Unable to use access="permitAll"

Time: 2018-03-08 03:03:34

Tags: spring rest spring-security

I am using Spring 4 and Hibernate 5.

Below is my Spring Security XML configuration.

I have this line:

<intercept-url pattern="/android/download"          access="permitAll" />

When I try to access it from SOAPUI, all I get is

Authentication request failed: com.test.common.JwtTokenMissingException: No token found in request headers. Please login again!
com.test.common.JwtTokenMissingException: No token found in request headers. Please login again!

Is there something wrong with my configuration file? I don't want to set it to security="none", because I want it to go through Spring Security.

Could it be the order in which authentication is performed in my CustomAuthenticationFilter class?

Spring Security XML file:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security.xsd
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans.xsd
      http://www.springframework.org/schema/context
      http://www.springframework.org/schema/context/spring-context.xsd">

    <sec:http auto-config="false" create-session="stateless" entry-point-ref="customEntryPoint" use-expressions="true">
        <intercept-url pattern="/admin/**"                  access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
        <intercept-url pattern="/agent/**"                  access="isFullyAuthenticated()" />
        <intercept-url pattern="/analysis/**"               access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('IC') or hasRole('OPS')" />
        <intercept-url pattern="/android/download"          access="permitAll" />
        <intercept-url pattern="/android/**"                access="hasRole('ADMIN') or hasRole('SNF_AGENT')" />
        <intercept-url pattern="/audit/**"                  access="hasRole('ADMIN')" />
        <intercept-url pattern="/auth/logout"               access="isFullyAuthenticated()" />
        <intercept-url pattern="/external/**"               access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('SV_IC') or hasRole('IC') " />
        <intercept-url pattern="/index.xhtml"               access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
        <intercept-url pattern="/misc/**"                   access="isFullyAuthenticated()" />
        <intercept-url pattern="/mission/missions/search"   access="isFullyAuthenticated()" />
        <intercept-url pattern="/mission/**"                access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('SV_IC')" />
        <intercept-url pattern="/report/**"                 access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
        <intercept-url pattern="/request/**"                access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('IC') or hasRole('OPS')" />
        <intercept-url pattern="/target/**"                 access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('IC')" />
        <intercept-url pattern="/trawling/**"               access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />

        <intercept-url pattern="/**"                        access="denyAll" />     

        <sec:custom-filter ref="customAuthenticationFilter"
            before="PRE_AUTH_FILTER" />

        <sec:csrf disabled="true" />

    </sec:http>

    <sec:authentication-manager alias="authenticationManager">
        <authentication-provider ref="customAuthenticationProvider" />
    </sec:authentication-manager>

    <beans:bean id="customAuthenticationFilter"
        class="com.test.common.CustomAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="authenticationSuccessHandler"
            ref="customSuccessHandler" />
    </beans:bean>

    <beans:bean id="customSuccessHandler" class="com.test.common.CustomSuccessHandler" />

</beans:beans>

/ **EDITED** /

I missed this part of the code from the CustomAuthenticationFilter class:

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
    {
        // The token is normally carried in a request header
        String header = request.getHeader(this.tokenHeader);

        // For JSF pages the token is read from the HTTP session instead
        if (request.getServletPath().contains(".xhtml"))
        {
            header = (String) request.getSession().getAttribute("token");
        }

        // No token (or wrong prefix): the filter fails here, before any intercept-url rule is consulted
        if (header == null || !header.startsWith(PropertiesUtil.TOKEN_HEADER))
        {
            throw new JwtTokenMissingException(msgProperty.getProperty(MessageUtil.ERR_AUTH_NO_TOKEN));
        }

        String authToken = header.substring(PropertiesUtil.TOKEN_HEADER.length());

        JwtAuthenticationToken authRequest = new JwtAuthenticationToken(authToken);

        return getAuthenticationManager().authenticate(authRequest);
    }

1 answer:

Answer 0 (score: 0)

permitAll means that any authentication, even an AnonymousAuthenticationToken, is allowed, but your request never gets that far. You have a custom filter, which I assume derives from AbstractAuthenticationProcessingFilter, and since the filter throws an exception when the header is missing, your request never reaches the AuthenticationManager.

There are several ways to solve this; here are two.

  1. Create another filter chain <sec:http...> for the endpoints that don't need a token, and use an AnonymousAuthenticationFilter for that filter chain.
  2. If the JWT header is missing, return an AnonymousAuthenticationToken from the filter.

Hope this helps.
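The second option from the answer, written out as an added example (not the asker's CustomAuthenticationFilter and not code from the answer): on a path that is allowed without a token, a missing JWT yields an anonymous Authentication so the permitAll rule in the XML can decide, while every other path keeps failing exactly as before. The header name, the "Bearer " prefix and the whitelisted path are assumptions; JwtTokenMissingException and JwtAuthenticationToken are the classes named in the question.

```java
import java.util.Collection;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Illustrative filter, not the asker's CustomAuthenticationFilter. JwtTokenMissingException
// and JwtAuthenticationToken are the classes referenced in the question.
public class JwtOrAnonymousAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    // Assumed header layout; the asker's real values live in PropertiesUtil.
    private static final String TOKEN_HEADER = "Authorization";
    private static final String TOKEN_PREFIX = "Bearer ";

    // Same authority AnonymousAuthenticationFilter grants by default.
    private static final Collection<GrantedAuthority> ANON_AUTHORITIES =
            AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS");

    // Paths that may be served without a token; keep in step with the permitAll
    // entries in the security XML (here only /android/download, as in the question).
    private final AntPathRequestMatcher tokenOptional = new AntPathRequestMatcher("/android/download");

    public JwtOrAnonymousAuthenticationFilter() {
        super("/**"); // run for every request, as the asker's custom-filter does
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        String header = request.getHeader(TOKEN_HEADER);
        if (header == null || !header.startsWith(TOKEN_PREFIX)) {
            if (tokenOptional.matches(request)) {
                // No token on a public path: return an anonymous principal so the
                // intercept-url rules (permitAll) decide instead of failing here.
                return new AnonymousAuthenticationToken("anonymousKey", "anonymousUser", ANON_AUTHORITIES);
            }
            // Protected path without a token: same failure the asker sees today.
            throw new JwtTokenMissingException("No token found in request headers. Please login again!");
        }

        String authToken = header.substring(TOKEN_PREFIX.length());
        return getAuthenticationManager().authenticate(new JwtAuthenticationToken(authToken));
    }
}
```

Because AbstractAuthenticationProcessingFilter hands every non-null result of attemptAuthentication() to successfulAuthentication(), the configured success handler also runs for the anonymous token and must still forward the request down the chain. /android/** other than /android/download is unaffected, since those requests still reach the throw and the existing hasRole rule never sees an anonymous principal.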