2

我想只允许未经身份验证的访问几个路径:/everyone1/something1、/everyone2/something2 和 /everyone3/**。对于其余路径,我只希望允许经过身份验证的请求。

现在,我有“类 WebSecurityConfig 扩展 WebSecurityConfigurerAdapter”:

@Override
  protected void configure(HttpSecurity httpSecurity) throws Exception {
    JwtAuthenticationFilter jwtAuthenticationFilter = new JwtAuthenticationFilter(
      jwtUtils, this.accessCookie, this.selectedRoleScopeCookie);

    httpSecurity.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);

    httpSecurity.cors().and().csrf().disable();

    httpSecurity.authorizeRequests()
      .antMatchers("/everyone1/something1", "/everyone2/something2", "/everyone3/**")
      .permitAll()
      .anyRequest().authenticated()
      .and().httpBasic().disable();
  }

在“jwtAuthenticationFilter”中,我将身份验证设置为:

  private void setAuthentication2(String username, String someData, boolean authenticated) {
    User user = new User(username, "", new ArrayList<>());
    UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(user, null, new ArrayList<>());
    if (!authenticated) {
      authentication.setAuthenticated(false);
    }

    AuthenticationDetails authenticationDetails = new AuthenticationDetails(someData);
    authentication.setDetails(authenticationDetails);

    SecurityContextHolder.getContext().setAuthentication(authentication);
  }

不幸的是,上述配置阻止了每个请求,包括经过身份验证和未经身份验证的请求。

任何帮助,将不胜感激。

谢谢!

4

1 回答 1

0

此方法为经过身份验证的请求授权某些路径。你需要的是:

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/everyone1/something1", "/everyone2/something2", "/everyone3/**");
}

然后匿名请求可以访问该路径。

于 2019-03-30T16:17:58.633 回答