带有JWT的Spring Boot(v2.6.7)安全性,Web.ignoring()正在工作,但AntMatchers wiverall()
我从2.1.5迁移至2.6.7。现在,安全配置正在Web中发出有关抗匹匹仪的警告。在Webscurity配置线路中符合符号,尽管其工作正常。移动Web。签名到AntMatchers允许HTTPConfiguration允许()警告消失,但不再允许使用URL。
我也在使用JWT,看来JWT过滤器正在启动,也没有尊重HTTPConfiguration。我真的很困惑如何配置它。我包括之前和之后。
使用警告:
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
private static final Logger LOGGER = LoggerFactory.getLogger(SecurityConfiguration.class);
@Override
public void init(WebSecurity web) throws Exception {
super.init(web);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
LOGGER.debug("**********************SECURITY INITALIZE NORMAL#######################################");
http.cors().and().csrf().disable().authorizeRequests()
.anyRequest().authenticated().and()
.addFilter(new JWTAuthorizationFilter(authenticationManager(), getApplicationContext()))
.addFilter(new JWTAuthenticationFilter(authenticationManager(), getApplicationContext()))
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/v2/api-docs/**");
}
}
不起作用:
@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
private static final Logger LOGGER = LoggerFactory.getLogger(SecurityConfiguration.class);
@Override
public void init(WebSecurity web) throws Exception {
super.init(web);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
LOGGER.debug("**********************SECURITY INITALIZE NORMAL#######################################");
http.cors().and().csrf().disable().authorizeRequests()
.antMatchers("/v2/api-docs/**").permitAll() // ADDED LINE
.anyRequest().authenticated().and()
.addFilter(new JWTAuthorizationFilter(authenticationManager(), getApplicationContext()))
.addFilter(new JWTAuthenticationFilter(authenticationManager(), getApplicationContext()))
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
public void configure(WebSecurity web) throws Exception {
//web.ignoring().antMatchers("/v2/api-docs/**");
}
}
使用HTTP安全性与Web Security时的配置中断看起来像是某种程度上的破裂。我尝试了许多建议,但似乎没有任何作用。
熟悉JWT过滤器的2.6.7中春季启动安全性的人可以建议我做错什么吗?
I migrated Spring boot from 2.1.5 to 2.6.7. Now the security configuration is throwing a warning about antMatchers in web.ignoring in the WebSecurity configuration lines, although it works correctly. Upon moving the web.ignoring to antMatchers permitAll() in httpConfiguration, the warning goes away but the urls are no longer permitted.
I am also using JWT and it looks like the JWT filters are kicking in and not honoring the httpConfiguration. I am really confused as to how to configure this. I am including the before and after here.
WORKS WITH WARNING:
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
private static final Logger LOGGER = LoggerFactory.getLogger(SecurityConfiguration.class);
@Override
public void init(WebSecurity web) throws Exception {
super.init(web);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
LOGGER.debug("**********************SECURITY INITALIZE NORMAL#######################################");
http.cors().and().csrf().disable().authorizeRequests()
.anyRequest().authenticated().and()
.addFilter(new JWTAuthorizationFilter(authenticationManager(), getApplicationContext()))
.addFilter(new JWTAuthenticationFilter(authenticationManager(), getApplicationContext()))
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/v2/api-docs/**");
}
}
DOES NOT WORK:
@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
private static final Logger LOGGER = LoggerFactory.getLogger(SecurityConfiguration.class);
@Override
public void init(WebSecurity web) throws Exception {
super.init(web);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
LOGGER.debug("**********************SECURITY INITALIZE NORMAL#######################################");
http.cors().and().csrf().disable().authorizeRequests()
.antMatchers("/v2/api-docs/**").permitAll() // ADDED LINE
.anyRequest().authenticated().and()
.addFilter(new JWTAuthorizationFilter(authenticationManager(), getApplicationContext()))
.addFilter(new JWTAuthenticationFilter(authenticationManager(), getApplicationContext()))
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
public void configure(WebSecurity web) throws Exception {
//web.ignoring().antMatchers("/v2/api-docs/**");
}
}
Looks like somehow the configuration breaks when using http security versus web security. I have tried many of the suggestions but nothing seems to work.
Can someone familiar with Spring Boot Security in 2.6.7 with JWT filters please suggest what I am doing wrong?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论