Security whole configuration does not take effect after the Gateway?

灵异事件？我的SecurityWhy does the configuration not take effect?？Why do I keep jumping to the login page?？

因为工作需要,项目中需要引入Spring Security这个安全框架（只是单纯的引入）,It seemed so simple at first,After the introduction, put it on the startup classSecurityIs it okay to exclude the automatic configuration class?？

说干就干,引入了Security依赖之后,我在@SpringBootApplication注解的参数exclude中将SecurityAutoConfigurationThis autoconfiguration class excludes,If the dependency of health check is introduced into the project, it is also necessary to addManagementWebSecurityAutoConfigurationThis autoconfiguration class excludes,因为在ManagementWebSecurityAutoConfigurationIn this automatic configuration class, he will turn onSecurity的自动配置.

弄完了,就这么简单！打包,发布,测试,没问题.

紧接着,It's time to add the gateway serviceSecurity依赖,有了前面的经验,CVDafa in one go,Then pack、发布、测试,漂亮,Like to ask to work overtime！！it actually let me log in？Why is it different from what I expected？

Then analyze the problem,Securityis a filter chain consisting of a set of filters,By default it will store the successful authentication information toSession对象中,next time according toSessionWhether there is personal information in the to determine whether you have been authenticated,I see it in other services as I did earlierSpringis not in the containerspringSecurityFilterChain这个对象的,But there is still in my gateway service！That road won't work,转换思维,Disable this authentication filter？How to let him fail？放行！！

Let all resources be released！

说干就干,于是就写了一个Security的配置类！

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig2 extends WebSecurityConfigurerAdapter {
    

    @Override
    protected void configure(HttpSecurity http) throws Exception {
    
        http
                .authorizeRequests()
                .antMatchers("/**")
                .permitAll()
                .anyRequest()
                .authenticated()
                .and()
                .csrf()
                .disable()
                .cors();
    }
}

写完,心里美滋滋,Thinking about getting to work,打包、发布、测试,what？why do you want me to log in？Is there a problem with my packing posture?？I repack、发布、测试,still want me to log in？I have a problem with this configuration？那行,I don't let all requests directly through the filter,I rewrote the config again！

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig2 extends WebSecurityConfigurerAdapter {
    

    @Override
    public void configure(WebSecurity web) throws Exception {
    
        web.ignoring().antMatchers("/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
    
        http
                .authorizeRequests()
                .antMatchers("/**")
                .permitAll()
                .anyRequest()
                .authenticated()
                .and()
                .csrf()
                .disable()
                .cors();
    }
}

又一次打包、发布、测试,Found the problem but still can't solve it！I'm in a hurry,It seems hopeless to fight the king tonight！

So I suddenly remembered that this is a gateway service！！Gateway跟SecuritySeems a bit incompatible！I didn't remember to think of it,在引入Gatewaywhen we need to excludespring-boot-starter-web这个依赖,because one of them iswebflux,一个是mvc,Thinking of this at this time,Shouldn't the configuration be different?？Then read the official introduction,It turns out that there are other configuration methods！

So I re-wrote a configuration class

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebFluxSecurity
public class SecurityConfig {
    

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity httpSecurity){
    
        httpSecurity
                .authorizeExchange()
                .pathMatchers("/**").permitAll()
                .pathMatchers(HttpMethod.OPTIONS).permitAll()
                .anyExchange().authenticated()
                .and()
                .csrf()
                .disable()
                .cors();
        return httpSecurity.build();
    }
}

打包、发布、测试,OK,问题解决！下班了！

It's a bit miserable to be trapped by this problem！