Spring Security自定义AuthenticationProvider认证方法调用两次

时间:2017-08-29 12:26:17

标签: spring authentication spring-security

我正在开发一个使用API​​密钥进行身份验证的Spring Boot。我创建了一个自定义身份验证提供程序,并且两次调用authenticate方法。谁能告诉我为什么它会被叫两次?

这是我的身份验证方法:

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    ApiAuthenticationToken authenticationToken = (ApiAuthenticationToken) authentication;

    /**
     * Authenticate the token
     */
    ValidateApiKeyRequest request = new ValidateApiKeyRequest(authenticationToken.getApiKey());
    ValidateApiKeyResp resp = getValidateApiKeyCommand().execute(request);

    /**
     * Populate and return a new authenticaiton token
     */
    return createSuccessAuthentication(resp);
}

这是createSuccessAuthentication方法:

protected Authentication createSuccessAuthentication(final ValidateApiKeyResp resp) {
    List<GrantedAuthority> authorities = Lists.newArrayList();
    authorities.add(new SimpleGrantedAuthority("API_KEY"));
    return new ApiAuthenticationToken(resp.getApiKey(), authorities, true);
}

这是ApiAuthenticationToken构造函数:

public ApiAuthenticationToken(final ApiKey apiKey, Collection<? extends GrantedAuthority> authorities, boolean authenticated) {
    super(authorities);
    setAuthenticated(true);
    this.apiKey = apiKey;
}

这是我的安全配置:

protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher(CONFIGURATION_MATCHER)
        .exceptionHandling().authenticationEntryPoint(restAuthenticationEntryPoint())
        .and()
        .addFilterBefore(apiKeyAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
        .csrf().disable()
        .authorizeRequests().antMatchers(CONFIGURATION_MATCHER).authenticated()
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authenticationProvider(apiKeyAuthenticationProvider());

1 个答案:

答案 0 :(得分:0)

以防万一其他人有这个问题:

问题与我的弹簧安全配置有关。我有几个用@Bean注释的方法 - 见下文

@Bean
public ApiKeyAuthenticationProvider apiKeyAuthenticationProvider() {
    return new ApiKeyAuthenticationProvider(getValidateApiKeyCommand());
}

@Bean
public RestAuthenticationEntryPoint restAuthenticationEntryPoint() {
    return new RestAuthenticationEntryPoint();
}

@Bean
public ApiKeyAuthenticationFilter apiKeyAuthenticationFilter() throws Exception {
    ApiKeyAuthenticationFilter apiKeyAuthenticationFilter = new ApiKeyAuthenticationFilter();
    apiKeyAuthenticationFilter.setAuthenticationManager(authenticationManagerBean());
    apiKeyAuthenticationFilter.setAuthenticationSuccessHandler(new ApiKeyAuthenticationSuccessHandler());
    apiKeyAuthenticationFilter.setAuthenticationFailureHandler(new ApiKeyAuthenticationFailureHandler());
    return apiKeyAuthenticationFilter;
}

但是这些bean在configure(HttpSecurity http)方法中再次注册。

protected void configure(HttpSecurity http) throws Exception {

    http.antMatcher(CONFIGURATION_MATCHER)
        .exceptionHandling().authenticationEntryPoint(restAuthenticationEntryPoint())
        .and()
        .addFilterBefore(apiKeyAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
        .csrf().disable()
        .authorizeRequests().antMatchers(CONFIGURATION_MATCHER).authenticated()
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authenticationProvider(apiKeyAuthenticationProvider());
}

修复是删除@Bean注释。现在似乎显而易见:)

相关问题
最新问题