Spring webSecurity.ignoring() doesn't ignore custom filter

轻奢々 2020-12-06 05:39

I have set a custom authentication filter in my Spring 4 MVC + Security + Boot project. The filter does its job well and now I want to disable the security for some URIs

6 answers
  • 2020-12-06 06:33

    I always found the easiest way to do this is to put this configuration in your application.properties:

    security.ignored=/api/**
    
  • 2020-12-06 06:38

    Remove @Component from class EAccessAuthenticationFilter, and configure it like this:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
            .and()
            // Instantiate the filter here instead of declaring it as a bean, so it is
            // only registered inside the Spring Security filter chain.
            .addFilterBefore(new EAccessAuthenticationFilter(), BasicAuthenticationFilter.class);
    }
    

    https://github.com/spring-projects/spring-security/issues/3958

  • 2020-12-06 06:40

    I had the correct configuration to ignore some context paths in the web security configuration, as below:

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/v1/api1").antMatchers("/v1/api2");
    }
    

    But I had mistakenly added @PreAuthorize(...) on my controller method, and it seems like that method-level security was overriding any security configuration set up at the start.

  • 2020-12-06 06:40

    I think you also need it in the Filter class (extends RequestHeaderAuthenticationFilter), i.e.

    import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
    import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

    public class EAccessAuthenticationFilter extends RequestHeaderAuthenticationFilter {
        public EAccessAuthenticationFilter() {
            // RequestHeaderAuthenticationFilter only has a no-arg constructor, so the
            // matcher is set through the inherited setter. AntPathRequestMatcher already
            // implements RequestMatcher, so no anonymous wrapper is needed: only requests
            // matching the pattern go through this filter's authentication step.
            setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/v1/api1"));
        }
    }
    
  • 2020-12-06 06:43

    I don't have enough reputation to add a comment, but for anyone like me who was looking for a little more of an explanation for kimhom's answer, WebSecurityConfigurerAdapter will tell Spring Security to ignore any filters added through it. The filter was then still being invoked because the @Component (or any flavor of @Bean) annotation told Spring to add the filter (again) outside of the security chain. So while the filter was being ignored in the security chain, it was not being ignored by the other (non-security?) chain.

    This solved two weeks of headaches for me. In my case my custom filter needed the Authentication object given by the SecurityContext where it kept coming up as null because the security chain was never executed.

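    Putting the explanation above together with the earlier answers, here is an added configuration example (not code from the question or from any answer) that keeps the custom filter inside the Spring Security chain only, so that web.ignoring() really does skip it: the filter stays a bean, but the automatic servlet-container registration that Spring Boot performs for every Filter bean is switched off with a disabled FilterRegistrationBean. It assumes Spring Boot 1.4 or later (for the org.springframework.boot.web.servlet package), that EAccessAuthenticationFilter is the question's filter class with a no-arg constructor and no @Component annotation, and it reuses the paths from the answers.

```java
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // The filter is still a bean (so it can be injected elsewhere), but the class
    // itself carries no @Component; it is created here and wired in below.
    @Bean
    public EAccessAuthenticationFilter eAccessAuthenticationFilter() {
        return new EAccessAuthenticationFilter(); // assumed no-arg constructor
    }

    // Spring Boot registers every Filter bean with the servlet container, which is
    // the second, non-security chain that web.ignoring() cannot influence.
    // Disabling that registration leaves the security chain as the only place the
    // filter runs, so ignored paths never reach it.
    @Bean
    public FilterRegistrationBean eAccessFilterRegistration(EAccessAuthenticationFilter filter) {
        FilterRegistrationBean registration = new FilterRegistrationBean(filter);
        registration.setEnabled(false);
        return registration;
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Paths listed here bypass the whole security filter chain, including the
        // custom filter, so nothing on them is authenticated at all.
        web.ignoring().antMatchers("/v1/api1", "/v1/api2");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
            .and()
            .addFilterBefore(eAccessAuthenticationFilter(), BasicAuthenticationFilter.class);
    }
}
```

    A quick check that the wiring is right: a request to /v1/api1 should no longer show up in the custom filter's logging at all, while a request to any other path should pass through the filter exactly once.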
  • 2020-12-06 06:44

    After a few tests I realized that in fact my configurations are ok and it's just a comprehension problem. The spring.security.ignored=/api/** doesn't bypass or turn off the filter. In reality every request still passes through my custom filter, but the difference is that Spring Security doesn't care about the authentication status or the granted authority coming from the custom filter.

    I was thinking that the "ignored" property simply bypasses the Spring Security filters. It sounds like I was totally wrong...
