我试图为actuator端点启用基本的http身份验证,同时为api端点保持jwt身份验证。我尝试了以下配置:
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf()
.disable()
.anonymous()
.disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.antMatcher("/service/actuator/**")
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/service/api/**")
.authenticated()
.anyRequest()
.authenticated()
.and()
.exceptionHandling()
.authenticationEntryPoint(restAuthenticationEntryPoint);
http.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
}
然而,似乎我可以使用JWT令牌和基本验证以及actuator端点,而没有身份验证也适用于所有api端点。我把顺序弄乱了吗?有更好的方法吗?
以下内容适用于我
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf()
.disable()
.anonymous()
.disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/service/actuator/**")
.permitAll()
.and()
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/service/api/**")
.authenticated()
.anyRequest()
.authenticated()
.and()
.exceptionHandling()
.authenticationEntryPoint(restAuthenticationEntryPoint);
http.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
}