Spring过滤器无法绕过某些请求

Question

@EnableWebSecurity
public class SecurityTokenConfig extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
    .csrf().disable()
        // make sure we use stateless session; session won't be used to store user's state.
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)     
    .and()
        // handle an authorized attempts 
        .exceptionHandling().authenticationEntryPoint((req, rsp, e) -> rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED))  
    .and()
       // Add a filter to validate the tokens with every request
       .addFilterBefore(new JwtTokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
    // authorization requests config
    .authorizeRequests()
       // allow all who are accessing "auth" service
       .antMatchers(HttpMethod.POST, "/${basePath:/}${version:/}/session/**").permitAll()  
       // must be an admin if trying to access admin area (authentication is also required here)
       // Any other request must be authenticated
       .anyRequest().authenticated(); 

}

}

上述过滤器无法允许 /session 请求绕过“JwtTokenAuthenticationFilter”。

有人知道这是什么问题吗？

Answer 1

您可以通过覆盖configure(WebSecurity) 方法以另一种方式实现它，如下所示：

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("**/session/**");
}

并删除antMatchers(HttpMethod.POST, "/${basePath:/}${version:/}/session/**").permitAll()