我有一个通过JWT进行身份验证的Spring Boot REST API。我的问题是我已经配置了Spring Security以允许不受限制地访问用于验证/auth/token的路径,但是当它不应该时,它仍然会访问我的安全过滤器。不知道我在哪里出错了,任何建议都被大量挪用
安全配置
public class JwtWebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JwtAuthenticationEntryPoint unauthorizedHandler;
@Autowired
private UserDetailsService userDetailsService;
@Autowired
public void configureAuthentication(AuthenticationManagerBuilder authenticationManagerBuilder)
throws Exception {
authenticationManagerBuilder
.userDetailsService(this.userDetailsService)
.passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public JwtAuthenticationFilter authenticationTokenFilter() throws Exception {
return new JwtAuthenticationFilter();
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.authorizeRequests()
.antMatchers("/auth/token").permitAll() // do not authenticate
.anyRequest().authenticated()
// TODO: configure
.cors()
.and()
// TODO enable and configure
.csrf().disable()
// Unauthorized request handler
.exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
// Keep application security stateless
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// JWT security filter
httpSecurity.addFilterBefore(authenticationTokenFilter(),
UsernamePasswordAuthenticationFilter.class);
// Disable page caching to prevent cached REST responses
httpSecurity.headers().cacheControl();
}
@Override
public void configure(WebSecurity webSecurity) throws Exception {
webSecurity.ignoring().antMatchers(HttpMethod.POST, "/auth/token");
}
}
过滤器
public class JwtAuthenticationFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
FilterChain chain) throws ServletException, IOException {
// this runs
}
}
控制器
@RestController
public class AuthenticationController {
// Authenticate user
@RequestMapping(value = "/auth/token", method = RequestMethod.POST)
public ResponseEntity<?> createAuthenticationToken(HttpServletResponse response,
@RequestBody JwtAuthenticationRequest authenticationRequest, Device device) throws AuthenticationException {
// never gets to run
}
}
答案 0 :(得分:0)
感谢@dur询问我是否使用了Spring Boot,这使我得到了解决方案。
这让我开始考虑Spring Boot如何动态地为我们自动创建bean,这最终成为了罪魁祸首。事实证明我的JwtAuthenticationFilter类被Spring Boot自动放入过滤器链中,但是当我在安全配置中明确声明它时,它也被包含在安全过滤器链中。因此,尽管我在安全配置中的/auth/token方法中排除ignoring()是正确的,但这还不足以阻止过滤器在Spring Boot本身的上下文中发生。解决方案是配置一个bean,明确阻止它被Spring Boot添加
@Bean
public RegistrationBean jwtAuthFilterRegister(JwtAuthenticationFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
registrationBean.setEnabled(false);
return registrationBean;
}
答案 1 :(得分:-1)
只是一个建议。
是否有可能,你不是认证,而是cors?
身份验证 - HTTP状态401
CORS - HTTP状态403
如果你启用了cors并且没有配置它,它就不允许任何来源请求。 来自CorsConfiguration javadoc:
默认情况下,新创建的CorsConfiguration不允许任何跨源请求,必须明确配置以指示应该允许的内容。