How to apply spring security filter only on secured endpoints?
I have the following Spring Security configuration:
httpSecurity
.csrf()
.disable()
.exceptionHandling()
-
I think I've found a way to solve it. I have
JwtTokenAuthenticationProcessingFilterwhich is anAbstractAuthenticationProcessingFilter. I want it to authenticate request if there is token in the head but do not block the request if failed. All you need is to rewrite the doFilter and invoke thechain.doFilterno matter what the authentication result is(invoking unsuccessfulAuthentication is optional). Here is part of my code.public class JwtTokenAuthenticationProcessingFilter extends AbstractAuthenticationProcessingFilter { private final TokenExtractor tokenExtractor; @Autowired public JwtTokenAuthenticationProcessingFilter(TokenExtractor tokenExtractor, RequestMatcher matcher) { super(matcher); this.tokenExtractor = tokenExtractor; } @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; if (!this.requiresAuthentication(request, response)) { chain.doFilter(request, response); } else { if (this.logger.isDebugEnabled()) { this.logger.debug("Request is to process authentication"); } boolean success = true; Authentication authResult = null; try { authResult = this.attemptAuthentication(request, response); } catch (InternalAuthenticationServiceException var8) { this.logger.error("An internal error occurred while trying to authenticate the user.", var8); success = false; } catch (AuthenticationException var9) { success = false; } if (success && null != authResult) { this.successfulAuthentication(request, response, chain, authResult); } // Please ensure that chain.doFilter(request, response) is invoked upon successful authentication. You want // processing of the request to advance to the next filter, because very last one filter // FilterSecurityInterceptor#doFilter is responsible to actually invoke method in your controller that is // handling requested API resource. chain.doFilter(request, response); } } @Override public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { String tokenPayload = request.getHeader(WebSecurityConfig.AUTHENTICATION_HEADER_NAME); RawAccessJwtToken token = new RawAccessJwtToken(tokenExtractor.extract(tokenPayload)); return getAuthenticationManager().authenticate(new JwtAuthenticationToken(token)); } @Override protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException { SecurityContext context = SecurityContextHolder.createEmptyContext(); context.setAuthentication(authResult); SecurityContextHolder.setContext(context); } }Update at Apr 22
To register the filter, just add the following code to the WebSecurityConfig
@Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { private final JwtAuthenticationProvider mJwtAuthenticationProvider; @Autowired public WebSecurityConfig(JwtAuthenticationProvider jwtAuthenticationProvider) { this.mJwtAuthenticationProvider = jwtAuthenticationProvider; } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { // When multiple authentication providers are defined, the providers will be queried in the order they’re // declared. auth.authenticationProvider(mJwtAuthenticationProvider); } }In the code, I only revealed the critical part about adding the filter. All this implementation was inspired by this site. Give credit to the author Vladimir Stankovic for his detail explanation.
讨论(0) -
I have an application with the same requirement and to solve it I basically restricted Spring Security to a given ant match patter (using
antMatcher) as follows:http.antMatcher("/api/**").authorizeRequests() // .anyRequest().authenticated() // .and() .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);You can read it as follows: for
httponly invoke these configurations on requests matching the ant pattern/api/**authorizingany requesttoauthenticatedusersandadd filterauthenticationTokenFilterBean()beforeUsernamePasswordAuthenticationFilter. For all others requests this configuration has no effect.讨论(0) -
To bypass spring security for some specific endpoints do the following:
httpSecurity .authorizeRequests() .antMatchers("/some_endpoints").permitAll() .anyRequest().authenticated() .and() ...讨论(0) -
GenericFilterBeanhas a following method :/** * Can be overridden in subclasses for custom filtering control, * returning {@code true} to avoid filtering of the given request. * <p>The default implementation always returns {@code false}. * @param request current HTTP request * @return whether the given request should <i>not</i> be filtered * @throws ServletException in case of errors */ protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException { return false; }So in your filter that extends
GenericFilterBeanyou can override that method and implement logic to run the filter only on the routes that you would like.讨论(0) -
If you use the
.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);You can define in the constructor the specific path it will apply to:
public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFilter { public JwtAuthenticationFilter(AuthenticationManager authenticationManager) { super("/api/**"); this.setAuthenticationManager(authenticationManager); } @Override protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) { return super.requiresAuthentication(request, response); }The
requiresAuthenticationmethod will be used to know if that endpoint needs authentication.讨论(0) -
My Requirement was to exclude the endpoint matching /api/auth/**, to achieve the same I have configured my WebSecurityConfig spring configuration component as follows:
/** * The purpose of this method is to exclude the URL's specific to Login, Swagger UI and static files. * Any URL that should be excluded from the Spring security chain should be added to the ignore list in this * method only */ @Override public void configure(WebSecurity web) throws Exception { web.ignoring().antMatchers("/api/auth/**","/v2/api-docs", "/configuration/ui", "/swagger-resources", "/configuration/security", "/swagger-ui.html", "/webjars/**", "/favicon.ico", "/**/*.png", "/**/*.gif", "/**/*.svg", "/**/*.jpg", "/**/*.html", "/**/*.css", "/**/*.js"); } /** * The purpose of this method is to define the HTTP configuration that defines how an HTTP request is * going to be treated by the Spring Security chain. All the request URL's (excluding the URL's added * in WebSecurity configuration ignore list) matching this configuration have to pass through the * custom Spring security filter defined in this method */ @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable() .cors().disable() .authorizeRequests() .anyRequest() .authenticated() .and() .exceptionHandling() .authenticationEntryPoint(unauthorizedHandler) .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class); } /** * The purpose of this method is to create a new instance of JWTAuthenticationFilter * and return the same from the method body. It must be ensured that this filter should * not be configured as a Spring bean or registered into the Spring Application context * failing which the below filter shall be registered as a default web filter, and thus * all the URL's even the excluded ones shall be intercepted by the below filter */ public JWTAuthenticationFilter authenticationTokenFilterBean() { return new JWTAuthenticationFilter(); }讨论(0)
加载中...
- 热议问题