這個彈簧安全配置爲什麼會阻塞所有路徑？

Question

public class AuthenticationFilter extends GenericFilterBean { 

SecureService secureService; 

public AuthenticationFilter(SecureService secureService) { 
    this.secureService=secureService; 
} 

@Override 
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { 
    HttpServletRequest httpServletRequest=(HttpServletRequest)servletRequest; 
    Authentication authentication=secureService.getAuthentication(httpServletRequest); 
    if(authentication!=null) { 
     SecurityContextHolder.getContext().setAuthentication(authentication); 
     filterChain.doFilter(servletRequest, servletResponse); 
     SecurityContextHolder.getContext().setAuthentication(null); 
    } 
} 

} 


@Configuration 
@EnableWebSecurity 
public class AppSecurityConfiguration extends WebSecurityConfigurerAdapter { 

@Autowired 
SecureService secureService; 
@Override 
protected void configure(HttpSecurity http) throws Exception { 
    http.addFilterBefore(new AuthenticationFilter(secureService), BasicAuthenticationFilter.class) 
      .authorizeRequests() 
      .antMatchers(HttpMethod.GET, "/businesses/**").permitAll() 
      .antMatchers(HttpMethod.GET, "https://stackoverflow.com/users/login").permitAll() 
      .antMatchers(HttpMethod.POST, "https://stackoverflow.com/users/").permitAll() 
      .antMatchers(HttpMethod.GET, "/reviews/").permitAll() 
      .antMatchers(HttpMethod.GET, "/reviews/search").permitAll() 
      .antMatchers(HttpMethod.GET, "/reviews/**").permitAll() 
      .antMatchers("/").permitAll().and() 
      .authorizeRequests().anyRequest().authenticated(); 
} 
    @Bean 
    public AuthenticationManager authenticationManager() throws Exception { 
     return super.authenticationManagerBean(); 
    } 
} 

這個配置有什麼問題？我跟着這個link寫URL認證。但是我的應用一直阻止所有請求，忽略代碼中指定的所有匹配器。我搜索了一下，有人說規則的順序很重要。但即使我改變了訂單，AuthenticationFilter一直被調用，並保持阻止所有請求。

Answer 1

問題是您中斷了過濾器鏈。按照以下步驟操作，它應該可以工作。

@Override 
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { 
    HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest; 

     Authentication authentication = secureService.getAuthentication(httpServletRequest); 
     if (authentication != null) { 
      SecurityContextHolder.getContext().setAuthentication(authentication); 

     } 

     filterChain.doFilter(servletRequest, servletResponse); 
     SecurityContextHolder.getContext().setAuthentication(null); 
    } 

另一件事是，你扔一個UserNotFoundException你SecureService內如果HttpServlerRequest不包含身份驗證。 在這種情況下，你認爲在AuthenticationFilter中看起來爲空？

public Authentication getAuthentication(HttpServletRequest httpServletRequest) { 
    final String token=httpServletRequest.getHeader(Headers.AUTH_HEADER_NAME); 
    if(token!=null){ 
     final User user=parseToken(token); 
     if(user!=null){ 
      return new UserAuthentication(user); 
     } 
    } 
    return null; 
} 

，如果你想保持UserNotFoundException那麼只有改變doFilterMethod以下：所以在SecureService如果沒有認證存在返回null

@Override 
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { 
    HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest; 

    try { 
     Authentication authentication = secureService.getAuthentication(httpServletRequest); 
     if (authentication != null) { 
      SecurityContextHolder.getContext().setAuthentication(authentication); 
     } 
    }catch(UserNotFoundException e){ 
    }finally { 
     filterChain.doFilter(servletRequest, servletResponse); 
     SecurityContextHolder.getContext().setAuthentication(null); 
    } 

}