我有一个RESTful Web应用程序,希望实现基于令牌的身份验证。我能够发出一个令牌拦截带有过滤器类的请求,如下所示:
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
JpaConfiguration jpaConfiguration;
@Override
protected void configure(HttpSecurity http) throws Exception {
// disable caching
http.headers().cacheControl();
http.csrf().disable() // disable csrf for our requests.
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers(HttpMethod.POST, "/login").permitAll()
.anyRequest().authenticated()
.and()
// Here the login requests is filtered
.addFilterBefore(new JWTLoginFilter("/login", authenticationManager()), UsernamePasswordAuthenticationFilter.class)
// Much probably here I have to filter other requests to check the presence of JWT in header,
// here i just add a commented block with teh name of the Filter
//.addFilterBefore(new JWTAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
;
}
}
JWTLoginFilter类如下所示:
public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter {
private TokenAuthenticationService tokenAuthenticationService;
public JWTLoginFilter(String url, AuthenticationManager authenticationManager) {
super(new AntPathRequestMatcher(url));
setAuthenticationManager(authenticationManager);
tokenAuthenticationService = new TokenAuthenticationService();
}
@Override
public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
throws AuthenticationException, IOException, ServletException {
ServletInputStream inputStream = httpServletRequest.getInputStream();
httpServletRequest.getCharacterEncoding();
ObjectMapper mapper = new ObjectMapper();
AccountCredentials credentials = mapper.readValue(inputStream, AccountCredentials.class);
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(credentials.getUsername(), credentials.getPassword());
return getAuthenticationManager().authenticate(token);
}
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authentication)
throws IOException, ServletException {
String name = authentication.getName();
tokenAuthenticationService.addAuthentication(response, name);
}
}
哪个类应该扩展JWTAuthenticationFilter以拦截请求?
它仍然是AbstractAuthenticationProcessingFilter类吗?
有没有更好的方法来开发基于令牌的身份验证?
答案 0 :(得分:0)
我不确切知道为什么使用JWTLoginFilter。我正在开发一个开发由OAuth2保护的RESTful的项目。概括地说,请求者必须将访问令牌与REST API一起传递以进行授权。
以下是可能是参考的示例
@Configuration
@EnableResourceServer
public class Oauth2AuthConfiguration implements ResourceServerConfigurer {
@Autowired
private OAuth2RemoteTokenServices tokenServices;
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.tokenServices(tokenServices);
}
@Override
public void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.exceptionHandling()
.accessDeniedHandler(new PPDAccessDeniedHandler())
.authenticationEntryPoint(new PPDAuthenticationEntryPoint())
.and()
.authorizeRequests()
.antMatchers(POST, "/api/test").hasAuthority("PARTNER");
}
}
OAuth2RemoteTokenServices.java
public class OAuth2RemoteTokenServices implements ResourceServerTokenServices{
//implement how you can validate token here
// reference: org.springframework.security.oauth2.provider.token.RemoteTokenServices
}
答案 1 :(得分:0)
所以我终于找到了解决方案:
public class JWTAuthenticationFilter extends GenericFilterBean implements Filter {
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
try{
...
SecurityContextHolder.getContext().setAuthentication(token);
chain.doFilter(servletRequest, response);
}catch(Exception e){
e.printStackTrace();
}
}
}
JWTAuthenticationFilter扩展了一个GenericFilterBean类,并且必须实现一个Spring安全过滤器,方法doFilter可以解决这个问题。
注意:您必须从doFilter课程调用FilterChain方法,除非您新来到端点,我对此感到疯狂。