Add http security filter in java config
I\'m trying to add web security in spring but I don\'t want the filter to apply to certain things. How is that done in java?
And maybe there\'s a better way to do th
-
Are you interested in all of Spring Security ignoring the URLs or do you only want that specific filter to ignore the request? If you want all of Spring Security to ignore the request it can be done using the following:
@Configuration @EnableWebSecurity @Import(MyAppConfig.class) public class MySecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private MyTokenUserInfoCache userInfoCache; @Autowired private ServerStatusService serverStatusService; @Override public void configure(WebSecurity webSecurity) throws Exception { webSecurity .ignoring() // All of Spring Security will ignore the requests .antMatchers("/resources/**") .antMatchers(HttpMethod.POST, "/login"); } @Override public void configure(HttpSecurity http) throws Exception { http .addFilter(tokenInfoTokenFilterSecurityInterceptor()) .authorizeRequests() // this will grant access to GET /login too do you really want that? .antMatchers("/login").permitAll() .and() .httpBasic().and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS); } @Bean public TokenFilterSecurityInterceptortokenInfoTokenFilterSecurityInterceptor() throws Exception { TokenService tokenService = new TokenServiceImpl(userInfoCache); return new TokenFilterSecurityInterceptor (tokenService, serverStatusService, "RUN_ROLE"); } } If you want to have only that specific Filter ignore particular requests you can do something like this:
@Configuration @EnableWebSecurity @Import(MyAppConfig.class) public class MySecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private MyTokenUserInfoCache userInfoCache; @Autowired private ServerStatusService serverStatusService; @Override public void configure(WebSecurity webSecurity) throws Exception { webSecurity .ignoring() // ... whatever is here is ignored by All of Spring Security } @Override public void configure(HttpSecurity http) throws Exception { http .addFilter(tokenInfoTokenFilterSecurityInterceptor()) .authorizeRequests() // this will grant access to GET /login too do you really want that? .antMatchers("/login").permitAll() .and() .httpBasic().and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS); } @Bean public TokenFilterSecurityInterceptortokenInfoTokenFilterSecurityInterceptor() throws Exception { TokenService tokenService = new TokenServiceImpl(userInfoCache); TokenFilterSecurityInterceptor tokenFilter new TokenFilterSecurityInterceptor (tokenService, serverStatusService, "RUN_ROLE"); RequestMatcher resourcesMatcher = new AntPathRequestMatcher("/resources/**"); RequestMatcher posLoginMatcher = new AntPathRequestMatcher("/login", "POST"); RequestMatcher ignored = new OrRequestMatcher(resourcesMatcher, postLoginMatcher); return new DelegateRequestMatchingFilter(ignored, tokenService); } } public class DelegateRequestMatchingFilter implements Filter { private Filter delegate; private RequestMatcher ignoredRequests; public DelegateRequestMatchingFilter(RequestMatcher matcher, Filter delegate) { this.ignoredRequests = matcher; this.delegate = delegate; } public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) { HttpServletRequest request = (HttpServletRequest) req; if(ignoredRequests.matches(request)) { chain.doFilter(req,resp,chain); } else { delegate.doFilter(req,resp,chain); } } }
加载中...
- 热议问题