The weasel set up a tablet on the cliff of the chicken farm, writing: “If you don’t fly down bravely, how do you know you are an eagle fighting in the sky?!”

From then on, the weasel ate dead chickens every day at the bottom of the cliff!


The problem: a path is configured with antMatchers("/permitAll").permitAll(), but if the request header carries Authorization: Bearer xxxx, OAuth2AuthenticationProcessingFilter still checks the correctness of the token. If the token is valid, the path can be accessed normally; otherwise, the request fails. The requirement is that a path configured with .permitAll() can be accessed directly, even if the request carries a token.


According to the Spring Security source code analysis article on the Spring Security authentication process, Spring Security authentication is implemented as a chain of filters. We need to define a filter that intercepts the specified request earlier than OAuth2AuthenticationProcessingFilter and removes the Authorization: Bearer xxxx header.

Code changes

Add PermitAuthenticationFilter class

Add a PermitAuthenticationFilter class that intercepts the specified request and empties the Authorization: Bearer xxxx header.

import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.slf4j.*;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Registered as a bean so that PermitAllSecurityConfig can inject it
@Component("permitAuthenticationFilter")
public class PermitAuthenticationFilter extends OncePerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger(PermitAuthenticationFilter.class);

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        log.info("Currently accessed address: {}", request.getRequestURI());
        if ("/permitAll".equals(request.getRequestURI())) {
            // Wrap the request so that filters further down the chain never see the Authorization header
            request = new HttpServletRequestWrapper(request) {
                private Set<String> headerNameSet;

                @Override
                public Enumeration<String> getHeaderNames() {
                    if (headerNameSet == null) {
                        // first time this method is called, cache the wrapped request's header names:
                        headerNameSet = new HashSet<>();
                        Enumeration<String> wrappedHeaderNames = super.getHeaderNames();
                        while (wrappedHeaderNames.hasMoreElements()) {
                            String headerName = wrappedHeaderNames.nextElement();
                            if (!"Authorization".equalsIgnoreCase(headerName)) { headerNameSet.add(headerName); }
                        }
                    }
                    return Collections.enumeration(headerNameSet);
                }

                @Override
                public Enumeration<String> getHeaders(String name) {
                    if ("Authorization".equalsIgnoreCase(name)) {
                        return Collections.<String>emptyEnumeration();
                    }
                    return super.getHeaders(name);
                }

                @Override
                public String getHeader(String name) {
                    if ("Authorization".equalsIgnoreCase(name)) {
                        return null;
                    }
                    return super.getHeader(name);
                }
            };
        }
        filterChain.doFilter(request, response);
    }
}

Add the PermitAllSecurityConfig configuration

Add the PermitAllSecurityConfig configuration, which is used to register PermitAuthenticationFilter in the filter chain.

@Component("permitAllSecurityConfig")
public class PermitAllSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {

    @Autowired
    private Filter permitAuthenticationFilter;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Must run before OAuth2AuthenticationProcessingFilter, which is the filter that validates the token
        http.addFilterBefore(permitAuthenticationFilter, OAuth2AuthenticationProcessingFilter.class);
    }
}

Modify MerryyouResourceServerConfig to add the authorization rule for the specified path

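    public void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http.formLogin()
                .successHandler(appLoginInSuccessHandler) // Successful login handler
                .and()
                .apply(permitAllSecurityConfig) // registers PermitAuthenticationFilter
                .and()
                .authorizeRequests()
                // rules for the other paths are omitted here
                .antMatchers("/permitAll").permitAll();
        // @formatter:on
    }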
  • For a description of each path, see: Test the Spring Security Oauth2 API with Spring MVC

Modify the test class SecurityOauth2Test

Add the permitAllWithTokenTest method

    @Test
    public void permitAllWithTokenTest() throws Exception {
        final String accessToken = obtainAccessToken();
        log.info("access_token={}", accessToken);
        String content = mockMvc.perform(get("/permitAll").header("Authorization", "bearer " + accessToken + "11"))
                .andReturn().getResponse().getContentAsString();
    }
  • In the Authorization header, bearer xxx is followed by two arbitrary characters (11).

The results are as follows

When permitAllSecurityConfig is not configured

When configuring permitAllSecurityConfig
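
A unit test for PermitAuthenticationFilter, added here as an example (it is not part of the original post or the project's code): it checks that the Authorization header is hidden only for the exact URI /permitAll and still reaches the rest of the filter chain on every other path. It assumes JUnit 4 and spring-test on the classpath; the /user path, the token value and the test class name are constructed for the example.

```java
import static org.junit.Assert.*;

import java.util.Collections;
import javax.servlet.http.HttpServletRequest;
import org.junit.Test;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

// Hypothetical test class name; place it in the same package as PermitAuthenticationFilter.
public class PermitAuthenticationFilterTest {

    private final PermitAuthenticationFilter filter = new PermitAuthenticationFilter();

    // Runs the filter and returns the request object it hands to the rest of the chain.
    private HttpServletRequest passThrough(String uri) throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", uri);
        request.addHeader("Authorization", "bearer constructed-token"); // constructed sample value
        request.addHeader("Accept", "application/json");
        MockFilterChain chain = new MockFilterChain();
        filter.doFilter(request, new MockHttpServletResponse(), chain);
        return (HttpServletRequest) chain.getRequest();
    }

    @Test
    public void headerIsHiddenOnPermitAllPath() throws Exception {
        HttpServletRequest seen = passThrough("/permitAll");
        assertNull(seen.getHeader("Authorization"));
        assertNull(seen.getHeader("authorization")); // header names are case-insensitive
        assertFalse(seen.getHeaders("Authorization").hasMoreElements());
        assertFalse(Collections.list(seen.getHeaderNames()).contains("Authorization"));
        assertEquals("application/json", seen.getHeader("Accept")); // other headers are untouched
    }

    @Test
    public void headerIsKeptOnEveryOtherPath() throws Exception {
        // On a protected path (hypothetical /user) the token must still reach
        // OAuth2AuthenticationProcessingFilter so that it is validated.
        assertEquals("bearer constructed-token", passThrough("/user").getHeader("Authorization"));
        // The filter compares the URI with equals(), so near-miss URIs are not
        // treated as /permitAll and their tokens are still checked.
        assertNotNull(passThrough("/permitAll/").getHeader("Authorization"));
        assertNotNull(passThrough("/permitAllX").getHeader("Authorization"));
    }
}
```

Because the filter uses an exact string comparison while antMatchers uses Ant-style path matching, the second test documents where the two can disagree: on such URIs the token is still validated, so the mismatch fails closed.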

The code download

