How to authenticate an already authenticated user's token by calling an API provided by the server

Time: 2018-10-03 10:26:17

Tags: spring security single-sign-on

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

// Class name assumed; the question only shows the two overridden methods
public class TokenAuthenticationProvider implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authenti) throws AuthenticationException {
        // TODO Auto-generated method stub
        //String token=authenti.implies("userdetails");
        //UserDetails u=(UserDetails) authenti.getDetails();
        //String accessToken=authenti.

        //String aceToken=HttpServletRequest.this.getAttribute("accessToken");
        return null;
    }

    @Override
    public boolean supports(Class<?> arg0) {
        // TODO Auto-generated method stub
        return false;
    }
}

1 answer:

Answer 0 (score: 0)

I think a custom AuthenticationProvider is not the best idea in your case: in its overridden method you are already working with an Authentication, so the token should be handled before authentication.

A filter is the better option:

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class JwtAuthenticationFilter extends OncePerRequestFilter {

    // Your own class that validates the JWT and reads its claims (type name assumed)
    @Autowired
    private JwtTokenProvider tokenProvider;

    // Your own service that loads a user by the identifier stored in the token (type name assumed)
    @Autowired
    private CustomUserDetailsService customDetailsService;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        try {
            String jwt = null;
            String token = request.getHeader(HttpHeaders.AUTHORIZATION);
            if (StringUtils.hasText(token) && token.startsWith("Bearer ")) {
                jwt = token.substring(7);
            }
            if (StringUtils.hasText(jwt) && tokenProvider.validateToken(jwt)) {
                Long personId = tokenProvider.getUserIdFromJWT(jwt); // it may be another identifier: unique name, email, etc.
                UserDetails userDetails = customDetailsService.loadUserById(personId);
                UsernamePasswordAuthenticationToken authentication =
                        new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
                authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                SecurityContextHolder.getContext().setAuthentication(authentication);
            }
            filterChain.doFilter(request, response);
        } catch (JwtException exception) { // custom exception thrown by the token provider class (your own type)
            // create and send the error, either with response.sendError or via response.getOutputStream()
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, exception.getMessage());
        }
    }
}

After that, the information from the token is available in the Authentication instance and you can process it anywhere.
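The answer's filter delegates the actual checks to tokenProvider.validateToken and tokenProvider.getUserIdFromJWT but does not show them. The following is an added, self-contained example (not code from the question, the answer, or any Spring project) of what such a provider has to do for an HS256 token: verify the signature in constant time, refuse to let the token choose its own algorithm, check expiry, and only then read the subject. The class name and method names follow the answer; the implementation, the regex-based claim extraction, the secret and the tokens built in main are all assumptions constructed for the demo, and a real deployment would use a JWT library and a key loaded from configuration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical HS256 token provider standing in for the answer's tokenProvider
public class JwtTokenProvider {

    private static final String HMAC_ALG = "HmacSHA256";
    private final byte[] secret;

    public JwtTokenProvider(byte[] secret) {
        this.secret = secret;
    }

    // True only if the header pins HS256, the signature verifies and "exp" is in the future
    public boolean validateToken(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            return false; // also rejects "alg":"none" tokens, which carry an empty signature part
        }
        try {
            // The server decides the algorithm; a token claiming anything else is refused
            if (!decode(parts[0]).contains("\"alg\":\"HS256\"")) {
                return false;
            }
            byte[] expected = sign(parts[0] + "." + parts[1]);
            byte[] actual = Base64.getUrlDecoder().decode(parts[2]);
            // Constant-time comparison so a forger cannot learn the signature byte by byte
            if (!MessageDigest.isEqual(expected, actual)) {
                return false;
            }
            Long exp = numericClaim(decode(parts[1]), "exp");
            return exp != null && exp > System.currentTimeMillis() / 1000;
        } catch (IllegalArgumentException e) { // malformed base64url in any part
            return false;
        }
    }

    // Reads the numeric "sub" claim; only meaningful after validateToken returned true
    public Long getUserIdFromJWT(String jwt) {
        Long sub = numericClaim(decode(jwt.split("\\.")[1]), "sub");
        if (sub == null) {
            throw new IllegalArgumentException("token has no numeric sub claim");
        }
        return sub;
    }

    // Issues a token so the validator can be exercised offline (constructed for the demo)
    public String createToken(long userId, long expEpochSeconds) {
        String header = encode("{\"alg\":\"HS256\",\"typ\":\"JWT\"}");
        String payload = encode("{\"sub\":" + userId + ",\"exp\":" + expEpochSeconds + "}");
        String signingInput = header + "." + payload;
        return signingInput + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(sign(signingInput));
    }

    private byte[] sign(String input) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(secret, HMAC_ALG));
            return mac.doFinal(input.getBytes(StandardCharsets.US_ASCII));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String encode(String s) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    private static String decode(String s) {
        return new String(Base64.getUrlDecoder().decode(s), StandardCharsets.UTF_8);
    }

    // Minimal claim extraction for the demo; a real provider parses the JSON properly
    private static Long numericClaim(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*(\\d+)").matcher(json);
        return m.find() ? Long.valueOf(m.group(1)) : null;
    }

    public static void main(String[] args) {
        // Constructed demo secret; never hard-code a real key
        JwtTokenProvider provider = new JwtTokenProvider("demo-secret-change-me".getBytes(StandardCharsets.UTF_8));
        long now = System.currentTimeMillis() / 1000;
        String good = provider.createToken(42L, now + 3600);
        String expired = provider.createToken(42L, now - 1);
        // Payload swapped to another user while keeping the original signature
        String[] p = good.split("\\.");
        String forged = p[0] + "." + encode("{\"sub\":1,\"exp\":" + (now + 3600) + "}") + "." + p[2];
        System.out.println("valid:   " + provider.validateToken(good) + " -> user " + provider.getUserIdFromJWT(good));
        System.out.println("expired: " + provider.validateToken(expired));
        System.out.println("forged:  " + provider.validateToken(forged));
    }
}
```

Running main prints valid as true with user 42 and both expired and forged as false. The order of the checks matters: the filter in the answer only calls getUserIdFromJWT after validateToken has succeeded, so a claim from an unsigned or altered token never reaches customDetailsService.loadUserById.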