I use Spring Boot 2.5.6. I want to skip a specific URL (/doc.html).

I have created a JwtAuthenticationTokenFilter extending OncePerRequestFilter:

    @Component
    public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
                throws ServletException, IOException {
            // the logic of authentication
        }
    }

And then I create SecurityConfig extending WebSecurityConfigurerAdapter:

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    @Order(1)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        public void configure(WebSecurity web)
                throws Exception {
            web.ignoring()
                    .antMatchers(HttpMethod.OPTIONS, "/**")
                    .antMatchers("/doc.html");
        }

        @Override
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            httpSecurity
               .csrf().disable()
               .sessionManagement()
                   .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
               .authorizeRequests()
                   .antMatchers("/doc.html").anonymous()
                   .and()
               .requestMatchers().antMatchers("/doc.html");
        }
    }

But when I access localhost:8080/doc.html, /doc.html is not skipped.

I also tried to override shouldNotFilter in JwtAuthenticationTokenFilter.java, but it didn't work either:

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
        return (
                new AntPathMatcher().match("/doc.html", request.getServletPath()));
    }

dur
First Rain

Why have you created a filter that already exists in Spring Security? Please google the Spring Security reference and read the chapter on JWT – Toerktumlare Dec 17 '21 at 00:52

Your filter is a component, registered as part of the regular filter chain. It isn't part of the special security filter chain and thus will execute on each request. – M. Deinum Dec 17 '21 at 07:43

2 Answers

1

You can create a simple array inside JwtAuthenticationTokenFilter if you want to bypass it for multiple URLs.

For example:

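    private static final String[] excluded_urls = {
            "/login",
            // AntPathMatcher never matches a pattern without a leading "/" against
            // a path that has one, so "**/doc.html" would not match "/doc.html".
            // Note that this pattern exempts every path ending in /doc.html.
            "/**/doc.html"
    };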

And then override shouldNotFilter method:

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
        String url = request.getRequestURI();
        return Stream.of(excluded_urls).anyMatch(x -> pathMatcher.match(x, url));
    }

Where

    // can be injected or created wherever required
    private final AntPathMatcher pathMatcher = new AntPathMatcher();

Vikas
0

Your JwtAuthenticationTokenFilter will be picked up by Spring as a component and will be included in the filter chain and will not be automatically excluded through your SecurityConfig.

So overwriting shouldNotFilter seems like a valid approach and should work as expected.

You could try to use request.getRequestURI() instead of request.getServletPath() to make sure you match the actual request path. See this for further details.

eol
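
Following M. Deinum's comment above, one way to keep the filter out of the servlet container's chain so that `web.ignoring()` also applies to it. This is an added example, not code from the question or the answers; it assumes the question's `JwtAuthenticationTokenFilter` stays a `@Component`, and the `anyRequest().authenticated()` rule is an assumption about the rest of the application.

```java
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // The @Component filter from the question, injected as a normal bean.
    private final JwtAuthenticationTokenFilter jwtFilter;

    public SecurityConfig(JwtAuthenticationTokenFilter jwtFilter) {
        this.jwtFilter = jwtFilter;
    }

    // Spring Boot registers every Filter bean with the servlet container, so the
    // filter would run on all requests regardless of web.ignoring(). Disable that
    // automatic registration; the bean itself stays available for injection.
    @Bean
    public FilterRegistrationBean<JwtAuthenticationTokenFilter> jwtFilterRegistration() {
        FilterRegistrationBean<JwtAuthenticationTokenFilter> reg =
                new FilterRegistrationBean<>(jwtFilter);
        reg.setEnabled(false);
        return reg;
    }

    @Override
    public void configure(WebSecurity web) {
        // Requests matched here bypass the whole security filter chain,
        // which is now the only place the JWT filter runs.
        web.ignoring().antMatchers("/doc.html");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests().anyRequest().authenticated().and() // assumed policy
            // Run the JWT filter only inside the security chain.
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
```

The ignore rule uses the exact path `/doc.html` rather than a wildcard, so no other endpoint ending in the same name is exempted from authentication.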