如何在多个SecurityFilterChain中添加额外的requestMatchers?

huangapple go评论97阅读模式
英文:

How to add additional requestMatchers in multiple SecurityFilterChain?

问题

以下是您要翻译的内容:

第一个 @Bean 如下所示:

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(auth -> auth
        .requestMatchers("/api/core/**").permitAll()
        .anyRequest().authenticated()
    );

    return http.build();
}

而第二个 @Bean 应该添加额外的 requestMatchers

@Bean
public SecurityFilterChain filterChainAdditional(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(auth -> auth
        .requestMatchers("/api/module2/**").permitAll()
        .anyRequest().authenticated()
    );

    return http.build();
}

不幸的是,第二个方法 filterChainAdditional 按预期顺序被正确调用。
但它不扩展 requestMatchers

更加奇怪的是,在第二个 Bean 中,所有的 requestMatchers 似乎在 HttpSecurity 上下文中都不可用。

有人知道如何解决这个问题吗?

英文:

Lets assume I am adding some security in Spring Boot 3 using the SecurityFilterChain @Bean multiple times.

The first @Bean looks as follow:

<!-- laguage: java -->

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
	http.authorizeHttpRequests(auth -&gt; auth
		.requestMatchers(&quot;/api/core/**&quot;).permitAll()
		.anyRequest().authenticated()
	);

	return http.build();
}

While the second @Bean is supposed to add additional requestMatchers

<!-- language: java -->

@Bean
public SecurityFilterChain filterChainAdditional(HttpSecurity http) throws Exception {
	http.authorizeHttpRequests(auth -&gt; auth
		.requestMatchers(&quot;/api/module2/**&quot;).permitAll()
		.anyRequest().authenticated()
	);

	return http.build();
}

Unfortunately, the second method filterChainAdditional is correctly called in the expected order.
But it does not extend the requestMatchers.

Even more curious in the second bean all requestMatchers seem to be unavailable in the HttpSecurity context.

Anyone has an idea how to solve this probably?

答案1

得分: 2

根据我的理解,SecurityFilterChain beans 不会合并 requestMatchers,它们只会执行匹配的过滤器。

可能可行的选项(没有进行检查):

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .securityMatcher("/api/core/**")
        .authorizeHttpRequests(auth -> auth
            .requestMatchers("/api/core/**").permitAll()
            .anyRequest().authenticated()
        );

    return http.build();
}

@Bean
public SecurityFilterChain filterChainAdditional(HttpSecurity http) throws Exception {
    http
        .securityMatcher("/api/module2/**")
        .authorizeHttpRequests(auth -> auth
            .requestMatchers("/api/module2/**").permitAll()
            .anyRequest().authenticated()
        );

    return http.build();
}
英文:

As I understand. SecurityFilterChain beans do not merge requestMatchers they just execute matched filters.

Option that may work (didn't check):

<!-- language: java -->

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .securityMatcher(&quot;/api/core/**&quot;)
        .authorizeHttpRequests(auth -&gt; auth
            .requestMatchers(&quot;/api/core/**&quot;).permitAll()
            .anyRequest().authenticated()
        );
    
    return http.build();
}
@Bean
public SecurityFilterChain filterChainAdditional(HttpSecurity http) throws Exception {
    http
        .securityMatcher(&quot;/api/module2/**&quot;)
        .authorizeHttpRequests(auth -&gt; auth
            .requestMatchers(&quot;/api/module2/**&quot;).permitAll()
            .anyRequest().authenticated()
    );

    return http.build();
}

huangapple
  • 本文由 发表于 2023年3月3日 18:29:17
  • 转载请务必保留本文链接:https://go.coder-hub.com/75625901.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定