根据本文,我使用Spring Security为JWT制作了REST安全性 - https://www.toptal.com/java/rest-security-with-jwt-spring-security-and-java
特别是,我有一个过滤器,使用来自请求的“授权”标题的令牌来验证用户:
public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
public JwtAuthenticationFilter() {
super("/**");
}
@Override
protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
return true;
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
String header = request.getHeader("Authorization");
if (header == null || !header.startsWith("Bearer ")) {
throw new JwtTokenMissingException("No JWT token found in request headers");
}
String authToken = header.substring(7);
JwtAuthenticationToken authRequest = new JwtAuthenticationToken(authToken);
return getAuthenticationManager().authenticate(authRequest);
}
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult)
throws IOException, ServletException {
super.successfulAuthentication(request, response, chain, authResult);
// As this authentication is in HTTP header, after success we need to continue the request normally
// and return the response as if the resource was not secured at all
chain.doFilter(request, response);
}
}
因此,当处理请求我的过滤器每次都没有找到授权和HttpServletRequest对象和应用程序中的任何其他Headers信息时,会给出用户未经过身份验证的答案。 当我停用JWT安全过滤器时,相同的请求中包含所有标头。
我是否有任何想法如何解决此问题?
我的配置文件是:
?xml version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd">
<!--activate @PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize annotations on any spring beans in the context-->
<global-method-security pre-post-annotations="enabled" />
<!--define the login and signup endpoints to skip security-->
<http pattern="/authenticate" security="none"/>
<!--we define the filter chain applied to all requests while adding two important configs: Entry point reference and -->
<!--setting the session creation to stateless (we do not want the session created for security purposes as -->
<!--we are using tokens for each request)-->
<http pattern="/**" entry-point-ref="restAuthenticationEntryPoint" create-session="stateless">
<!--We do not need csrf protection because our tokens are immune to it-->
<csrf disabled="true"/>
<!--we plug in our special authentication filter within the Spring’s predefined filter chain,-->
<!--just before the form login filter-->
<custom-filter before="FORM_LOGIN_FILTER" ref="jwtAuthenticationFilter"/>
</http>
<!--This bean is the declaration of our authentification filter; since it is extending Spring’s -->
<!--AbstractAuthenticationProcessingFilter, we need to declare it in XML to wire its properties -->
<!--(auto wire does not work here)-->
<beans:bean id="jwtAuthenticationFilter" class="by.eventcat.rest.security.JwtAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<!--The default success handler of AbstractAuthenticationProcessingFilter is not good enough for REST purposes -->
<!--because it redirects the user to a success page; that is why we set our own here-->
<beans:property name="authenticationSuccessHandler" ref="jwtAuthenticationSuccessHandler" />
</beans:bean>
<authentication-manager alias="authenticationManager">
<!--The declaration of the provider created by the authenticationManager is used by our filter to authenticate users-->
<authentication-provider ref="jwtAuthenticationProvider" />
</authentication-manager>
<beans:bean id="restAuthenticationEntryPoint" class="by.eventcat.rest.security.RestAuthenticationEntryPoint"/>
<beans:bean id="jwtAuthenticationProvider" class="by.eventcat.rest.security.JwtAuthenticationProvider"/>
<beans:bean id="jwtUtil" class="by.eventcat.rest.security.JwtUtil"/>
答案 0 :(得分:1)
我已经添加到我的应用程序CORS配置中,这不仅会影响响应,还会影响请求。所以,对于我的web.xml,我添加了:
<!--CORS configuration-->
<filter>
<filter-name>corsFilter</filter-name>
<filter-class>by.eventcat.rest.MyCorsFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>corsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
MyCorsFilter是:
public class MyCorsFilter extends CorsFilter {
public MyCorsFilter() {
super(configurationSource());
}
private static UrlBasedCorsConfigurationSource configurationSource() {
CorsConfiguration config = new CorsConfiguration();
config.addAllowedOrigin("*");
config.addAllowedMethod("*");
config.addAllowedHeader("*");
config.setAllowCredentials(true);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", config);
return source;
}
}