当前位置 博文首页 > m0_51945027的博客:Spring Security permitAll开放页面权限 解

最大化 缩小

    m0_51945027的博客:Spring Security permitAll开放页面权限 解

    作者:[db:作者] 时间:2021-09-13 16:23

    使用Spring Security做权限认证,通常有些页面需要开放某些页面不需要权限验证,比喻登录页面,注册页面等,也就是无论你什么权限(包括访客)都能访问到页面,要让某个页面设置所有权限都能访问也很简单

    1.Spring Security设置开放某个页面访问权限

    @Configuration
    public class ResourceServerConfigurer extends ResourceServerConfigurerAdapter {

    @Override
public void configure(HttpSecurity http) throws Exception {
    //开放接口
    http.authorizeRequests()
            .antMatchers("/fileCallback").permitAll()
            .anyRequest()
            .authenticated();
}

    }

    2.已经开放权限的页面token验证问题

    按照上面设置了某个页面可以开放访问,但是问题是:如果访问这个页面还是带了token,或者header 中 携带 Authorization Bearer xxxx,就会验证这个token,如果验证失败,不好意思虽然开放了访问权限,但是token验证失败,还是不能访问,所以设置了开放权限相当于没有设置,那么怎么解决?

    3.解决方法

    其实这也怪不得spring security,你都携带验证信息了,表示你需要框架验证你的权限

    那么我们只能去掉这个验证信息

    spring-security的认证为一系列过滤器链。我们只需定义一个比OAuth2AuthenticationProcessingFilter更早的过滤器拦截指定请求,去除header中的Authorization Bearer xxxx即可

    添加PermitAuthenticationFilter类
    添加PermitAuthenticationFilter类拦截指定请求,清空header中的Authorization Bearer xxxx

    @Component(“permitAuthenticationFilter”)
    @Slf4j
    public class PermitAuthenticationFilter extends OncePerRequestFilter {

    @Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {

    log.info("当前访问的地址:{}", request.getRequestURI());
    if ("/permitAll".equals(request.getRequestURI())) {

        request = new HttpServletRequestWrapper(request) {
            private Set<String> headerNameSet;

            @Override
            public Enumeration<String> getHeaderNames() {
                if (headerNameSet == null) {
                    // first time this method is called, cache the wrapped request's header names:
                    headerNameSet = new HashSet<>();
                    Enumeration<String> wrappedHeaderNames = super.getHeaderNames();
                    while (wrappedHeaderNames.hasMoreElements()) {
                        String headerName = wrappedHeaderNames.nextElement();
                        if (!"Authorization".equalsIgnoreCase(headerName)) {
                            headerNameSet.add(headerName);
                        }
                    }
                }
                return Collections.enumeration(headerNameSet);
            }

            @Override
            public Enumeration<String> getHeaders(String name) {
                if ("Authorization".equalsIgnoreCase(name)) {
                    return Collections.<String>emptyEnumeration();
                }
                return super.getHeaders(name);
            }

            @Override
            public String getHeader(String name) {
                if ("Authorization".equalsIgnoreCase(name)) {
                    return null;
                }
                return super.getHeader(name);
            }
        };

    }
    filterChain.doFilter(request, response);

}

    }

    添加PermitAllSecurityConfig配置
    添加PermitAllSecurityConfig配置用于配置PermitAuthenticationFilter

    @Component(“permitAllSecurityConfig”)
    public class PermitAllSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain,HttpSecurity> {

    @Autowired
private Filter permitAuthenticationFilter;

@Override
public void configure(HttpSecurity http) throws Exception {
    http.addFilterBefore(permitAuthenticationFilter, OAuth2AuthenticationProcessingFilter.class);
}

    }
    复制代码

    修改MerryyouResourceServerConfig,增加对制定路径的授权

    @Override
    public void configure(HttpSecurity http) throws Exception {

        // @formatter:off
    http.formLogin()
            .successHandler(appLoginInSuccessHandler)//登录成功处理器
            .and()
            .apply(permitAllSecurityConfig)
            .and()
            .authorizeRequests()
            .antMatchers("/user").hasRole("USER")
            .antMatchers("/forbidden").hasRole("ADMIN")
            .antMatchers("/permitAll").permitAll()
            .anyRequest().authenticated().and()
            .csrf().disable();

    // @formatter:ON
}
    cs
    上一篇:m0_51945027的博客:《JWT 三万字详解》
    下一篇:没有了