我正在为Angular 5应用程序创建API。我想用JWT进行身份验证 我想使用spring security提供的功能,这样我就可以轻松地使用角色了。
我设法禁用基本身份验证。但是当使用http.authorizeExchange().anyExchange().authenticated();时,我仍然会收到登录提示
我想给403而不是提示。所以用“事物”(它是一个过滤器吗?)来覆盖登录提示,它会检查令牌的Authorization标题。
我只想在将返回JWT令牌的控制器中进行登录。但是我应该用什么Spring安全bean来检查用户凭据?我可以构建自己的服务和存储库,但我想尽可能使用spring security提供的功能。
这个问题的简短版本只是:
如何自定义Spring security的身份验证?
我需要创建什么豆?
我在哪里放置配置? (我现在有一个SecurityWebFilterChain)
我能找到的关于具有spring security的webflux身份验证的唯一文档是:https://docs.spring.io/spring-security/site/docs/5.0.0.BUILD-SNAPSHOT/reference/htmlsingle/#jc-webflux
答案 0 :(得分:20)
经过大量的搜索和尝试,我认为我找到了解决方案:
您需要一个包含所有配置的SecurityWebFilterChain bean
这是我的:
@Configuration
public class SecurityConfiguration {
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private SecurityContextRepository securityContextRepository;
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
// Disable default security.
http.httpBasic().disable();
http.formLogin().disable();
http.csrf().disable();
http.logout().disable();
// Add custom security.
http.authenticationManager(this.authenticationManager);
http.securityContextRepository(this.securityContextRepository);
// Disable authentication for `/auth/**` routes.
http.authorizeExchange().pathMatchers("/auth/**").permitAll();
http.authorizeExchange().anyExchange().authenticated();
return http.build();
}
}
我已禁用httpBasic,formLogin,csrf和logout,因此我可以进行自定义身份验证。
通过设置AuthenticationManager和SecurityContextRepository,我覆盖了默认的spring安全配置,以检查用户是否经过身份验证/授权请求。
身份验证管理器:
@Component
public class AuthenticationManager implements ReactiveAuthenticationManager {
@Override
public Mono<Authentication> authenticate(Authentication authentication) {
// JwtAuthenticationToken is my custom token.
if (authentication instanceof JwtAuthenticationToken) {
authentication.setAuthenticated(true);
}
return Mono.just(authentication);
}
}
我不完全确定身份验证管理器的用途,但我认为要进行最终身份验证,因此在一切正常时设置authentication.setAuthenticated(true);。
SecurityContextRepository:
@Component
public class SecurityContextRepository implements ServerSecurityContextRepository {
@Override
public Mono<Void> save(ServerWebExchange serverWebExchange, SecurityContext securityContext) {
// Don't know yet where this is for.
return null;
}
@Override
public Mono<SecurityContext> load(ServerWebExchange serverWebExchange) {
// JwtAuthenticationToken and GuestAuthenticationToken are custom Authentication tokens.
Authentication authentication = (/* check if authenticated based on headers in serverWebExchange */) ?
new JwtAuthenticationToken(...) :
new GuestAuthenticationToken();
return new SecurityContextImpl(authentication);
}
}
在加载中,如果用户通过身份验证,我将根据serverWebExchange中的标头进行检查。我使用https://github.com/jwtk/jjwt。如果用户经过身份验证,我会返回不同类型的身份验证令牌。
答案 1 :(得分:5)
在我的旧项目中,我使用了这种配置:
@Configuration
@EnableWebSecurity
@Import(WebMvcConfig.class)
@PropertySource(value = { "classpath:config.properties" }, encoding = "UTF-8", ignoreResourceNotFound = false)
public class WebSecWebSecurityCfg extends WebSecurityConfigurerAdapter
{
private UserDetailsService userDetailsService;
@Autowired
@Qualifier("objectMapper")
private ObjectMapper mapper;
@Autowired
@Qualifier("passwordEncoder")
private PasswordEncoder passwordEncoder;
@Autowired
private Environment env;
public WebSecWebSecurityCfg(UserDetailsService userDetailsService)
{
this.userDetailsService = userDetailsService;
}
@Override
protected void configure(HttpSecurity http) throws Exception
{
JWTAuthorizationFilter authFilter = new JWTAuthorizationFilter
( authenticationManager(),//Auth mgr
env.getProperty("config.secret.symmetric.key"), //Chiave simmetrica
env.getProperty("config.jwt.header.string"), //nome header
env.getProperty("config.jwt.token.prefix") //Prefisso token
);
JWTAuthenticationFilter authenticationFilter = new JWTAuthenticationFilter
(
authenticationManager(), //Authentication Manager
env.getProperty("config.secret.symmetric.key"), //Chiave simmetrica
Long.valueOf(env.getProperty("config.jwt.token.duration")),//Durata del token in millisecondi
env.getProperty("config.jwt.header.string"), //nome header
env.getProperty("config.jwt.token.prefix"), //Prefisso token
mapper
);
http
.cors()
.and()
.csrf()
.disable()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.addFilter(authenticationFilter)
.addFilter(authFilter)
// Disabilitiamo la creazione di sessione in spring
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception
{
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
}
@Bean
CorsConfigurationSource corsConfigurationSource()
{
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
return source;
}
}
JWTAuthorizationFilter的位置:
public class JWTAuthorizationFilter extends BasicAuthenticationFilter
{
private static final Logger logger = LoggerFactory.getLogger(JWTAuthenticationFilter.class.getName());
private String secretKey;
private String headerString;
private String tokenPrefix;
public JWTAuthorizationFilter(AuthenticationManager authenticationManager, AuthenticationEntryPoint authenticationEntryPoint, String secretKey, String headerString, String tokenPrefix)
{
super(authenticationManager, authenticationEntryPoint);
this.secretKey = secretKey;
this.headerString = headerString;
this.tokenPrefix = tokenPrefix;
}
public JWTAuthorizationFilter(AuthenticationManager authenticationManager, String secretKey, String headerString, String tokenPrefix)
{
super(authenticationManager);
this.secretKey = secretKey;
this.headerString = headerString;
this.tokenPrefix = tokenPrefix;
}
@Override
protected void onUnsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException
{
AuthenticationErrorEnum customErrorCode = null;
StringBuilder builder = new StringBuilder();
if( failed.getCause() instanceof MissingJwtTokenException )
{
customErrorCode = AuthenticationErrorEnum.TOKEN_JWT_MANCANTE;
}
else if( failed.getCause() instanceof ExpiredJwtException )
{
customErrorCode = AuthenticationErrorEnum.TOKEN_JWT_SCADUTO;
}
else if( failed.getCause() instanceof MalformedJwtException )
{
customErrorCode = AuthenticationErrorEnum.TOKEN_JWT_NON_CORRETTO;
}
else if( failed.getCause() instanceof MissingUserSubjectException )
{
customErrorCode = AuthenticationErrorEnum.TOKEN_JWT_NESSUN_UTENTE_TROVATO;
}
else if( ( failed.getCause() instanceof GenericJwtAuthorizationException ) || ( failed.getCause() instanceof Exception ) )
{
customErrorCode = AuthenticationErrorEnum.ERRORE_GENERICO;
}
builder.append("Errore duranre l'autorizzazione. ");
builder.append(failed.getMessage());
JwtAuthApiError apiError = new JwtAuthApiError(HttpStatus.UNAUTHORIZED, failed.getMessage(), Arrays.asList(builder.toString()), customErrorCode);
String errore = ( new ObjectMapper() ).writeValueAsString(apiError);
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
response.sendError(HttpStatus.UNAUTHORIZED.value(), errore);
request.setAttribute(IRsConstants.API_ERROR_REQUEST_ATTR_NAME, apiError);
}
JWTAuthenticationFilter是
public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter
{
private AuthenticationManager authenticationManager;
private String secretKey;
private long tokenDurationMillis;
private String headerString;
private String tokenPrefix;
private ObjectMapper mapper;
@Override
protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException
{
AuthenticationErrorEnum customErrorCode = null;
StringBuilder builder = new StringBuilder();
if( failed instanceof BadCredentialsException )
{
customErrorCode = AuthenticationErrorEnum.CREDENZIALI_SERVIZIO_ERRATE;
}
else
{
//Teoricamente nella fase di autenticazione all'errore generico non dovrebbe mai arrivare
customErrorCode = AuthenticationErrorEnum.ERRORE_GENERICO;
}
builder.append("Errore durante l'autenticazione del servizio. ");
builder.append(failed.getMessage());
JwtAuthApiError apiError = new JwtAuthApiError(HttpStatus.UNAUTHORIZED, failed.getMessage(), Arrays.asList(builder.toString()), customErrorCode);
String errore = mapper.writeValueAsString(apiError);
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
response.sendError(HttpStatus.UNAUTHORIZED.value(), errore);
request.setAttribute(IRsConstants.API_ERROR_REQUEST_ATTR_NAME, apiError);
}
public JWTAuthenticationFilter(AuthenticationManager authenticationManager, String secretKey, long tokenDurationMillis, String headerString, String tokenPrefix, ObjectMapper mapper)
{
super();
this.authenticationManager = authenticationManager;
this.secretKey = secretKey;
this.tokenDurationMillis = tokenDurationMillis;
this.headerString = headerString;
this.tokenPrefix = tokenPrefix;
this.mapper = mapper;
}
@Override
public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res) throws AuthenticationException
{
try
{
ServiceLoginDto creds = new ObjectMapper().readValue(req.getInputStream(), ServiceLoginDto.class);
return authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(creds.getCodiceServizio(), creds.getPasswordServizio(), new ArrayList<>()));
}
catch (IOException e)
{
throw new RuntimeException(e);
}
}
@Override
protected void successfulAuthentication(HttpServletRequest req, HttpServletResponse res, FilterChain chain, Authentication auth) throws IOException, ServletException
{
DateTime dt = new DateTime();
Date expirationTime = dt.plus(getTokenDurationMillis()).toDate();
String token = Jwts
.builder()
.setSubject(((User) auth.getPrincipal()).getUsername())
.setExpiration(expirationTime)
.signWith(SignatureAlgorithm.HS512, getSecretKey().getBytes())
.compact();
res.addHeader(getHeaderString(), getTokenPrefix() + token);
res.addHeader("jwtExpirationDate", expirationTime.toString());
res.addHeader("jwtTokenDuration", String.valueOf(TimeUnit.MILLISECONDS.toMinutes(getTokenDurationMillis()))+" minuti");
}
public String getSecretKey()
{
return secretKey;
}
public void setSecretKey(String secretKey)
{
this.secretKey = secretKey;
}
public long getTokenDurationMillis()
{
return tokenDurationMillis;
}
public void setTokenDurationMillis(long tokenDurationMillis)
{
this.tokenDurationMillis = tokenDurationMillis;
}
public String getHeaderString()
{
return headerString;
}
public void setHeaderString(String headerString)
{
this.headerString = headerString;
}
public String getTokenPrefix()
{
return tokenPrefix;
}
public void setTokenPrefix(String tokenPrefix)
{
this.tokenPrefix = tokenPrefix;
}
}
用户详细信息是经典的用户服务详细信息
@Service
public class UserDetailsServiceImpl implements UserDetailsService
{
@Autowired
private IServizioService service;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException
{
Service svc;
try
{
svc = service.findBySvcCode(username);
}
catch (DbException e)
{
throw new UsernameNotFoundException("Errore durante il processo di autenticazione; "+e.getMessage(), e);
}
if (svc == null)
{
throw new UsernameNotFoundException("Nessun servizio trovato per il codice servizio "+username);
}
else if( !svc.getAbilitato().booleanValue() )
{
throw new UsernameNotFoundException("Servizio "+username+" non abilitato");
}
return new User(svc.getCodiceServizio(), svc.getPasswordServizio(), Collections.emptyList());
}
}
请注意我没有使用Spring webflux
我希望它有用
安吉洛
答案 2 :(得分:2)
谢谢Jan,您在我的Spring Webflux应用程序中自定义身份验证并安全访问apis,为您提供了很多帮助。
在我的情况下,我只需要读取标题来设置用户角色,我希望Spring安全性检查用户授权以保护对我的方法的访问。
您在SecurityConfiguration中为密钥提供了自定义http.securityContextRepository(this.securityContextRepository);(不需要自定义authenticationManager)。
感谢这个SecurityContextRepository我能够构建和设置自定义身份验证(简化如下)。
@Override
public Mono<SecurityContext> load(ServerWebExchange serverWebExchange) {
String role = serverWebExchange.getRequest().getHeaders().getFirst("my-header");
Authentication authentication =
new AnonymousAuthenticationToken("authenticated-user", someUser, AuthorityUtils.createAuthorityList(role) );
return Mono.just(new SecurityContextImpl(authentication));
}
因此我可以使用以下角色保护我的方法:
@Component
public class MyService {
@PreAuthorize("hasRole('ADMIN')")
public Mono<String> checkAdmin() {
// my secure method
}
}
答案 3 :(得分:2)
对于那些存在相同问题(Webflux + Custom Authentication + JWT)的人,我遵循代码希望可以对以后的某个人使用AuthenticationWebFilter,自定义ServerAuthenticationConverter和ReactiveAuthenticationManager来解决。
已测试最新版本(spring-boot 2.1.1.RELEASE)。
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class SpringSecurityConfiguration {
@Bean
public SecurityWebFilterChain configure(ServerHttpSecurity http) {
return http
.csrf()
.disable()
.headers()
.frameOptions().disable()
.cache().disable()
.and()
.authorizeExchange()
.pathMatchers(AUTH_WHITELIST).permitAll()
.anyExchange().authenticated()
.and()
.addFilterAt(authenticationWebFilter(), SecurityWebFiltersOrder.AUTHENTICATION)
.httpBasic().disable()
.formLogin().disable()
.logout().disable()
.build();
}
private AuthenticationWebFilter authenticationWebFilter() {
AuthenticationWebFilter authenticationWebFilter = new AuthenticationWebFilter(reactiveAuthenticationManager());
authenticationWebFilter.setServerAuthenticationConverter(new JwtAuthenticationConverter(tokenProvider));
NegatedServerWebExchangeMatcher negateWhiteList = new NegatedServerWebExchangeMatcher(ServerWebExchangeMatchers.pathMatchers(AUTH_WHITELIST));
authenticationWebFilter.setRequiresAuthenticationMatcher(negateWhiteList);
authenticationWebFilter.setSecurityContextRepository(new WebSessionServerSecurityContextRepository());
authenticationWebFilter.setAuthenticationFailureHandler(responseError());
return authenticationWebFilter;
}
}
public class JwtAuthenticationConverter implements ServerAuthenticationConverter {
private final TokenProvider tokenProvider;
public JwtAuthenticationConverter(TokenProvider tokenProvider) {
this.tokenProvider = tokenProvider;
}
private Mono<String> resolveToken(ServerWebExchange exchange) {
log.debug("servletPath: {}", exchange.getRequest().getPath());
return Mono.justOrEmpty(exchange.getRequest().getHeaders().getFirst(HttpHeaders.AUTHORIZATION))
.filter(t -> t.startsWith("Bearer "))
.map(t -> t.substring(7));
}
@Override
public Mono<Authentication> convert(ServerWebExchange exchange) {
return resolveToken(exchange)
.filter(tokenProvider::validateToken)
.map(tokenProvider::getAuthentication);
}
}
public class CustomReactiveAuthenticationManager extends UserDetailsRepositoryReactiveAuthenticationManager {
public CustomReactiveAuthenticationManager(ReactiveUserDetailsService userDetailsService) {
super(userDetailsService);
}
@Override
public Mono<Authentication> authenticate(Authentication authentication) {
if (authentication.isAuthenticated()) {
return Mono.just(authentication);
}
return super.authenticate(authentication);
}
}