我一直在使用spring安全性,并且一直在尝试让JWTAuthorizationFilter可以处理我的请求,但是如果用户未按预期登录,过滤器的确会返回403禁止请求,但请求是仍然在不应该执行的时候执行。
例如,如果我有一种创建新项目的方法,则会创建该项目,并且服务器返回403,但预期的行为是403并且未创建任何项目。
我一直以https://github.com/devdojobr/springboot-essentials/blob/master/src/main/java/br/com/devdojo/config/JWTAuthenticationFilter.java作为参考,但我仍然没有运气。
我最好的猜测是这与过滤链有关,但我不太确定这可能是问题所在
我在下面附加了我的Filter类和SecurityConfig:
任何帮助或指针都很好。
JWTAuthorizationFilter.java
package uk.ac.qub.eeecs.csc3045.year1819.cs1.server.security;
import io.jsonwebtoken.Jwts;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.stereotype.Component;
import uk.ac.qub.eeecs.csc3045.year1819.cs1.server.service.SpringUserDetailService;
@Component
public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
@Value("${security.jwt.token.secret-key:secret-key}")
private String secretKey = "secret-key";
@Value("${security.jwt.token.expire-length:3600000}")
private long validityInMilliseconds = 3600000;
private final SpringUserDetailService springUserDetailService;
public JWTAuthorizationFilter(
AuthenticationManager authenticationManager, SpringUserDetailService springUserDetailService) {
super(authenticationManager);
this.springUserDetailService = springUserDetailService;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
FilterChain chain) throws IOException, ServletException {
super.doFilterInternal(request, response, chain);
String header = request.getHeader("Authorization");
if (header == null || !header.startsWith("Bearer ")) {
chain.doFilter(request, response);
return;
}
UsernamePasswordAuthenticationToken authenticationToken = getAuthenticationToken(request);
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
chain.doFilter(request,response);
}
private UsernamePasswordAuthenticationToken getAuthenticationToken(HttpServletRequest request) {
String token = request.getHeader("Authorization");
if (token != null) {
//parse token
String user = Jwts.parser()
.setSigningKey(secretKey)
.parseClaimsJws(token.replace("Bearer ", ""))
.getBody()
.getSubject();
UserDetails userDetails = springUserDetailService.loadUserByUsername(user);
if (user != null) {
return new UsernamePasswordAuthenticationToken(user, null, userDetails.getAuthorities());
}
return null;
}
return null;
}
}
SecurityConfig.java
package uk.ac.qub.eeecs.csc3045.year1819.cs1.server.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import uk.ac.qub.eeecs.csc3045.year1819.cs1.server.security.JWTAuthorizationFilter;
import uk.ac.qub.eeecs.csc3045.year1819.cs1.server.service.SpringUserDetailService;
/**
* Configuration settings for management of JWT.
*
* JWT Implementation adapted from @see <a href="https://jwt.io/</a>
*/
@Configuration
@EnableConfigurationProperties
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private SpringUserDetailService springUserDetailService;
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
/**
* Configure settings for JWT.
*
* @param http Spring security builder.
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable().authorizeRequests()
.antMatchers("/v2/users/login").permitAll()
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthorizationFilter(authenticationManager(), springUserDetailService));
}
}
答案 0 :(得分:0)
找不到任何UserDetails时,不应继续执行过滤器链。
尝试扔AuthenticationException并通过AuthenticationEntryPoint开始。
您可以检查Spring Security JWT : JwtAuthorizationFilter上的确切行为