Spring Security 全体でその URL を無視させたいのですか？それとも、その特定のフィルターだけがリクエストを無視するようにしたいのですか？ Spring Security 全体でリクエストを無視させる場合は、次のように設定できます（この場合、該当するリクエストは Spring Security のフィルターチェーンを一切通りません）。
/**
 * Security configuration in which selected requests bypass Spring Security entirely.
 *
 * <p>Requests listed under {@code WebSecurity.ignoring()} are not processed by any Spring
 * Security filter. That includes the token filter registered below, and also everything else
 * in the chain: no security context is populated, and no CSRF checks or security response
 * headers are applied to them. Keep that list limited to requests that need no protection.
 *
 * <p>{@code WebSecurityConfigurerAdapter} and {@code antMatchers} were deprecated in Spring
 * Security 5.7 / 5.8 and removed in 6.0, so this listing applies to the 5.x line.
 */
@Configuration
@EnableWebSecurity
@Import(MyAppConfig.class)
public class MySecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private MyTokenUserInfoCache userInfoCache;

    @Autowired
    private ServerStatusService serverStatusService;

    /**
     * Declares the requests that every Spring Security filter skips.
     */
    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        // All of Spring Security will ignore these requests: static resources and POST /login.
        // POST /login is therefore handled without any Spring Security protection at all.
        webSecurity.ignoring()
                .antMatchers("/resources/**")
                .antMatchers(HttpMethod.POST, "/login");
    }

    /**
     * Registers the token filter, the authorization rule for /login, HTTP Basic and the
     * stateless session policy.
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.addFilter(tokenInfoTokenFilterSecurityInterceptor());

        // No HTTP method is given, so this permits GET /login (and every other method) too.
        // Do you really want that?
        // NOTE(review): no anyRequest() rule is declared here; presumably the token
        // interceptor enforces access for all other URLs. Confirm before relying on it.
        http.authorizeRequests()
                .antMatchers("/login").permitAll();

        http.httpBasic();

        // STATELESS: Spring Security neither creates nor uses an HttpSession for the
        // security context, so each request has to authenticate by itself.
        http.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    /**
     * Builds the token filter from the injected cache and server-status service.
     */
    @Bean
    public TokenFilterSecurityInterceptor<TokenInfo> tokenInfoTokenFilterSecurityInterceptor()
            throws Exception {
        TokenService<TokenInfo> tokens = new TokenServiceImpl(userInfoCache);
        return new TokenFilterSecurityInterceptor<>(tokens, serverStatusService, "RUN_ROLE");
    }
}
その特定のフィルターのみが特定のリクエストを無視するようにしたい場合は、次のようにすることができます。
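/**
 * Security configuration in which only the token filter skips selected requests.
 *
 * <p>Unlike {@code WebSecurity.ignoring()}, the requests matched in
 * {@link #tokenInfoTokenFilterSecurityInterceptor()} still pass through the rest of the Spring
 * Security filter chain, so the authorization rules, HTTP Basic and the session policy
 * configured in {@link #configure(HttpSecurity)} continue to apply to them.
 *
 * <p>{@code WebSecurityConfigurerAdapter} and {@code antMatchers} were deprecated in Spring
 * Security 5.7 / 5.8 and removed in 6.0, so this listing applies to the 5.x line.
 */
@Configuration
@EnableWebSecurity
@Import(MyAppConfig.class)
public class MySecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private MyTokenUserInfoCache userInfoCache;

    @Autowired
    private ServerStatusService serverStatusService;

    /**
     * Declares the requests that every Spring Security filter skips; none in this variant.
     */
    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        // Whatever is added here is ignored by ALL of Spring Security (no filter runs for it),
        // so add matchers only for requests that need no protection. Nothing is registered
        // in this variant because only the token filter should skip requests.
        webSecurity
                .ignoring();
    }

    /**
     * Registers the wrapped token filter, the authorization rule for /login, HTTP Basic and
     * the stateless session policy.
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                // NOTE(review): addFilter() only accepts filter classes that Spring Security
                // has a registered order for. The wrapper returned here is a plain Filter, so
                // this probably has to become addFilterBefore/addFilterAfter with an explicit
                // position. Confirm against the intended place of the token filter.
                .addFilter(tokenInfoTokenFilterSecurityInterceptor())
                .authorizeRequests()
                // No HTTP method is given, so this permits GET /login (and every other
                // method) too. Do you really want that?
                // NOTE(review): no anyRequest() rule is declared; presumably the token
                // interceptor enforces access for all other URLs. Confirm.
                .antMatchers("/login").permitAll()
                .and()
                .httpBasic().and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    /**
     * Builds the token filter and wraps it so that it is skipped for static resources and
     * for POST /login.
     *
     * <p>The declared return type is the wrapper, because that is what the method returns;
     * the wrapper is not a {@code TokenFilterSecurityInterceptor}.
     *
     * <p>NOTE(review): if this runs under Spring Boot, a {@code Filter} exposed as a bean is
     * also registered with the servlet container by default, which would run it a second time
     * outside the security chain. Verify how the bean is registered.
     *
     * @return a filter that delegates to the token filter for all non-ignored requests
     */
    @Bean
    public DelegateRequestMatchingFilter tokenInfoTokenFilterSecurityInterceptor()
            throws Exception {
        TokenService<TokenInfo> tokenService = new TokenServiceImpl(userInfoCache);
        TokenFilterSecurityInterceptor<TokenInfo> tokenFilter =
                new TokenFilterSecurityInterceptor<TokenInfo>(
                        tokenService, serverStatusService, "RUN_ROLE");

        RequestMatcher resourcesMatcher = new AntPathRequestMatcher("/resources/**");
        RequestMatcher postLoginMatcher = new AntPathRequestMatcher("/login", "POST");
        RequestMatcher ignored = new OrRequestMatcher(resourcesMatcher, postLoginMatcher);

        // The delegate must be the token filter itself (not the TokenService), otherwise
        // no token check would ever run for the non-ignored requests.
        return new DelegateRequestMatchingFilter(ignored, tokenFilter);
    }
}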
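/**
 * Servlet filter that runs a delegate filter for every request except those matched by a
 * given {@code RequestMatcher}.
 *
 * <p>Matched requests skip only the delegate; they are still handed to the remaining filters
 * in the chain. Requests that do not match are passed to the delegate, which decides whether
 * the chain continues.
 *
 * <p>NOTE(review): on Servlet API versions older than 4.0, {@code Filter.init} and
 * {@code Filter.destroy} have no default implementation and must be added here as well.
 */
public class DelegateRequestMatchingFilter implements Filter {
    private final Filter delegate;
    private final RequestMatcher ignoredRequests;

    /**
     * @param matcher  requests for which the delegate must NOT run
     * @param delegate filter to run for all other requests
     */
    public DelegateRequestMatchingFilter(RequestMatcher matcher, Filter delegate) {
        this.ignoredRequests = matcher;
        this.delegate = delegate;
    }

    /**
     * Skips the delegate for ignored requests and invokes it for everything else.
     *
     * <p>The exception types are fully qualified because this listing shows no import block;
     * {@code javax.servlet} is the servlet package of the Spring Security 5.x line that still
     * ships {@code WebSecurityConfigurerAdapter}.
     *
     * @throws ClassCastException if {@code req} is not an {@code HttpServletRequest}
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws java.io.IOException, javax.servlet.ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (ignoredRequests.matches(request)) {
            // FilterChain.doFilter takes only the request and the response.
            chain.doFilter(req, resp);
        } else {
            delegate.doFilter(req, resp, chain);
        }
    }
}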