
*
* @param authenticationManagerBuilder
* @throws Exception
*/
@Override
protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder
.userDetailsService(userDetailsService)
.passwordEncoder(passwordEncoder());
// 设置手机验证码登陆的AuthenticationProvider
authenticationManagerBuilder.authenticationProvider(mobileAuthenticationProvider());
}
/**
* 将 AuthenticationManager 注册为 bean , 方便配置 oauth server 的时候使用
*/
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
/**
* 创建手机验证码登陆的AuthenticationProvider
*
* @return mobileAuthenticationProvider
*/
@Bean
public MobileAuthenticationProvider mobileAuthenticationProvider() {
MobileAuthenticationProvider mobileAuthenticationProvider = new MobileAuthenticationProvider(this.userDetailsService);
mobileAuthenticationProvider.setPasswordEncoder(passwordEncoder());
return mobileAuthenticationProvider;
}
public static void main(String[] args){
BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();
System.out.println(bCryptPasswordEncoder.encode("todo-server-secret-key"));
}
}
- Postmain测试接口发现如下提示
发现问题一直困扰,最终找到解决方案。
- 在网上找了大量资料发现,SpringSecurity认证忽略的url是不能包含context前缀的,否则匹配不上。
- SpringSecurity认证忽略的url是不能包含context前缀的,否则匹配不上。
- SpringSecurity认证忽略的url是不能包含context前缀的,否则匹配不上。
文章来源:https://www.toymoban.com/news/detail-487996.html
到了这里,关于SpringSecurity过滤指定url【.antMatchers(***).permitAll()】失效问题的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!
![[CSCCTF 2019 Qual]FlaskLight 过滤 url_for globals 绕过globals过滤](https://imgs.yssmx.com/Uploads/2024/02/730076-1.png)
