Spring Security:如何为不同的过滤器使用不同的 AuthenticationProvider

时间:2018-04-06 14:20:34

标签: spring spring-security jwt

在我的安全层中,我使用了两个过滤器:AjaxAuthenticationFilter 和 JWTAuthenticationFilter(它们都继承自 AbstractAuthenticationProcessingFilter)。我希望第一个过滤器只使用 AjaxAuthenticationProvider,第二个只使用 JwtAuthenticationProvider。

我的主要问题是:无法把这两个 AuthenticationProvider 分开,让每个过滤器只使用自己的那一个。

我已尝试过此代码,但无法正常工作:

/**
 * Security configuration as posted in the question (reported as not working).
 *
 * <p>Declares three {@code WebSecurityConfigurerAdapter}s: this outer class and two
 * nested ones annotated {@code @Order(1)} and {@code @Order(2)}. Both custom filters
 * are built with the single injected {@code authenticationManager} field, so they
 * share one manager.
 *
 * <p>NOTE(review): none of the three {@code configure(HttpSecurity)} methods narrows
 * its chain with {@code antMatcher(...)}, so presumably every chain matches every
 * request and only the {@code @Order(1)} chain is ever consulted - confirm. That chain
 * declares no {@code authorizeRequests()} rule, so the access rules in the outer
 * {@code configure} would then never be applied.
 */
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Request header name for the token; not referenced inside this class.
    public static final String AUTHENTICATION_HEADER_NAME = "Authorization";
    // URL handled by the Ajax login filter.
    public static final String AUTHENTICATION_URL = "/api/auth/login";
    public static final String REFRESH_TOKEN_URL = "/api/auth/token";
    // Pattern handed to the JWT filter's request matcher.
    public static final String API_ROOT_URL = "/api/**";


    @Autowired private RestAuthenticationEntryPoint authenticationEntryPoint;
    @Autowired private AjaxAwareAuthenticationSuccessHandler successHandler;
    @Autowired private AjaxAwareAuthenticationFailureHandler failureHandler;
    @Autowired private AjaxAuthenticationProvider ajaxAuthenticationProvider;
    @Autowired private JwtAuthenticationProvider jwtAuthenticationProvider;

    // One shared manager for both filters. NOTE(review): presumably this is the bean
    // exposed by authenticationManagerBean() below; the http.authenticationProvider(...)
    // calls in the nested classes do not obviously reach it - confirm.
    @Autowired private AuthenticationManager authenticationManager;
    @Autowired private ObjectMapper objectMapper;

    /**
     * Builds the login filter for {@code loginEntryPoint} and attaches the shared
     * {@code authenticationManager} to it.
     *
     * @param loginEntryPoint URL passed to the filter's constructor
     * @return the configured filter
     */
    protected AjaxLoginProcessingFilter buildAjaxLoginProcessingFilter(String loginEntryPoint) throws Exception {
        AjaxLoginProcessingFilter filter = 
                new AjaxLoginProcessingFilter(loginEntryPoint, successHandler, failureHandler, objectMapper);
        filter.setAuthenticationManager(authenticationManager);
        return filter;
    }

    /**
     * Builds the JWT filter with a {@code SkipPathRequestMatcher} and attaches the same
     * shared {@code authenticationManager} that the login filter uses.
     *
     * @param pathsToSkip paths given to the matcher as the ones to skip
     * @param pattern     pattern given to the matcher
     * @return the configured filter
     */
    protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter(List<String> pathsToSkip, String pattern) {
        SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, pattern);
        JwtTokenAuthenticationProcessingFilter filter = 
                new JwtTokenAuthenticationProcessingFilter(failureHandler, matcher);
        filter.setAuthenticationManager(this.authenticationManager);
        return filter;
    }

    /** Exposes the adapter's {@code AuthenticationManager} as a Spring bean. */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }



    /**
     * Declares the access rules: the listed endpoints are open, {@code /api/**}
     * requires authentication. No custom filter is added to this chain.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // NOTE(review): "/console" is reachable without authentication - confirm what
        // it serves before exposing it outside a development environment.
        List<String> permitAllEndpointsList = Arrays.asList(
            AUTHENTICATION_URL,
            REFRESH_TOKEN_URL,
            "/console"
        );

        http.
            // CSRF protection is switched off. NOTE(review): that is only sound if
            // credentials never travel in a cookie the browser attaches automatically.
            csrf().disable()
            .exceptionHandling()
            .authenticationEntryPoint(this.authenticationEntryPoint)

        .and()
            .sessionManagement()
            // No HTTP session is created or used to hold the security context.
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)

        .and()
            .authorizeRequests()
            .antMatchers(permitAllEndpointsList.toArray(new String[permitAllEndpointsList.size()]))
            .permitAll()
        .and()
            .authorizeRequests()
            .antMatchers(API_ROOT_URL).authenticated(); 
    }

    /**
     * Chain that installs the Ajax login filter. It sets no request matcher, no
     * authorization rules and no session policy.
     */
    @Configuration
    @Order(1)
    public class AjaxWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http
                .csrf().disable()
                .addFilterBefore(buildAjaxLoginProcessingFilter(AUTHENTICATION_URL), UsernamePasswordAuthenticationFilter.class)
                // Registers the provider on this HttpSecurity; the filter above was
                // already given the outer class's shared manager.
                .authenticationProvider(ajaxAuthenticationProvider);

        }

    }

    /**
     * Chain that installs the JWT filter. Like the chain above, it sets no request
     * matcher, no authorization rules and no session policy.
     */
    @Configuration
    @Order(2)
    public class JwtWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Paths handed to the JWT filter's matcher as the ones to skip.
            List<String> permitAllEndpointsList = Arrays.asList(
                    AUTHENTICATION_URL,
                    REFRESH_TOKEN_URL,
                    "/console"
                );

            http
                .csrf().disable()
                .addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(permitAllEndpointsList, API_ROOT_URL),
                    UsernamePasswordAuthenticationFilter.class)
                // Same remark as for the Ajax chain: the filter holds the shared manager.
                .authenticationProvider(jwtAuthenticationProvider);

        }

    }

}

1 个答案:

答案 0 :(得分:0)

感谢您的帮助。我的代码完全错了:注解(annotations)和方法都用错了。

我解决了我的问题,将正确的authManager传递给目标配置(仅考虑):

 /**
  * First filter chain ({@code @Order(1)}). Its own AuthenticationManager is built
  * from a single provider, {@code ajaxAuthenticationProvider}.
  */
 @Configuration
    @Order(1)
    public class AjaxWebSecurityConfig extends WebSecurityConfigurerAdapter {

        /**
         * Registers {@code ajaxAuthenticationProvider} on this adapter's manager builder.
         *
         * @param managerBuilder builder supplied by the adapter
         */
        @Override
        protected void configure(AuthenticationManagerBuilder managerBuilder) throws Exception {
            managerBuilder.authenticationProvider(ajaxAuthenticationProvider);
        }

    }

/**
 * Second filter chain. It carries no {@code @Order}, so it keeps the adapter's default
 * order and is evaluated after the {@code @Order(1)} chain. Its own
 * AuthenticationManager is built from a single provider, {@code jwtAuthenticationProvider}.
 */
@Configuration
public class JwtWebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Registers {@code jwtAuthenticationProvider} on this adapter's manager builder.
     *
     * @param managerBuilder builder supplied by the adapter
     */
    @Override
    protected void configure(AuthenticationManagerBuilder managerBuilder) throws Exception {
        managerBuilder.authenticationProvider(jwtAuthenticationProvider);
    }
}

在使用 @Order(1) 的配置中,必须定义 antMatcher,把这条过滤器链限定到登录相关的路径:

// Fragment of the HttpSecurity chain in the @Order(1) configuration.
.and()
                    // Limits this whole filter chain to /api/auth/**; requests outside
                    // the pattern are left to the next chain.
                    .antMatcher("/api/auth/**")
                    .authorizeRequests()
                    // Only the login URL gets an explicit rule here.
                    // NOTE(review): other paths under /api/auth/** match this chain but
                    // have no rule - confirm how they should be treated.
                    .antMatchers(AUTHENTICATION_URL)
                    .permitAll()

在最后一个配置中,我必须为 "/**" 定义 antMatchers:

// Fragment of the last configuration: every request that reaches this chain
// must be authenticated.
.authorizeRequests()
        .antMatchers("/**").authenticated()

最终结果:

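/**
 * Wires two Spring Security filter chains so that each custom filter authenticates
 * against its own {@link AuthenticationManager}, and therefore only its own provider.
 *
 * <ul>
 *   <li>{@link AjaxWebSecurityConfig} ({@code @Order(1)}) is limited to
 *       {@code /api/auth/**} and registers only {@code ajaxAuthenticationProvider}.</li>
 *   <li>{@link JwtWebSecurityConfig} has no {@code @Order}; it keeps the adapter's
 *       default order, is evaluated last and acts as the catch-all chain. It registers
 *       only {@code jwtAuthenticationProvider}.</li>
 * </ul>
 *
 * <p>Both chains disable CSRF protection, so both are kept stateless: with CSRF off,
 * a security context stored in an HTTP session would let a session cookie stand in
 * for the token.
 */
@EnableWebSecurity
public class WebSecurityConfig {

    // Request header name for the token; not referenced inside this class.
    public static final String AUTHENTICATION_HEADER_NAME = "Authorization";
    // URL handled by the Ajax login filter.
    public static final String AUTHENTICATION_URL = "/api/auth/login";
    // Falls under /api/auth/**, so it is served by the @Order(1) chain.
    public static final String REFRESH_TOKEN_URL = "/api/auth/token";
    // Pattern handed to the JWT filter.
    public static final String API_ROOT_URL = "/api/**";

    @Autowired private RestAuthenticationEntryPoint authenticationEntryPoint;
    @Autowired private AjaxAwareAuthenticationSuccessHandler successHandler;
    @Autowired private AjaxAwareAuthenticationFailureHandler failureHandler;
    @Autowired private AjaxAuthenticationProvider ajaxAuthenticationProvider;
    @Autowired private JwtAuthenticationProvider jwtAuthenticationProvider;

    @Autowired private ObjectMapper objectMapper;

    /**
     * Builds the login filter and binds it to the manager of the calling chain.
     *
     * @param loginEntryPoint URL passed to the filter's constructor
     * @param authManager     manager the filter delegates authentication to
     * @return the configured filter
     */
    protected AjaxLoginProcessingFilter buildAjaxLoginProcessingFilter(String loginEntryPoint,
            AuthenticationManager authManager) throws Exception {
        AjaxLoginProcessingFilter filter =
                new AjaxLoginProcessingFilter(loginEntryPoint, successHandler, failureHandler, objectMapper);
        filter.setAuthenticationManager(authManager);
        return filter;
    }

    /**
     * Builds the JWT filter and binds it to the manager of the calling chain.
     *
     * @param urlForFilter URL pattern passed to the filter's constructor
     * @param authManager  manager the filter delegates authentication to
     * @return the configured filter
     */
    protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter(String urlForFilter,
            AuthenticationManager authManager) {
        JwtTokenAuthenticationProcessingFilter filter =
                new JwtTokenAuthenticationProcessingFilter(failureHandler, urlForFilter);
        filter.setAuthenticationManager(authManager);
        return filter;
    }

    /** Login chain: handles {@code /api/auth/**} with the Ajax provider only. */
    @Configuration
    @Order(1)
    public class AjaxWebSecurityConfig extends WebSecurityConfigurerAdapter {

        /** Makes {@code ajaxAuthenticationProvider} the only provider of this chain's manager. */
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(ajaxAuthenticationProvider);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http
                .csrf().disable()
                .exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint)

            .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)

            .and()
                // Without this matcher the chain would claim every request and the
                // JWT chain below would never be consulted.
                .antMatcher("/api/auth/**")
                .authorizeRequests()
                // NOTE(review): REFRESH_TOKEN_URL and any other path under
                // /api/auth/** match this chain but have no rule here; presumably they
                // pass the authorization step. Confirm that the refresh endpoint
                // validates its token itself, or add an explicit rule for it.
                .antMatchers(AUTHENTICATION_URL)
                .permitAll()

            .and()
                // super.authenticationManager() is this adapter's own manager, built
                // from configure(AuthenticationManagerBuilder) above.
                .addFilterBefore(
                    buildAjaxLoginProcessingFilter(AUTHENTICATION_URL, super.authenticationManager()),
                    UsernamePasswordAuthenticationFilter.class)
                // NOTE(review): looks redundant next to configure(AuthenticationManagerBuilder);
                // kept as in the original.
                .authenticationProvider(ajaxAuthenticationProvider);

        }

    }

    /** Catch-all chain: everything not taken by the login chain needs a valid JWT. */
    @Configuration
    public class JwtWebSecurityConfig extends WebSecurityConfigurerAdapter {

        /** Makes {@code jwtAuthenticationProvider} the only provider of this chain's manager. */
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(jwtAuthenticationProvider);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http
                .csrf().disable()
                // Same entry point as the login chain, so unauthenticated requests
                // are answered the same way on both chains.
                .exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint)

            .and()
                // CSRF is disabled above, so the security context must not be kept
                // in an HTTP session: each request has to present its own token.
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)

            .and()
                .authorizeRequests()
                .antMatchers("/**").authenticated()

            .and()
                .addFilterBefore(
                    buildJwtTokenAuthenticationProcessingFilter(API_ROOT_URL, super.authenticationManager()),
                    UsernamePasswordAuthenticationFilter.class)
                // NOTE(review): looks redundant next to configure(AuthenticationManagerBuilder);
                // kept as in the original.
                .authenticationProvider(jwtAuthenticationProvider);

        }

    }

}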