我将春季靴子迁移到了版本2。不幸的是,我授权的管理方法似乎不再起作用。 没有得到403错误,我将无法使用/ getToken方法。这种方法至关重要,因为它使我可以对用户进行身份验证,从而知道他们是否有权访问资源
有人知道要使其重新工作需要进行哪些更改吗?
这里是我的配置
package restService.serv.api.util;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Value("${declasin.userName}")
private String username;
@Value("${declasin.password}")
private String password;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers(HttpMethod.POST, "/api/notConnected/**").permitAll()
.antMatchers(HttpMethod.GET, "/api/notConnected/**").permitAll()
.antMatchers(HttpMethod.GET, "/v2/**").permitAll()
.antMatchers(HttpMethod.GET, "/swagger-ui.html**").permitAll()
.antMatchers(HttpMethod.POST, "/services/export/green-card/**").permitAll()
.antMatchers(HttpMethod.GET, "/services/export/green-card/**").permitAll()
.antMatchers("/swagger-resources/**").permitAll()
.antMatchers(HttpMethod.GET, "/null/swagger-resources/configuration/ui").permitAll()
.antMatchers(HttpMethod.GET, "/webjars/**").permitAll()
.antMatchers(HttpMethod.POST, "/getToken").permitAll()
.anyRequest().authenticated();
// We filter the api/login requests
http.addFilterBefore(new JWTLoginFilter("/getToken", authenticationManager()),
UsernamePasswordAuthenticationFilter.class)
// And filter other requests to check the presence of JWT in header
.addFilterBefore(new JWTAuthenticationFilter(),
UsernamePasswordAuthenticationFilter.class);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// Create a default account
auth.inMemoryAuthentication()
.withUser(username)
.password(password)
.roles("ADMIN");
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/getToken")
.and()
.ignoring()
.antMatchers(
HttpMethod.GET,
"/",
"/*.html",
"/favicon.ico",
"/**/*.html",
"/**/*.css",
"/**/*.js"
);
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/api/**", new CorsConfiguration().applyPermitDefaultValues());
return source;
}
}
,这里是我的登录过滤器:
public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter {
public JWTLoginFilter(String url, AuthenticationManager authManager) {
super(new AntPathRequestMatcher(url));
setAuthenticationManager(authManager);
}
@Override
public Authentication attemptAuthentication(
HttpServletRequest req, HttpServletResponse res)
throws AuthenticationException, IOException, ServletException {
AccountCredentials creds = new ObjectMapper()
.readValue(req.getInputStream(), AccountCredentials.class);
return getAuthenticationManager().authenticate(
new UsernamePasswordAuthenticationToken(
creds.getUsername(),
creds.getPassword(),
Collections.emptyList()
)
);
}
编辑: 在测试了另一项服务以进行授权后,我注意到它仅在/ gettoken上阻止。 webconfig安全性看起来不错。 从Spring Boot 1.5到2.0的过渡已经改变了有关生成服务令牌jwt的某些事情。
感谢您的帮助