Spring Security intercept except annotated
http.csrf().disable().authorizeRequests().anyRequest().authenticated().and().addFilterBefore(myGenericFilterBean, MyAuthenticationProcessingFilter.class)
Let's say I have a standard HttpSecurity protected endpoints, like:
and validators on specific endpoints.
I got a request to make a new validator for most of our endpoints, but instead of adding an annotation everywhere I thought that it could be safer if I secure the endpoints like
http.csrf().disable().authorizeRequests().anyRequest().authenticated().and().addFilterBefore(myGenericFilterBean, MyAuthenticationProcessingFilter.class)
(Given that MyGenericFilterBean is something extending GenericFilterBean)
but I want to make it skip this myGenericFilterBean for any endpoint I annotate with an annotation I would create for example @DontCheckMyFilter
Is it even possible without going way too far to make it worth it?
得分: 1
在您的情况下,最好的选择是使用特定的 path
来避免访问那些端点,而不是使用自定义注释。原因是 Spring 过滤器提供了很多处理路径和角色的功能。
public class MyGenericFilterBean extends OncePerRequestFilter {
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
// 在这里执行您需要的操作
filterChain.doFilter(request, response);
// 您应该重写的方法,以避免执行此过滤器
protected boolean shouldNotFilter(HttpServletRequest request) {
Set<String> avoidFilterForUrls = new HashSet<>(Arrays.asList("/no-filter/**"));
AntPathMatcher pathMatcher = new AntPathMatcher();
return avoidFilterForUrls.stream().anyMatch(p -> pathMatcher.match(p, request.getServletPath()));
在上面的示例中,对于以 /no-filter
开头的请求,过滤器不会被执行(实际上 doFilterInternal
// 不需要身份验证的服务列表
//.antMatchers(GET, "/no-filter/**").permitAll()
// 其他任何请求都需要身份验证
.addFilterBefore(myGenericFilterBean, MyAuthenticationProcessingFilter.class)
自定义 shouldNotFilter
方法,过滤器将不会被执行,但是请注意,“您正在谈论”的 MyAuthenticationProcessingFilter
// 不需要身份验证的服务列表
// 取消注释并根据您自己的端点进行自定义
//.antMatchers(GET, "/no-filter/**").permitAll()
因为如果您在这些端点中包含了“基于角色的安全性”或其他任何安全性,您需要将其移除,因为 Spring 仍然会验证这些端点的安全性。我的意思是,如果您不想对这些端点应用 MyAuthenticationProcessingFilter
,则不应该为它们包含任何 Spring 安全功能。
The best option in your case is use an specific path
to avoid those endpoints, instead of a custom annotation. The reason is Spring filters provide a lot of functionality to work/deal with path and roles mainly.
So if you can change your approach, a possible solution could be:
public class MyGenericFilterBean extends OncePerRequestFilter {
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
// Do here what you need
filterChain.doFilter(request, response);
// Method you should overwrite to avoid the execution of this filter
protected boolean shouldNotFilter(HttpServletRequest request) {
Set<String> avoidFilterForUrls = new HashSet<>(Arrays.asList("/no-filter/**"));
AntPathMatcher pathMatcher = new AntPathMatcher();
return avoidFilterForUrls.stream().anyMatch(p -> pathMatcher.match(p, request.getServletPath()));
In the above example, the filter won't be executed (really doFilterInternal
won't be invoked) for the requests with Urls started with /no-filter
At this point, you need to take into account configure your security options correctly. Follow your example:
// List of services do not require authentication
//.antMatchers(GET, "/no-filter/**").permitAll()
// Any other request must be authenticated
.addFilterBefore(myGenericFilterBean, MyAuthenticationProcessingFilter.class)
Customizing shouldNotFilter
the filter won't be executed but, taking into account you "are talking" about MyAuthenticationProcessingFilter
, probably will be necessary to include those endpoints into the "whitelist" too, as you can see in:
// List of services do not require authentication
// Uncomment and customize with your own ones
//.antMatchers(GET, "/no-filter/**").permitAll()
Because if you have included a "role based security" or any other one in those endpoints, you need to remove it because Spring still verifies the security for them. I mean, if you don't want to apply MyAuthenticationProcessingFilter
to those endpoints, no Spring security functionality should be included for them.