Spring Security - Custom Pre Auth filter using Java config

Time: 2016-01-15 20:16:32

Tags: java spring spring-security filter

I am trying to configure a simple custom authentication filter that checks for a token on every page of the web application except the '/login' page. The filter is up and running now, but no matter what settings I change, the filter is invoked on every page, including '/login', which I have set to permitAll().

When I visit localhost:8080/login I expect, based on my configuration, that this filter is not invoked, but instead an exception is thrown inside the filter because no session was found.

My question is: how do I restrict the filter to all pages except the '/login' page?

Here is my config:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private UserDetailsService userDetailsService;
    private PreAuthenticatedAuthenticationProvider preAuthenticatedProvider;

    public SecurityConfig() {
        super();

        // UserDetailsServiceImpl is the application's own implementation (not shown)
        userDetailsService = new UserDetailsServiceImpl();
        UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper =
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService);

        preAuthenticatedProvider = new PreAuthenticatedAuthenticationProvider();
        preAuthenticatedProvider.setPreAuthenticatedUserDetailsService(wrapper);
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(preAuthenticatedProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // OpenTokenRequestAuthenticationFilter is the custom pre-auth filter (not shown)
        OpenTokenRequestAuthenticationFilter filter = new OpenTokenRequestAuthenticationFilter();
        filter.setAuthenticationManager(authenticationManager());

        http
            // addFilter() places the filter in the chain for every request;
            // permitAll() below is an authorization rule and does not skip the filter
            .addFilter(filter)
            .authorizeRequests()
                .antMatchers("/login").permitAll();
    }
}
```

1 answer:

Answer 0 (score: 0)

The following code filters unauthorized / session-expired requests for specific endpoints. The bean should be configured with the endpoint URLs so that the Auth filter applies to those endpoints. Now you can restrict the application of the filter to only the endpoints you want.

```java
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;

// Declared inside a @Configuration class
@Bean
public FilterRegistrationBean<AuthFilter> filterRegistrationBean() {
    FilterRegistrationBean<AuthFilter> registrationBean = new FilterRegistrationBean<>();
    AuthFilter authFilter = new AuthFilter();
    registrationBean.setFilter(authFilter);
    // Include the URL patterns for which the Auth filter should be applicable
    registrationBean.addUrlPatterns("/api/protectedendpoint/*");
    return registrationBean;
}
```

Authentication filter

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import org.springframework.http.HttpStatus;
import org.springframework.web.filter.GenericFilterBean;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import java.io.IOException;

public class AuthFilter extends GenericFilterBean {
  // Placeholder: the secret used to verify the JWT signature; load it from
  // configuration rather than hard-coding it in source.
  private static final String YOUR_JWT_SECRET_KEY = "<your-base64-encoded-jwt-secret>";

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpServletResponse httpResponse = (HttpServletResponse) response;

    String authHeader = httpRequest.getHeader("Authorization");
    if (authHeader != null) {
      // Expect "Bearer <token>"; split() leaves the token in element 1
      String[] authHeaderArr = authHeader.split("Bearer ");
      if (authHeaderArr.length > 1 && authHeaderArr[1] != null) {
        String token = authHeaderArr[1];

        try {
          // Verifies signature and expiry; any failure is reported as an invalid token
          Claims claims = Jwts.parser().setSigningKey(YOUR_JWT_SECRET_KEY).parseClaimsJws(token).getBody();
          httpRequest.setAttribute("email", claims.get("email").toString());
        } catch (Exception e) {
          httpResponse.sendError(HttpStatus.FORBIDDEN.value(), "invalid/expired token");
          return;
        }
      } else {
        httpResponse.sendError(HttpStatus.FORBIDDEN.value(), "Authorization token must be Bearer [token]");
        return;
      }
    } else {
      httpResponse.sendError(HttpStatus.UNAUTHORIZED.value(), "Authorization token must be provided");
      return;
    }
    chain.doFilter(httpRequest, httpResponse);
  }
}
```
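A filter registered through FilterRegistrationBean runs as a plain servlet filter outside Spring Security's chain and never populates the SecurityContext, so Spring Security's own rules still see an anonymous caller. The following is an added example, not code from the question or the answer, that keeps the token check inside the Spring Security chain and excludes /login through shouldNotFilter; the class name TokenPreAuthFilter and the header name X-Auth-Token are assumptions, and the question's PreAuthenticatedAuthenticationProvider with its UserDetailsService is assumed to resolve the token to a user.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter (not from the question or answer); header name "X-Auth-Token" is assumed.
public class TokenPreAuthFilter extends OncePerRequestFilter {
    private static final RequestMatcher LOGIN = new AntPathRequestMatcher("/login");
    private final AuthenticationManager authenticationManager;

    public TokenPreAuthFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    // permitAll() only relaxes authorization; the filter must opt out of /login itself.
    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return LOGIN.matches(request);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String token = request.getHeader("X-Auth-Token");
        if (token == null || token.isEmpty()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "missing token");
            return;
        }
        try {
            // Assumption: the question's PreAuthenticatedAuthenticationProvider and
            // UserDetailsService map this principal to a user; that lookup is not defined here.
            Authentication auth = authenticationManager.authenticate(
                    new PreAuthenticatedAuthenticationToken(token, "N/A"));
            SecurityContextHolder.getContext().setAuthentication(auth);
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext();   // never leave a partial context behind
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid token");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Wire it in configure(HttpSecurity) with http.addFilterBefore(new TokenPreAuthFilter(authenticationManager()), UsernamePasswordAuthenticationFilter.class) and keep antMatchers("/login").permitAll() followed by anyRequest().authenticated(), so the authorization rules and the filter's exclusion describe the same boundary.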