I am trying to authenticate based on a custom token in the request header.
I have read the accepted answer of this question and created a custom token, filter and authentication provider.
Problem:
When I try "GET /login": supports is not called either! In the browser console I can see HTTP 302 calls of {{1}}.
Any ideas?
Edit: actually, the authentication provider is only ignored when I call the endpoint from Angular (resulting in an AJAX/XHR call). If I call the endpoint from Postman, the authentication provider is called.
Edit: Spring Security DEBUG log for /login:
2016-10-27 19:57:46.724 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@43bffae5
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login at position 4 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/logout'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login at position 5 of 10 in additional filter chain; firing Filter: 'MyFilter'
2016-10-27 19:57:46.726 DEBUG 9752 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2016-10-27 19:57:46.726 DEBUG 9752 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2016-10-27 19:57:46.768 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /login at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-10-27 19:57:46.769 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /login at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-10-27 19:57:46.769 DEBUG 9752 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2016-10-27 19:57:46.770 DEBUG 9752 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-10-27 19:57:46.770 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /login at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-10-27 19:57:46.771 DEBUG 9752 --- [nio-8080-exec-4] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@43bffae5
2016-10-27 19:57:46.771 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /login at position 4 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
2016-10-27 19:57:46.771 DEBUG 9752 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/logout'
2016-10-27 19:57:46.771 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /login at position 5 of 10 in additional filter chain; firing Filter: 'MyFilter'
2016-10-27 19:57:46.772 DEBUG 9752 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : HttpSession being created as SecurityContext is non-default
2016-10-27 19:57:46.774 DEBUG 9752 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@17085d: Authentication: com.mycompany.myapp.configuration.MyToken@17085d: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities'
2016-10-27 19:57:46.774 DEBUG 9752 --- [nio-8080-exec-4] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
Token:
import org.springframework.security.authentication.AbstractAuthenticationToken;

public class MyToken extends AbstractAuthenticationToken {
    private String token;

    public MyToken(String token) {
        super(null);          // no authorities: the token starts out unauthenticated
        this.token = token;
    }

    @Override
    public Object getCredentials() {
        return token;         // the raw header value
    }

    @Override
    public Object getPrincipal() {
        return null;          // no principal is ever set on this token
    }
}
Filter:
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

public class MyFilter extends AbstractAuthenticationProcessingFilter {

    public MyFilter() {
        super("/login");      // only requests to /login go through this filter
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        String x_token = request.getHeader("x_token");
        String method = request.getMethod();
        if (x_token != null && method.equals("GET")) {
            return new MyToken(x_token);   // returns the token as built, without passing it to the AuthenticationManager
        }
        return null;                       // tells the base filter that authentication is still in progress
    }
}
Authentication provider:
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;

@Component
public class MyAuthenticationProvider implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        MyToken token = (MyToken) authentication;
        if (token.getCredentials() != null) {
            token.setAuthenticated(true);   // any non-null header value is accepted as-is
            return token;
        }
        return null;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(MyToken.class);
    }
}
Answer 0 (score: 0)
You have to call the AuthenticationManager in your custom subclass of AbstractAuthenticationProcessingFilter, see the Spring Security Reference:

The filter calls the configured AuthenticationManager to process each authentication request.

See also AbstractAuthenticationProcessingFilter#attemptAuthentication:

Performs actual authentication. The implementation should do one of the following:
1. Return a populated authentication token for the authenticated user, indicating successful authentication
2. Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
3. Throw an AuthenticationException if the authentication process fails

Your implementation does not return an authenticated token, see the log:

SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@17085d: Authentication: com.mycompany.myapp.configuration.MyToken@17085d: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities'

See also:
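The following is an added example of the fix the answer describes, written for this page and not code from the question or the answer. The filter hands the unauthenticated MyToken to getAuthenticationManager().authenticate(), which is what dispatches to the provider whose supports() accepts MyToken, and the provider validates the header value against a store instead of marking any non-null value authenticated as the original provider does. The config shows the wiring the question does not include: the provider is registered with the AuthenticationManagerBuilder and the manager is set on the filter. successfulAuthentication is overridden because the base filter's default success handler answers with a redirect, which an XHR client sees as a 302. Spring Security 4.x with the javax.servlet API is assumed (matching the 2016 log); the token value, the user name alice and the ROLE_USER authority are constructed placeholders.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.*;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.*;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.*;
import org.springframework.stereotype.Component;

// Token in two states: unauthenticated (header value only) and authenticated (principal + authorities).
class MyToken extends AbstractAuthenticationToken {
    private final String token;
    private final Object principal;

    MyToken(String token) {                    // built by the filter; not yet trusted
        super(null);
        this.token = token;
        this.principal = null;
    }

    MyToken(Object principal, String token, Collection<? extends GrantedAuthority> authorities) {
        super(authorities);                    // built by the provider after the token was validated
        this.token = token;
        this.principal = principal;
        setAuthenticated(true);
    }

    @Override public Object getCredentials() { return token; }
    @Override public Object getPrincipal()   { return principal; }
}

class MyFilter extends AbstractAuthenticationProcessingFilter {
    MyFilter() { super("/login"); }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {
        String xToken = request.getHeader("x_token");
        if (xToken == null || xToken.isEmpty()) {
            throw new BadCredentialsException("Missing x_token header"); // routed to the failure handler
        }
        // The step the original filter skipped: the manager calls the provider that supports MyToken.
        return getAuthenticationManager().authenticate(new MyToken(xToken));
    }

    // The default success handler redirects (302); an XHR client wants the request to proceed instead.
    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
                                            FilterChain chain, Authentication authResult)
            throws IOException, ServletException {
        SecurityContextHolder.getContext().setAuthentication(authResult);
        chain.doFilter(request, response);
    }
}

@Component
class MyAuthenticationProvider implements AuthenticationProvider {
    // Constructed sample store (assumption): opaque token value -> user name. Real code queries a token store.
    private static final Map<String, String> TOKENS =
            Collections.singletonMap("9f2c1e4b7a6d5c3e8b1a0f4d2c6e7a9b", "alice");

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String presented = (String) authentication.getCredentials();
        String user = lookup(presented);
        if (user == null) {
            throw new BadCredentialsException("Unknown x_token"); // never mark an unverified token authenticated
        }
        return new MyToken(user, presented, AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    // Compare in constant time against every stored token so response timing does not leak a match.
    private static String lookup(String presented) {
        byte[] p = presented.getBytes(StandardCharsets.UTF_8);
        String match = null;
        for (Map.Entry<String, String> e : TOKENS.entrySet()) {
            if (MessageDigest.isEqual(p, e.getKey().getBytes(StandardCharsets.UTF_8))) match = e.getValue();
        }
        return match;
    }

    @Override public boolean supports(Class<?> authentication) { return MyToken.class.equals(authentication); }
}

@Configuration @EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final MyAuthenticationProvider provider;
    SecurityConfig(MyAuthenticationProvider provider) { this.provider = provider; }

    @Override protected void configure(AuthenticationManagerBuilder auth) { auth.authenticationProvider(provider); }

    @Override protected void configure(HttpSecurity http) throws Exception {
        MyFilter filter = new MyFilter();
        filter.setAuthenticationManager(authenticationManagerBean()); // without this the filter has no manager to call
        http.addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

The four classes are shown in one listing; in a project each would be its own public class under the application package so that component scanning picks up the provider. A request such as GET /login with header x_token: 9f2c1e4b7a6d5c3e8b1a0f4d2c6e7a9b now reaches the provider and continues down the chain with an authenticated principal, a request with an unknown or missing header is handed to the failure handler, and the debug log shows the stored context with Authenticated: true and a non-null principal instead of the unauthenticated MyToken from the question.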