我为令牌身份验证创建了一个自定义过滤器AuthenticationTokenFilter,它由OncePerRequestFilter. 我将一些 API 配置为SecurityConfig我的AuthenticationTokenFilter.
@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.BASIC_AUTH_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private AuthenticationTokenFilter authenticationTokenFilter;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().
regexMatchers("^(?!/webjars/).*",
"^(?!/swagger-resources/).*",
"^(?!/swagger-ui.html).*").permitAll().
antMatchers("/healthcheck/ping",
"/user" + ApiMapper.SIGN_IN_API,
"/user" + ApiMapper.FORGET_PASSWORD,
"/user" + ApiMapper.SIGN_OUT_API,
ApiMapper.SWAGGER_RESOURCE,
ApiMapper.FAVICON_ICO,
ApiMapper.APP_ENDPOINTS).permitAll().
anyRequest().authenticated().
and().
// If user isn't authorised to access a path...
exceptionHandling().
// ...redirect them to /403
accessDeniedPage("/403").
and().
anonymous().disable();
http.addFilterBefore(authenticationTokenFilter, BasicAuthenticationFilter.class);
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().
regexMatchers("^(?!/webjars/).*").
regexMatchers("^(?!/swagger-resources/).*").
regexMatchers("^(?!/swagger-ui.html/).*").
antMatchers("/healthcheck/ping",
"/user" + ApiMapper.SIGN_IN_API,
"/user" + ApiMapper.FORGET_PASSWORD,
"/user" + ApiMapper.SIGN_OUT_API,
ApiMapper.SWAGGER_RESOURCE + "/.*",
ApiMapper.FAVICON_ICO,
ApiMapper.APP_ENDPOINTS);
}
}
我在这里找到了类似的答案,但我已经忽略了WebSecurity配置。那么,为什么我需要在过滤器级别上写相同的内容。
我在哪里做错了,或者我在错误的环境中。