The weasel set up a tablet on the cliff of the chicken farm, writing: “If you don’t fly down bravely, how do you know you aren’t an eagle fighting in the sky?!”

From then on

Weasels eat dead chickens every day at the bottom of the cliff!


Preface

A path can be opened up with antMatchers("/permitAll").permitAll(), but if the request header carries Authorization: Bearer XXXX, OAuth2AuthenticationProcessingFilter will still check the validity of the token: if the token is valid, the request proceeds normally, otherwise the request fails. The requirement is that a path configured with .permitAll() be accessible directly, even if the request carries a token.

Solution

As described in Spring Security Source Analysis 1: the Spring Security authentication process, Spring Security authentication is a chain of filters. We need to define a filter that runs earlier than OAuth2AuthenticationProcessingFilter, intercepts the specified request, and removes the Authorization: Bearer XXXX header so that the token check never sees it.

Code changes

Add PermitAuthenticationFilter class

Add a PermitAuthenticationFilter class that intercepts the specified request and hides its Authorization: Bearer XXXX header from everything later in the chain.

import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component("permitAuthenticationFilter")
@Slf4j
public class PermitAuthenticationFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {

        log.info("Currently accessed address: {}", request.getRequestURI());
        if ("/permitAll".equals(request.getRequestURI())) {
            // Wrap the request so that downstream filters (including
            // OAuth2AuthenticationProcessingFilter) never see the Authorization header.
            request = new HttpServletRequestWrapper(request) {
                private Set<String> headerNameSet;

                @Override
                public Enumeration<String> getHeaderNames() {
                    if (headerNameSet == null) {
                        // First call: cache the wrapped request's header names, minus Authorization.
                        headerNameSet = new HashSet<>();
                        Enumeration<String> wrappedHeaderNames = super.getHeaderNames();
                        while (wrappedHeaderNames.hasMoreElements()) {
                            String headerName = wrappedHeaderNames.nextElement();
                            if (!"Authorization".equalsIgnoreCase(headerName)) {
                                headerNameSet.add(headerName);
                            }
                        }
                    }
                    return Collections.enumeration(headerNameSet);
                }

                @Override
                public Enumeration<String> getHeaders(String name) {
                    if ("Authorization".equalsIgnoreCase(name)) {
                        return Collections.<String>emptyEnumeration();
                    }
                    return super.getHeaders(name);
                }

                @Override
                public String getHeader(String name) {
                    if ("Authorization".equalsIgnoreCase(name)) {
                        return null;
                    }
                    return super.getHeader(name);
                }
            };
        }
        filterChain.doFilter(request, response);
    }
}
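As an added example (not code from the original post), the same idea generalized to a list of Ant-style permitAll patterns instead of one hard-coded URI; the class name, constructor and HeaderHidingRequest helper are assumptions of this example:

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical generalization of PermitAuthenticationFilter: hides the Authorization
// header on every request whose servlet path matches one of the configured Ant patterns.
public class PermitPathsAuthorizationStrippingFilter extends OncePerRequestFilter {
    private static final String AUTHORIZATION = "Authorization";
    private final AntPathMatcher matcher = new AntPathMatcher();
    private final List<String> permitPatterns;

    public PermitPathsAuthorizationStrippingFilter(List<String> permitPatterns) {
        this.permitPatterns = permitPatterns; // e.g. "/permitAll", "/public/**"
    }

    // Match on the servlet path rather than getRequestURI(): the latter also carries the
    // context path, so an exact "/permitAll" comparison stops matching under "/app".
    boolean isPermitPath(HttpServletRequest request) {
        String path = request.getServletPath();
        return permitPatterns.stream().anyMatch(pattern -> matcher.match(pattern, path));
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        chain.doFilter(isPermitPath(request) ? new HeaderHidingRequest(request, AUTHORIZATION) : request, response);
    }

    // Hides one header from all three accessors. Overriding only getHeader() is not enough:
    // code that reads the header through getHeaders(name) would still see the token.
    static final class HeaderHidingRequest extends HttpServletRequestWrapper {
        private final String hidden;
        HeaderHidingRequest(HttpServletRequest request, String hidden) { super(request); this.hidden = hidden; }
        @Override public String getHeader(String name) { return hidden.equalsIgnoreCase(name) ? null : super.getHeader(name); }
        @Override public Enumeration<String> getHeaders(String name) {
            return hidden.equalsIgnoreCase(name) ? Collections.<String>emptyEnumeration() : super.getHeaders(name);
        }
        @Override public Enumeration<String> getHeaderNames() {
            List<String> names = Collections.list(super.getHeaderNames());
            names.removeIf(hidden::equalsIgnoreCase);
            return Collections.enumeration(names);
        }
    }
}
```

Because the header is hidden, handlers behind these patterns never see the caller's identity, so the pattern list should contain only paths that are genuinely public.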

Add the PermitAllSecurityConfig configuration

Add a PermitAllSecurityConfig configuration that registers PermitAuthenticationFilter in front of OAuth2AuthenticationProcessingFilter.

import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.stereotype.Component;

@Component("permitAllSecurityConfig")
public class PermitAllSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
    @Autowired
    private Filter permitAuthenticationFilter;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Run our filter before the token check so the header is already gone by then.
        http.addFilterBefore(permitAuthenticationFilter, OAuth2AuthenticationProcessingFilter.class);
    }
}

Modify MerryyouResourceServerConfig to apply the configuration and set the authorization rules for each path

    @Override
    public void configure(HttpSecurity http) throws Exception {

        // @formatter:off
        http.formLogin()
                .successHandler(appLoginInSuccessHandler) // Successful login handler
                .and()
                .apply(permitAllSecurityConfig) // Registers PermitAuthenticationFilter ahead of the token check
                .and()
                .authorizeRequests()
                .antMatchers("/user").hasRole("USER")
                .antMatchers("/forbidden").hasRole("ADMIN")
                .antMatchers("/permitAll").permitAll() // Open path; the filter hides its Authorization header
                .anyRequest().authenticated().and()
                .csrf().disable();
        // @formatter:on
    }
  • For a description of each path, see: Test the Spring Security OAuth2 API with Spring MVC

Modify the test class SecurityOauth2Test

Add the permitAllWithTokenTest method

    @Test
    public void permitAllWithTokenTest() throws Exception {
        final String accessToken = obtainAccessToken();
        log.info("access_token={}", accessToken);
        // "11" is appended to make the bearer token invalid; the request must still succeed.
        String content = mockMvc.perform(get("/permitAll").header("Authorization", "bearer " + accessToken + "11"))
                .andExpect(status().isOk())
                .andReturn().getResponse().getContentAsString();
        log.info(content);
    }
  • In Authorization: bearer xxx11, the two extra characters "11" are appended to the token so that it is no longer valid.

Results

When permitAllSecurityConfig is not configured: (screenshot in the original post)

When permitAllSecurityConfig is configured: (screenshot in the original post)

Code download

  • Github:github.com/longfeizhen…
  • Gitee:gitee.com/merryyou/se…
