我有一个问题...我有这样的SecurityConfig.class(这是一个扩展WebSecurityConfigurerAdapter的类):
/**
* This method define which resources are public and which are secured
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable().authorizeRequests()
.antMatchers(HttpMethod.POST, SecurityConstants.SIGN_UP_URL).permitAll().anyRequest()
.authenticated()
.and().addFilter(new JWTAuthenticationFilter(authenticationManager()))
.addFilter(new JWTAuthorizationFilter(authenticationManager())) .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
但我的问题是,当我尝试访问SIGN_UP_URL时,应用程序正在尝试使用此过滤器对用户进行身份验证:
@Override
protected void doFilterInternal(HttpServletRequest req,
HttpServletResponse res,
FilterChain chain) throws IOException, ServletException {
String header = req.getHeader(SecurityConstants.HEADER_STRING);
if (header == null || !header.startsWith(SecurityConstants.TOKEN_PREFIX)) {
chain.doFilter(req, res);
res.sendError(HttpServletResponse.SC_UNAUTHORIZED,"Access Denied");
return;
}
UsernamePasswordAuthenticationToken authentication = getAuthentication(req);
SecurityContextHolder.getContext().setAuthentication(authentication);
chain.doFilter(req, res);
}
检查那个点的标题是否为null(因为该URL理论上不需要验证或任何令牌)这应该不会发生,有人可以帮助我吗?当我为所有用户打开安全性而不进行身份验证时,该方法成功执行
你必须在SecurityConfig.class中添加一个方法
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers(HttpMethod.POST, SecurityConstants.SIGN_UP_URL);
}
在这种方法中,您可以使用您不喜欢的网址进入安全过滤器。