将特定antMatchers的filter迁移到spring-security 6

qyzbxkaa  于 2023-10-20  发布在  Spring
关注(0)|答案(1)|浏览(180)

我目前正在将我们的服务迁移到带有Spring Security 6的Sping Boot 3。
在这样做的同时,我目前挂在问题上,我想只为一组端点建立一个过滤器:

@Bean
  @Order(10)
  SecurityFilterChain internalEndpointsFilterChain(HttpSecurity http) {
    http.csrf().disable()
        .sessionManagement().sessionCreationPolicy(STATELESS)
        .and()
        .antMatcher("/cache/**") <<<-- Problem
        .addFilterBefore(sharedSecretAuthenticationFilter(), ExceptionTranslationFilter)
        .exceptionHandling({ exceptionHandling ->
          exceptionHandling.authenticationEntryPoint(new UnauthorizedAuthenticationEntryPoint())
        })
        .authorizeRequests({ authorizeRequests ->
          authorizeRequests.anyRequest().fullyAuthenticated()
        })
        .build()
  }

当我迁移任何我在这里改变我只是总是得到一个401为这些端点。
我的尝试:

http.csrf { it.disable() }
        .sessionManagement { it.sessionCreationPolicy(STATELESS) }
        .securityMatcher("/cache/**")
        .addFilterBefore(sharedSecretAuthenticationFilter(), ExceptionTranslationFilter)
        .exceptionHandling({ exceptionHandling ->
          exceptionHandling.authenticationEntryPoint(new UnauthorizedAuthenticationEntryPoint())
        })
        .authorizeHttpRequests({ authorizeRequests ->
          authorizeRequests
              .anyRequest().fullyAuthenticated()
        })
        .build()

评论后编辑:重要的是,我们需要将此安全链与上面的正则表达式绑定,因为我们为其余端点提供了不同的链,该链在lib中配置并包含在我们的服务中:

@Bean
  @Order(10)
  SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .sessionManagement().sessionCreationPolicy(STATELESS)
        .and()
        .addFilterAfter(oauthAuthenticationFilter(jwtProcessor), LogoutFilter)
        .addFilterAfter(authenticationLessModeAuthenticationFilter(), OAuthAuthenticationFilter)
        .exceptionHandling({ exceptionHandling ->
          exceptionHandling.authenticationEntryPoint(new UnauthorizedAuthenticationEntryPoint())
        })
        .authorizeHttpRequests({ authorizeRequests ->
          authorizeRequests
              .requestMatchers(antMatcher("/error")).permitAll()
              .anyRequest().fullyAuthenticated()
        })
        .build()
  }

知道我哪里做错了吗

vsdwdz23

vsdwdz231#

如果问题出在迁移中,而在迁移之前,问题出在internalEndpointsFilterChain配置中。
基于迁移指南

更新

你能尝试下一个实现,并给我一个反馈,如果它帮助你给予。

@Bean
  @Order(10)
  SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

    http.csrf(AbstractHttpConfigurer::disable);
    http.sessionManagement(sessionAuthenticationStrategy ->
        sessionAuthenticationStrategy.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
    http.securityMatcher("/cache/**")
        .authorizeHttpRequests(request ->
            request.anyRequest().fullyAuthenticated());
    http.addFilterBefore(sharedSecretAuthenticationFilter(), ExceptionTranslationFilter.class);
    http.exceptionHandling(exception -> exception.authenticationEntryPoint(new UnauthorizedAuthenticationEntryPoint()));

    return http.build();
  }

相关问题