Updated: 2023-12-01 08:38:28
You have two filter chains. Neither of them has an entry point pattern properly configured (http.antMatcher). That means they are configured to use /** as their entry point pattern.
For example:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .anyRequest().fullyAuthenticated();
}
means the same as:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .antMatcher("/**")   // implicit default entry point pattern
        .authorizeRequests()
            .anyRequest().fullyAuthenticated();
}
What we are saying here is:

- http - the security filter chain
- http.antMatcher - the entry point to the security filter chain
- http.authorizeRequests - start of my endpoint access restrictions
- http.authorizeRequests.antMatchers - list of URLs with specific access

So what you need to do is change your @Order(1) filter chain to narrow down the pattern. For example: http.antMatcher("/api/transaction/**")
Your configuration would now look like:

@Configuration
@Order(1)
public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/api/transaction/**") // customized entry point
            .authorizeRequests()
                .antMatchers("/api/transaction/testf").authenticated()
                .and()
            .x509()
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .userDetailsService(new X509UserDetailsService());
    }
}

@Configuration
@Order(2)
public static class ApiTokenSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/**") // this is the default
            .authorizeRequests()
                .antMatchers("/oauth/token", "/api/dealer/login").permitAll()
                .and()
            .authorizeRequests()
                .anyRequest()
                .authenticated();
    }
}
With your existing configuration the filter chain named ApiWebSecurityConfig will trap all calls. The other filter chain, ApiTokenSecurityConfig, is never used.
You can in this answer
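As an added illustration (not part of the answer above, and not Spring's own code), the following is a small Python model of the first-match-wins chain selection the answer describes: each chain is tried in @Order, the first whose Ant-style antMatcher pattern matches the request path wins, and a chain placed after a /** chain can never be reached. The chain names, patterns and request paths are taken from the answer; the Ant-pattern matcher is a simplified reimplementation written for this example.

```python
import re
from dataclasses import dataclass

# Simplified model of Spring Security's chain selection: chains are tried in @Order
# and the FIRST whose antMatcher pattern matches wins. Constructed for this example.

def ant_to_regex(pattern: str) -> re.Pattern:
    """Ant pattern to anchored regex: '**' spans segments, '*' one segment, '?' one char."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):   # zero or more further segments
            out, i = out + "(?:/.*)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

@dataclass(order=True)
class FilterChain:
    order: int
    name: str
    pattern: str = "/**"   # Spring's default when antMatcher() is omitted

def select_chain(chains, path):
    """Name of the first chain (by @Order) whose pattern matches, else None."""
    for chain in sorted(chains):
        if ant_to_regex(chain.pattern).match(path):
            return chain.name
    return None

def unreachable_chains(chains):
    """Chains that can never be selected because an earlier one is a catch-all."""
    dead, blocked = [], False
    for chain in sorted(chains):
        if blocked:
            dead.append(chain.name)
        blocked = blocked or chain.pattern == "/**"
    return dead

# The asker's setup: neither chain sets antMatcher, so both default to "/**".
BROKEN = [FilterChain(1, "ApiWebSecurityConfig"), FilterChain(2, "ApiTokenSecurityConfig")]
# The answer's fix: narrow the @Order(1) chain to its own URL space.
FIXED = [FilterChain(1, "ApiWebSecurityConfig", "/api/transaction/**"),
         FilterChain(2, "ApiTokenSecurityConfig")]
```

Running unreachable_chains over a configuration is a quick sanity check that every chain you declared can actually be reached before you rely on its permitAll or authentication rules.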