Creating an unsecure endpoint for login on a secured Spring Boot RESTful API - WebConfig seemingly ignored
【Posted】: 2016-12-31 22:38:29
【Question】: Thanks for checking out my question!
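What I want to do:
I want my RESTful API to have an unsecured endpoint /auth/login, which allows clients to obtain a JWT token for secured access.
What I have done:
I have a RESTful API that I created through quick initialization using Spring Initializr with the Spring Security module enabled. After hours of searching for tutorials and guides (Spring Security is hard to understand), I stumbled upon this guide, which severely lacks code, but in the end I found a GitLab repo with a full implementation of the guide, so I downloaded the security folder entirely. The only problem is that the given implementation is configured to authenticate all URLs (as seen here on line 60), while I want /auth/login to be unsecured. Therefore, I have changed the configuration override to permit all requests to my desired unsecured endpoint: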
WebSecurityConfig.java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import java.util.Arrays;

@Configuration
@SuppressWarnings("SpringJavaAutowiringInspection")
@EnableWebSecurity
@EnableAutoConfiguration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private JwtAuthenticationEntryPoint unauthorizedHandler;

    @Autowired
    private JwtAuthenticationProvider authenticationProvider;

    @Bean
    @Override
    public AuthenticationManager authenticationManager() throws Exception {
        return new ProviderManager(Arrays.asList(authenticationProvider));
    }

    @Bean
    public JwtAuthenticationTokenFilter authenticationTokenFilterBean() throws Exception {
        JwtAuthenticationTokenFilter authenticationTokenFilter = new JwtAuthenticationTokenFilter();
        authenticationTokenFilter.setAuthenticationManager(authenticationManager());
        authenticationTokenFilter.setAuthenticationSuccessHandler(new JwtAuthenticationSuccessHandler());
        return authenticationTokenFilter;
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring()
                .antMatchers("/auth/login/");
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                // we don't need CSRF because our token is invulnerable
                .csrf().disable()
                .authorizeRequests()
                // allow anonymous resource requests
                .antMatchers("/auth/login").permitAll()
                // All urls must be authenticated (filter for token always fires (/**)
                .anyRequest().authenticated()
                .and()
                // Call our errorHandler if authentication/authorisation fails
                .exceptionHandling().authenticationEntryPoint(unauthorizedHandler)
                .and()
                // don't create session
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); //.and()
        // Custom JWT based security filter
        httpSecurity
                .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
        // disable page caching
        httpSecurity.headers().cacheControl();
    }
}
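What's the problem?
For some reason, whenever I try to make a token-less request to /auth/login, my server's response is still:
{"timestamp":1472057590171,"status":401,"error":"Unauthorized","message":"Authentication Failed: No JWT token found in request headers","path":"/auth/login"}
If I make the request with a token, as I do for secured endpoints, the response is 200 OK with all the correct response body.
It is almost as if the server is ignoring my configuration. In JwtAuthenticationTokenFilter.java, the constructor's super call contains a string that indicates the path the filter is applied to. In my case it is applied to /**, that is, all paths. According to this guide, the configuration should override it.
Extra data for debugging: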
JwtAuthenticationTokenFilter.java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Filter that orchestrates authentication by using supplied JWT token
 *
 * @author pascal alma
 */
public class JwtAuthenticationTokenFilter extends AbstractAuthenticationProcessingFilter {

    @Value("${jwt.header}")
    private String tokenHeader;

    public JwtAuthenticationTokenFilter() {
        super("/**");
    }

    /**
     * Attempt to authenticate request - basically just pass over to another method to authenticate request headers
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {
        String header = request.getHeader(this.tokenHeader);
        if (header == null || !header.startsWith("Bearer ")) {
            throw new JwtTokenMissingException("No JWT token found in request headers");
        }
        String authToken = header.substring(7);
        JwtAuthenticationToken authRequest = new JwtAuthenticationToken(authToken);
        return getAuthenticationManager().authenticate(authRequest);
    }

    /**
     * Make sure the rest of the filterchain is satisfied
     *
     * @param request
     * @param response
     * @param chain
     * @param authResult
     * @throws IOException
     * @throws ServletException
     */
    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult)
            throws IOException, ServletException {
        super.successfulAuthentication(request, response, chain, authResult);
        // As this authentication is in HTTP header, after success we need to continue the request normally
        // and return the response as if the resource was not secured at all
        chain.doFilter(request, response);
    }
}
AuthController.java
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/auth")
public class AuthController {

    @RequestMapping(path="/login", method = RequestMethod.GET)
    public String response() {
        return "Hey!";
    }
}
Spring Boot log (including one unauthorized request to the supposedly unsecured /auth/login)
. ____ _ __ _ _
/\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
\\/ ___)| |_)| | | | | || (_| | ) ) ) )
' |____| .__|_| |_|_| |_\__, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: (v1.4.0.RELEASE)
2016-08-25 01:02:46.367 INFO 21486 --- [ main] com.BackendApplication : No active profile set, falling back to default profiles: default
2016-08-25 01:02:46.423 INFO 21486 --- [ main] ationConfigEmbeddedWebApplicationContext : Refreshing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@384ad17b: startup date [Thu Aug 25 01:02:46 HKT 2016]; root of context hierarchy
2016-08-25 01:02:47.390 INFO 21486 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration' of type [class org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration$$EnhancerBySpringCGLIB$$afc52b37] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2016-08-25 01:02:47.424 INFO 21486 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration' of type [class org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration$$EnhancerBySpringCGLIB$$4872f371] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2016-08-25 01:02:47.432 INFO 21486 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'objectPostProcessor' of type [class org.springframework.security.config.annotation.configuration.AutowireBeanFactoryObjectPostProcessor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2016-08-25 01:02:47.433 INFO 21486 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler@57a48985' of type [class org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2016-08-25 01:02:47.440 INFO 21486 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration' of type [class org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration$$EnhancerBySpringCGLIB$$6d479623] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2016-08-25 01:02:47.448 INFO 21486 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'methodSecurityMetadataSource' of type [class org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2016-08-25 01:02:47.686 INFO 21486 --- [ main] org.xnio : XNIO version 3.3.6.Final
2016-08-25 01:02:47.696 INFO 21486 --- [ main] org.xnio.nio : XNIO NIO Implementation Version 3.3.6.Final
2016-08-25 01:02:47.743 WARN 21486 --- [ main] io.undertow.websockets.jsr : UT026009: XNIO worker was not set on WebSocketDeploymentInfo, the default worker will be used
2016-08-25 01:02:47.744 WARN 21486 --- [ main] io.undertow.websockets.jsr : UT026010: Buffer pool was not set on WebSocketDeploymentInfo, the default pool will be used
2016-08-25 01:02:47.753 INFO 21486 --- [ main] io.undertow.servlet : Initializing Spring embedded WebApplicationContext
2016-08-25 01:02:47.753 INFO 21486 --- [ main] o.s.web.context.ContextLoader : Root WebApplicationContext: initialization completed in 1332 ms
2016-08-25 01:02:48.125 INFO 21486 --- [ main] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'characterEncodingFilter' to: [/*]
2016-08-25 01:02:48.126 INFO 21486 --- [ main] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'hiddenHttpMethodFilter' to: [/*]
2016-08-25 01:02:48.126 INFO 21486 --- [ main] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'httpPutFormContentFilter' to: [/*]
2016-08-25 01:02:48.126 INFO 21486 --- [ main] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'requestContextFilter' to: [/*]
2016-08-25 01:02:48.127 INFO 21486 --- [ main] .s.DelegatingFilterProxyRegistrationBean : Mapping filter: 'springSecurityFilterChain' to: [/*]
2016-08-25 01:02:48.128 INFO 21486 --- [ main] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'authenticationTokenFilterBean' to: [/*]
2016-08-25 01:02:48.128 INFO 21486 --- [ main] o.s.b.w.servlet.ServletRegistrationBean : Mapping servlet: 'dispatcherServlet' to [/]
2016-08-25 01:02:48.283 INFO 21486 --- [ main] j.LocalContainerEntityManagerFactoryBean : Building JPA container EntityManagerFactory for persistence unit 'default'
2016-08-25 01:02:48.297 INFO 21486 --- [ main] o.hibernate.jpa.internal.util.LogHelper : HHH000204: Processing PersistenceUnitInfo [
name: default
...]
2016-08-25 01:02:48.339 INFO 21486 --- [ main] org.hibernate.Version : HHH000412: Hibernate Core 5.0.9.Final
2016-08-25 01:02:48.340 INFO 21486 --- [ main] org.hibernate.cfg.Environment : HHH000206: hibernate.properties not found
2016-08-25 01:02:48.341 INFO 21486 --- [ main] org.hibernate.cfg.Environment : HHH000021: Bytecode provider name : javassist
2016-08-25 01:02:48.366 INFO 21486 --- [ main] o.hibernate.annotations.common.Version : HCANN000001: Hibernate Commons Annotations 5.0.1.Final
2016-08-25 01:02:48.619 INFO 21486 --- [ main] org.hibernate.dialect.Dialect : HHH000400: Using dialect: org.hibernate.dialect.mysql5Dialect
2016-08-25 01:02:48.789 INFO 21486 --- [ main] org.hibernate.tool.hbm2ddl.SchemaUpdate : HHH000228: Running hbm2ddl schema update
2016-08-25 01:02:48.809 INFO 21486 --- [ main] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default'
2016-08-25 01:02:48.886 INFO 21486 --- [ main] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/auth/login/'], []
2016-08-25 01:02:48.914 DEBUG 21486 --- [ main] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll', for Ant [pattern='/auth/login']
2016-08-25 01:02:48.915 DEBUG 21486 --- [ main] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'authenticated', for org.springframework.security.web.util.matcher.AnyRequestMatcher@1
2016-08-25 01:02:48.919 DEBUG 21486 --- [ main] o.s.s.w.a.i.FilterSecurityInterceptor : Validated configuration attributes
2016-08-25 01:02:48.920 DEBUG 21486 --- [ main] o.s.s.w.a.i.FilterSecurityInterceptor : Validated configuration attributes
2016-08-25 01:02:48.922 INFO 21486 --- [ main] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@310d57b1, org.springframework.security.web.context.SecurityContextPersistenceFilter@22cb3d59, org.springframework.security.web.header.HeaderWriterFilter@2407a36c, org.springframework.security.web.authentication.logout.LogoutFilter@29bbc391, com..security.JwtAuthenticationTokenFilter@4c7e978c, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@5cff729b, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@5a7b309b, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@143fefaf, org.springframework.security.web.session.SessionManagementFilter@28b8f98a, org.springframework.security.web.access.ExceptionTranslationFilter@6889f56f, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@6b867ee7]
2016-08-25 01:02:48.933 DEBUG 21486 --- [ main] o.s.s.a.i.a.MethodSecurityInterceptor : Validated configuration attributes
2016-08-25 01:02:48.996 INFO 21486 --- [ main] s.w.s.m.m.a.RequestMappingHandlerAdapter : Looking for @ControllerAdvice: org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@384ad17b: startup date [Thu Aug 25 01:02:46 HKT 2016]; root of context hierarchy
2016-08-25 01:02:49.052 INFO 21486 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "[/auth/login],methods=[GET]" onto public java.lang.String com..web.AuthController.response()
2016-08-25 01:02:49.053 INFO 21486 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "[/secure/],methods=[POST]" onto public com..model.Greeting com..web.MainController.homePage(java.lang.String)
2016-08-25 01:02:49.053 INFO 21486 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "[/secure/hello],methods=[GET]" onto public com..model.Greeting com..web.MainController.greeting(java.lang.String)
2016-08-25 01:02:49.053 INFO 21486 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "[/secure/user || /secure/me],methods=[POST]" onto public org.springframework.http.ResponseEntity<?> com..web.MainController.user(java.security.Principal)
2016-08-25 01:02:49.055 INFO 21486 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "[/error],produces=[text/html]" onto public org.springframework.web.servlet.ModelAndView org.springframework.boot.autoconfigure.web.BasicErrorController.errorHtml(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)
2016-08-25 01:02:49.056 INFO 21486 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "[/error]" onto public org.springframework.http.ResponseEntity<java.util.Map<java.lang.String, java.lang.Object>> org.springframework.boot.autoconfigure.web.BasicErrorController.error(javax.servlet.http.HttpServletRequest)
2016-08-25 01:02:49.092 INFO 21486 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/webjars/**] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2016-08-25 01:02:49.092 INFO 21486 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/**] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2016-08-25 01:02:49.122 INFO 21486 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/**/favicon.ico] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2016-08-25 01:02:49.310 DEBUG 21486 --- [ main] eGlobalAuthenticationAutowiredConfigurer : Eagerly initializing webSecurityConfig=com..security.config.WebSecurityConfig$$EnhancerBySpringCGLIB$$12aaac67@47c40b56
2016-08-25 01:02:49.312 INFO 21486 --- [ main] o.s.j.e.a.AnnotationMBeanExporter : Registering beans for JMX exposure on startup
2016-08-25 01:02:49.344 INFO 21486 --- [ main] b.c.e.u.UndertowEmbeddedServletContainer : Undertow started on port(s) 8080 (http)
2016-08-25 01:02:49.347 INFO 21486 --- [ main] com.BackendApplication : Started BackendApplication in 3.256 seconds (JVM running for 3.461)
2016-08-25 01:02:57.681 DEBUG 21486 --- [ XNIO-3 task-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/auth/login'; against '/auth/login/'
2016-08-25 01:02:57.682 DEBUG 21486 --- [ XNIO-3 task-1] o.s.security.web.FilterChainProxy : /auth/login at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-08-25 01:02:57.682 DEBUG 21486 --- [ XNIO-3 task-1] o.s.security.web.FilterChainProxy : /auth/login at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-08-25 01:02:57.683 DEBUG 21486 --- [ XNIO-3 task-1] o.s.security.web.FilterChainProxy : /auth/login at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-08-25 01:02:57.684 DEBUG 21486 --- [ XNIO-3 task-1] o.s.security.web.FilterChainProxy : /auth/login at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2016-08-25 01:02:57.684 DEBUG 21486 --- [ XNIO-3 task-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
2016-08-25 01:02:57.684 DEBUG 21486 --- [ XNIO-3 task-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/auth/login'; against '/logout'
2016-08-25 01:02:57.684 DEBUG 21486 --- [ XNIO-3 task-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
2016-08-25 01:02:57.684 DEBUG 21486 --- [ XNIO-3 task-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /auth/login' doesn't match 'POST /logout
2016-08-25 01:02:57.684 DEBUG 21486 --- [ XNIO-3 task-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
2016-08-25 01:02:57.684 DEBUG 21486 --- [ XNIO-3 task-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /auth/login' doesn't match 'PUT /logout
2016-08-25 01:02:57.684 DEBUG 21486 --- [ XNIO-3 task-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
2016-08-25 01:02:57.684 DEBUG 21486 --- [ XNIO-3 task-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /auth/login' doesn't match 'DELETE /logout
2016-08-25 01:02:57.684 DEBUG 21486 --- [ XNIO-3 task-1] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
2016-08-25 01:02:57.684 DEBUG 21486 --- [ XNIO-3 task-1] o.s.security.web.FilterChainProxy : /auth/login at position 5 of 11 in additional filter chain; firing Filter: 'JwtAuthenticationTokenFilter'
2016-08-25 01:02:57.684 DEBUG 21486 --- [ XNIO-3 task-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request '/auth/login' matched by universal pattern '/**'
2016-08-25 01:02:57.684 DEBUG 21486 --- [ XNIO-3 task-1] .a.SimpleUrlAuthenticationFailureHandler : No failure URL set, sending 401 Unauthorized error
2016-08-25 01:02:57.684 DEBUG 21486 --- [ XNIO-3 task-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@3225c3b4
2016-08-25 01:02:57.685 DEBUG 21486 --- [ XNIO-3 task-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2016-08-25 01:02:57.686 INFO 21486 --- [ XNIO-3 task-1] io.undertow.servlet : Initializing Spring FrameworkServlet 'dispatcherServlet'
2016-08-25 01:02:57.686 INFO 21486 --- [ XNIO-3 task-1] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization started
2016-08-25 01:02:57.697 INFO 21486 --- [ XNIO-3 task-1] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization completed in 11 ms
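What the log above shows, as an added example that is not the poster's code or the linked guide's: the web.ignoring() pattern '/auth/login/' is checked against '/auth/login' and does not match, and JwtAuthenticationTokenFilter, built with super("/**"), sends the 401 at position 5 of 11, before the permitAll rule in FilterSecurityInterceptor is consulted. This variant of WebSecurityConfig narrows the filter's matcher to everything except the login path and disables the second, servlet-container registration of the filter bean. The bean name jwtFilterRegistration is an assumption; the Jwt* classes are the ones from the question.

```java
import java.util.Arrays;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;

// Added example: a variant of the question's WebSecurityConfig, not the poster's code.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired private JwtAuthenticationEntryPoint unauthorizedHandler;
    @Autowired private JwtAuthenticationProvider authenticationProvider;

    @Bean @Override
    public AuthenticationManager authenticationManager() throws Exception {
        return new ProviderManager(Arrays.asList(authenticationProvider));
    }

    @Bean
    public JwtAuthenticationTokenFilter authenticationTokenFilterBean() throws Exception {
        JwtAuthenticationTokenFilter filter = new JwtAuthenticationTokenFilter();
        filter.setAuthenticationManager(authenticationManager());
        filter.setAuthenticationSuccessHandler(new JwtAuthenticationSuccessHandler());
        // Replace the constructor's "/**" with "everything except the login path", so a
        // token-less GET /auth/login is never handed to attemptAuthentication().
        filter.setRequiresAuthenticationRequestMatcher(
                new NegatedRequestMatcher(new AntPathRequestMatcher("/auth/login")));
        return filter;
    }

    // Spring Boot also maps every Filter bean to /* in the servlet container (see the
    // "Mapping filter: 'authenticationTokenFilterBean'" log line); switch that copy off.
    @Bean
    public FilterRegistrationBean jwtFilterRegistration(JwtAuthenticationTokenFilter filter) {
        FilterRegistrationBean registration = new FilterRegistrationBean(filter);
        registration.setEnabled(false);
        return registration;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
                .antMatchers("/auth/login").permitAll() // evaluated now that the JWT filter skips this path
                .anyRequest().authenticated()
            .and()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler)
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
        http.headers().cacheControl();
    }
}
```

Every other path still passes through the JWT filter and the authenticated() rule, so only /auth/login becomes reachable without a token.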
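【Question discussion】:
【Answer 1】: This example is a bit older (2015) and does not use Spring Security, but it is a JWT solution for securing a Spring Boot application. The author also put their code on Github for reference, since you said the post you had been working from lacked code examples.
【Discussion】:
It uses a different filter. I would have to change my entire filtering mechanism to fit this example.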