我在Spring 4 MVC + Security + Boot项目中设置了一个自定义身份验证过滤器。过滤器可以很好地完成工作,现在我想禁用某些URI(例如/api/**)的安全性。这是我的配置
/api/**
@Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter{ @Override public void configure(WebSecurity webSecurity) throws Exception { webSecurity.ignoring().antMatchers("/api/**"); } @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .anyRequest().authenticated() .and() .addFilterBefore(filter, BasicAuthenticationFilter.class); } }
不幸的是,当我在/ api / …下调用resource时,过滤器仍然被链接。我在过滤器中添加了println,并在每次调用时将其写入控制台。你知道我的配置有什么问题吗?
更新
过滤器代码:
@Component public class EAccessAuthenticationFilter extends RequestHeaderAuthenticationFilter { @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { System.out.println("FILTER"); if(SecurityContextHolder.getContext().getAuthentication() == null){ //Do my authentication stuff PreAuthenticatedAuthenticationToken authentication = new PreAuthenticatedAuthenticationToken(user, credential, authorities); SecurityContextHolder.getContext().setAuthentication(authentication); } super.doFilter(request, response, chain); } @Override @Autowired public void setAuthenticationManager(AuthenticationManager authenticationManager) { super.setAuthenticationManager(authenticationManager); } }
删除类EAccessAuthenticationFilter上的@Component,如下所示:
@Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .anyRequest().authenticated() .and() .addFilterBefore(new EAccessAuthenticationFilter(), BasicAuthenticationFilter.class); }