彈簧（引導）安全預認證與允許的資源仍然認證

Question

我使用Spring Boot 1.5.6（也試過1.5.4）。 我使用的是

RequestHeaderAuthenticationFilter 

和

PreAuthenticatedAuthenticationProvider 

，以確保我的Spring MVC的Web應用程序，並允許訪問這兩個控制器的路徑和靜態資源。

在我

RequestHeaderAuthenticationFilter 

成立我想

setExceptionIfHeaderMissing(true); 

，讓我知道，如果頭變量在請求被髮送。

當我嘗試訪問任何許可的資源的使用，Spring Security看起來總是在請求頭變量，並拋出一個

PreAuthenticatedCredentialsNotFoundException 

爲什麼春季安全仍試圖查找該預驗證主要即使我正在嘗試訪問允許的（不受保護的）資源？ 我如何繞過這種行爲？

我對WebSecurityConfigurerAdapter Java的配置低於

@Configuration 
@EnableWebSecurity 
public class SecurityConfig extends WebSecurityConfigurerAdapter{ 


private static final Logger log = LoggerFactory.getLogger(SecurityConfig.class); 


@Autowired 
protected UserDetailsService userDetailsService; 



@Bean 
public PreAuthenticatedAuthenticationProvider preAuthenticatedAuthenticationProvider(){ 

    log.info("Configuring pre authentication provider"); 

    UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = 
      new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(
        userDetailsService); 

    PreAuthenticatedAuthenticationProvider it = new PreAuthenticatedAuthenticationProvider(); 
    it.setPreAuthenticatedUserDetailsService(wrapper); 

    return it;  
} 

@Bean 
public RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter() throws Exception{ 

    RequestHeaderAuthenticationFilter it = new RequestHeaderAuthenticationFilter(); 
    it.setAuthenticationManager(authenticationManager()); 
    it.setExceptionIfHeaderMissing(true); 
    return it; 
} 

@Override 
public void configure(AuthenticationManagerBuilder auth) throws Exception { 
    log.info("configure authentication provider"); 
    auth.authenticationProvider(preAuthenticatedAuthenticationProvider()); 

} 


@Override 
protected void configure(HttpSecurity http) throws Exception { 
    log.info("Configure HttpSecurity"); 
    http 
     .authorizeRequests() 
      .antMatchers("/permitted/**", "/css/**", "/js/**", "/images/**", "/webjars/**") 
       .permitAll() 
      .anyRequest() 
        .authenticated() 
      .and().addFilter(requestHeaderAuthenticationFilter()) 

    ; 
}  


@Override 
public void configure(WebSecurity web) throws Exception { 
    web 
     .ignoring() 
      .antMatchers("/permitted/**", "/css/**", "/js/**", "/images/**", "/webjars/**"); 
} 
} 

Answer 1

我有同樣的問題，事實證明這是相關的事實，除了被註冊到SecurityFilterChain，春天引導也註冊RequestHeaderAuthenticationFilter與Servlet上下文。解決方法是使用FilterRegistrationBean來防止Boot通過Servlet Context自動註冊過濾器。

更多細節在這裏： Spring Boot Security PreAuthenticated Scenario with Anonymous access