在与 API-Key 身份验证集成后,无法将 permitAll() 与 Spring Boot 2.3.4 一起使用以允许访问 Swagger UI
Unable to use permitAll() with Spring Boot 2.3.4 to allow access to Swagger UI after integrating with API-Key Authentication
我尝试通过以下方式将 API-Key 身份验证机制集成到 Spring 引导应用程序:
- 创建了一个扩展
AbstractPreAuthenticatedProcessingFilter 的 CustomAPIKeyAuthFilter,它从请求的 headers 中获取预先验证的主体。
public class CustomAPIKeyAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
private String principalRequestHeader;
private String principalAuthKey;
public CustomAPIKeyAuthFilter(String principalRequestHeader, String principalAuthKey) {
this.principalRequestHeader = principalRequestHeader;
this.principalAuthKey = principalAuthKey;
}
@Override
protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
return request.getHeader(principalRequestHeader);
}
@Override
protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
// anything to be returned here??
return "TBD";
}
}
- 创建
WebSecurityConfig 扩展 WebSecurityConfigurerAdapter。在这一个中,自定义过滤器被注入到重写的方法中 protected void configure(HttpSecurity httpSecurity) {}
@EnableWebSecurity
@Order(1)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Value("${superuser}")
private String principalRequestHeader;
@Value("${superuserauthkey}")
private String principalRequestValue;
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
CustomAPIKeyAuthFilter filter = new CustomAPIKeyAuthFilter(principalRequestHeader, principalRequestValue);
filter.setAuthenticationManager(new AuthenticationManager() {
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String principal = (String) authentication.getPrincipal();
if (principalRequestValue.equals(principal)){
authentication.setAuthenticated(true);
} else {
throw new BadCredentialsException("Missing API Key");
}
return authentication;
}
});
httpSecurity.
cors().and().
csrf().disable().authorizeRequests()
.antMatchers("**swagger**").permitAll() // this is the part that is not working for me
.anyRequest().authenticated()
.and()
.addFilter(filter)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}
正如您从上面的评论中看到的,即使我使用了 permitAll,如果我尝试访问正在运行的 Swagger UI,我也会在运行时收到错误 401 No pre-authenticated principal found in request在我的pom.xml中引入spring-boot-starter-security相关依赖之前。有没有更好的方法可以从需要基于 API-key 的身份验证的 URL 端点列表中单独排除 swagger UI?
注意:我使用的是springfox-swagger2实现的Swagger,使用的版本是2.8.0。
Swagger 有 api 安全级别应该允许的端点,在 WebSecurityConfig.class
中添加以下代码片段
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/v2/api-docs",
"/configuration/ui",
"/swagger-resources/**",
"/configuration/security",
"/swagger-ui.html",
"/webjars/**");
}
您也可以尝试 permitAll() 模式 included.This 将排除 swagger 的身份验证。
我尝试通过以下方式将 API-Key 身份验证机制集成到 Spring 引导应用程序:
- 创建了一个扩展
AbstractPreAuthenticatedProcessingFilter的CustomAPIKeyAuthFilter,它从请求的 headers 中获取预先验证的主体。
public class CustomAPIKeyAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
private String principalRequestHeader;
private String principalAuthKey;
public CustomAPIKeyAuthFilter(String principalRequestHeader, String principalAuthKey) {
this.principalRequestHeader = principalRequestHeader;
this.principalAuthKey = principalAuthKey;
}
@Override
protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
return request.getHeader(principalRequestHeader);
}
@Override
protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
// anything to be returned here??
return "TBD";
}
}
- 创建
WebSecurityConfig扩展WebSecurityConfigurerAdapter。在这一个中,自定义过滤器被注入到重写的方法中protected void configure(HttpSecurity httpSecurity) {}
@EnableWebSecurity
@Order(1)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Value("${superuser}")
private String principalRequestHeader;
@Value("${superuserauthkey}")
private String principalRequestValue;
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
CustomAPIKeyAuthFilter filter = new CustomAPIKeyAuthFilter(principalRequestHeader, principalRequestValue);
filter.setAuthenticationManager(new AuthenticationManager() {
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String principal = (String) authentication.getPrincipal();
if (principalRequestValue.equals(principal)){
authentication.setAuthenticated(true);
} else {
throw new BadCredentialsException("Missing API Key");
}
return authentication;
}
});
httpSecurity.
cors().and().
csrf().disable().authorizeRequests()
.antMatchers("**swagger**").permitAll() // this is the part that is not working for me
.anyRequest().authenticated()
.and()
.addFilter(filter)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}
正如您从上面的评论中看到的,即使我使用了 permitAll,如果我尝试访问正在运行的 Swagger UI,我也会在运行时收到错误 401 No pre-authenticated principal found in request在我的pom.xml中引入spring-boot-starter-security相关依赖之前。有没有更好的方法可以从需要基于 API-key 的身份验证的 URL 端点列表中单独排除 swagger UI?
注意:我使用的是springfox-swagger2实现的Swagger,使用的版本是2.8.0。
Swagger 有 api 安全级别应该允许的端点,在 WebSecurityConfig.class
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/v2/api-docs",
"/configuration/ui",
"/swagger-resources/**",
"/configuration/security",
"/swagger-ui.html",
"/webjars/**");
}
您也可以尝试 permitAll() 模式 included.This 将排除 swagger 的身份验证。