Security version: 3.0.1
Security configuration:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {   // class name assumed; the post only shows the two bean methods

    // wxAuthenticationFilter(), wxJwtAuthenticationFilter(), accessDeniedHandler() and
    // authenticationEntryPoint() are defined elsewhere in the project and are not shown here.

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Default JSP form login disabled
        // http.formLogin(form -> form.loginPage("/login"));
        // http.logout(logout -> logout.logoutSuccessUrl("/success"));
        // Insert the custom login filter
        http.addFilter(wxAuthenticationFilter());
        // Insert the JWT authentication filter before the login authentication filter
        http.addFilterBefore(wxJwtAuthenticationFilter(), WxAuthenticationFilter.class);
        http.anonymous();
        http.httpBasic().disable();
        // Authorization rules per path
        http.authorizeHttpRequests()
                .requestMatchers("/").permitAll()
                .anyRequest().authenticated();
        // Stateless session
        http.sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        // Exception handling for unauthorized requests
        http.exceptionHandling(e -> e
                .accessDeniedHandler(accessDeniedHandler())
                .authenticationEntryPoint(authenticationEntryPoint()));
        http.csrf().disable();
        return http.build();
    }

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return web -> web.ignoring().requestMatchers("/ignore1", "/ignore2");
    }
}
- I rewrote the authentication filters: WxAuthenticationFilter replaces UsernamePasswordAuthenticationFilter, and JWT authentication runs before WxAuthenticationFilter.
- I configured two paths, ignore1 and ignore2, that should not go through the security filters.
- When I actually request /ignore1, the request still goes through the security filters: AnonymousAuthenticationFilter assigns the anonymousUser role, and AuthorizationFilter then rejects the request and throws Access Denied.
- Specifically, debugging shows that line 135 of AuthenticatedAuthorizationManager returns false, and AuthorizationFilter denies access at line 97 based on that condition.
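The following is an added example, not code from the original post. It contrasts the two ways Spring Security 6 offers to leave a path unprotected (`web.ignoring()`, which creates an empty filter chain that bypasses every security filter, versus `permitAll()`, which keeps the path inside the chain so the security headers and the other filters still run) and adds a startup check that asks the `FilterChainProxy` which filters it would apply to a given path. The package, class names and the `/public/**` and `/api/secret` paths are assumptions for illustration.

```java
// Added example, not the original poster's code. Package, class name, the "/public/**"
// matcher and the sample paths in the report are assumptions for illustration.
package com.example.security;

import java.util.List;

import jakarta.servlet.Filter;

import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.ApplicationRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class IgnoreVsPermitAllConfig {

    // Option 1: web.ignoring() builds a separate, empty filter chain for these matchers.
    // A request that matches sees no security filter at all: no AnonymousAuthenticationFilter,
    // no AuthorizationFilter, no CSRF protection and no security response headers.
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return web -> web.ignoring().requestMatchers("/ignore1", "/ignore2");
    }

    // Option 2: keep the path inside the main chain and allow it with permitAll().
    // The request still passes through the chain, so headers and the other security
    // filters apply; only the authorization decision becomes "always allow".
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public/**").permitAll()
                .anyRequest().authenticated());
        http.sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        http.csrf(csrf -> csrf.disable());   // stateless token API, no cookie-backed session
        return http.build();
    }

    // Startup check: FilterChainProxy.getFilters(path) returns the filters it would run for
    // a GET to that path. An empty list means an ignoring rule matched; a non-empty list
    // means the path goes through the full chain, where an unauthenticated request is
    // rejected by AuthorizationFilter unless the path is permitAll().
    @Bean
    public ApplicationRunner securityChainReport(
            @Qualifier("springSecurityFilterChain") Filter securityFilter) {
        return args -> {
            if (!(securityFilter instanceof FilterChainProxy proxy)) {
                System.out.println("springSecurityFilterChain is wrapped: " + securityFilter.getClass());
                return;
            }
            for (String path : List.of("/ignore1", "/ignore2", "/public/x", "/api/secret")) {
                List<Filter> filters = proxy.getFilters(path);
                if (filters == null) {
                    System.out.printf("%-12s -> no security filter chain matches%n", path);
                } else if (filters.isEmpty()) {
                    System.out.printf("%-12s -> ignored (empty chain from web.ignoring())%n", path);
                } else {
                    System.out.printf("%-12s -> %d filters, last is %s%n", path, filters.size(),
                            filters.get(filters.size() - 1).getClass().getSimpleName());
                }
            }
        };
    }
}
```

On startup the report prints one line per sample path. If an ignored path is reported with a non-empty filter list, the `requestMatchers` pattern did not match the path as the `FilterChainProxy` sees it, and the request will reach `AuthorizationFilter` exactly as described in the post. Note that `getFilters(String)` checks the pattern against a synthetic GET request, so it verifies the configured matchers rather than a live request with its servlet and context path.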