我正在构建休息服务,身份验证是基于JWT的,并且可以工作,但是我无法获得授权限制。例如,对于具有角色ROLE_ADMIN的用户,hasRole(“ ADMIN”)失败。
我以this article为起点,但对其进行了调整,以便用户可以扮演角色。身份验证有效,我可以看到调试用户何时获得了权限,但是无论如何,对于需要角色的端点,我还是会出错,例如:
org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fdc35788: Principal: org.springframework.security.core.userdetails.User@682639e: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_ADMIN, ROLE_USER
2019-02-15 23:57:15.177 TRACE 6135 --- [nio-8080-exec-3] o.s.web.servlet.DispatcherServlet : "ERROR" dispatch for POST "/error", parameters={}, headers={content-type:[application/json], cache-control:[no-cache], postman-token:[779a05e3-e918-480d-8a9d-96c4a336fe0d], authorization:[Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJzYXNoYSIsImV4cCI6MTU1MTEzOTAxN30.eEEeW0I6KdHOFj7_S3G1RzRJ__q_IrmmpaYhZfz897dW4pAPHkMLIC9JTSgVziC7sXiYTgD1IfzXiOEZqsML-w], user-agent:[PostmanRuntime/7.6.0], accept:[*/*], host:[localhost:8080], accept-encoding:[gzip, deflate], content-length:[176], connection:[keep-alive]} in DispatcherServlet 'dispatcherServlet'
2019-02-15 23:57:15.186 TRACE 6135 --- [nio-8080-exec-3] s.w.s.m.m.a.RequestMappingHandlerMapping : 2 matching mappings: [{ /error}, { /error, produces [text/html]}]
2019-02-15 23:57:15.188 TRACE 6135 --- [nio-8080-exec-3] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to public org.springframework.http.ResponseEntity<java.util.Map<java.lang.String, java.lang.Object>> org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController.error(javax.servlet.http.HttpServletRequest)
2019-02-15 23:57:15.201 TRACE 6135 --- [nio-8080-exec-3] .w.s.m.m.a.ServletInvocableHandlerMethod : Arguments: [SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@fc17d0]]]
2019-02-15 23:57:15.211 DEBUG 6135 --- [nio-8080-exec-3] o.s.w.s.m.m.a.HttpEntityMethodProcessor : Using 'application/json', given [*/*] and supported [application/json, application/*+json, application/json, application/*+json]
2019-02-15 23:57:15.213 TRACE 6135 --- [nio-8080-exec-3] o.s.w.s.m.m.a.HttpEntityMethodProcessor : Writing [{timestamp=Fri Feb 15 23:57:15 GMT 2019, status=403, error=Forbidden, message=Forbidden, path=/api/u (truncated)...]
2019-02-15 23:57:15.224 TRACE 6135 --- [nio-8080-exec-3] o.s.web.servlet.DispatcherServlet : No view rendering, null ModelAndView returned.
2019-02-15 23:57:15.235 DEBUG 6135 --- [nio-8080-exec-3] o.s.web.servlet.DispatcherServlet : Exiting from "ERROR" dispatch, status 403, headers={X-Content-Type-Options:[nosniff], X-XSS-Protection:[1; mode=block], Cache-Control:[no-cache, no-store, max-age=0, must-revalidate], Pragma:[no-cache], Expires:[0], X-Frame-Options:[DENY], Content-Type:[application/json;charset=UTF-8], Transfer-Encoding:[chunked], Date:[Fri, 15 Feb 2019 23:57:15 GMT]}
和邮递员中
{
"timestamp": "2019-02-15T23:57:15.202+0000",
"status": 403,
"error": "Forbidden",
"message": "Forbidden",
"path": "/api/users/signup"
}
我使用的代码如下。
WebSecurityConfig.java:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private UserDetailsService userDetailsService;
private BCryptPasswordEncoder bCryptPasswordEncoder;
public WebSecurityConfig(UserDetailsService userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder){
this.userDetailsService = userDetailsService;
this.bCryptPasswordEncoder = bCryptPasswordEncoder;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().csrf().disable().cors().disable().authorizeRequests()
.antMatchers(HttpMethod.POST, LOGIN_URL).permitAll()
.antMatchers(SIGN_UP_URL).hasRole("ADMIN")
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager()))
.addFilter(new JWTAuthorizationFilter(authenticationManager()));
}
@Override
public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
}
}
AppUser.java:
@Entity
@Data
@Builder
@NoArgsConstructor
@AllArgsConstructor
public class AppUser implements UserDetails {
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
Long id;
@NotEmpty
private String username;
@NotEmpty
private String password;
@NotBlank
private String firstName;
@NotBlank
private String lastName;
@Email
private String email;
@ElementCollection(fetch = FetchType.EAGER)
@Builder.Default
private List<String> roles = new ArrayList<>();
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return this.roles.stream().map(SimpleGrantedAuthority::new).collect(toList());
}
@Override
public String getPassword() {
return this.password;
}
@Override
public String getUsername() {
return this.username;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
AppUserController.java:
@RestController
@RequestMapping("/api/users")
public class AppUserController {
private AppUserRepository appUserRepository;
private BCryptPasswordEncoder bCryptPasswordEncoder;
public AppUserController(AppUserRepository appUserRepository, BCryptPasswordEncoder bCryptPasswordEncoder){
this.appUserRepository = appUserRepository;
this.bCryptPasswordEncoder = bCryptPasswordEncoder;
}
@PostMapping(value="/signup")
public void signUp(@RequestBody AppUser user) {
user.setPassword(bCryptPasswordEncoder.encode(user.getPassword()));
appUserRepository.save(user);
}
}
CustomUserDetailsService.java:
@Service
public class CustomUserDetailsService implements UserDetailsService {
private AppUserRepository appUserRepository;
public CustomUserDetailsService(AppUserRepository appUserRepository){
this.appUserRepository = appUserRepository;
}
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
AppUser appUser = appUserRepository.findByUsername(username);
if (appUser == null){
throw new UsernameNotFoundException("Username: " + username + " not found");
}
return new User(appUser.getUsername(), appUser.getPassword(), appUser.getAuthorities());
}
}
JWTAuthenticationFilter.java:
public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
private AuthenticationManager authenticationManager;
public JWTAuthenticationFilter(AuthenticationManager authenticationManager){
this.authenticationManager = authenticationManager;
}
@Override
public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res) throws AuthenticationException {
try {
AppUser creds = new ObjectMapper().readValue(req.getInputStream(), AppUser.class);
return authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(
creds.getUsername(),
creds.getPassword(),
new ArrayList<>()
));
} catch (IOException e) {
throw new RuntimeException(e);
}
}
@Override
protected void successfulAuthentication(HttpServletRequest req,
HttpServletResponse res,
FilterChain chain, Authentication auth)
throws
IOException,
ServletException {
byte[] keyBytes = Decoders.BASE64.decode(BASE64ENCODEDSECRETKEY);
Key key = Keys.hmacShaKeyFor(keyBytes);
String token = Jwts.builder()
.setSubject( ((User) auth.getPrincipal()).getUsername() )
.setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
.signWith(key, SignatureAlgorithm.HS512)
.compact();
res.addHeader(HEADER_STRING, TOKEN_PREFIX + token);
}
}
JWTAuthorizationFilter.java:
public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
public JWTAuthorizationFilter(AuthenticationManager authManager){
super(authManager);
}
@Override
protected void doFilterInternal(
HttpServletRequest httpServletRequest,
HttpServletResponse httpServletResponse,
FilterChain filterChain
)
throws IOException, ServletException
{
String header = httpServletRequest.getHeader(HEADER_STRING);
if (header == null || !header.startsWith(TOKEN_PREFIX)) {
filterChain.doFilter(httpServletRequest, httpServletResponse);
return;
}
UsernamePasswordAuthenticationToken authentication = getAuthentication(httpServletRequest);
SecurityContextHolder.getContext().setAuthentication(authentication);
filterChain.doFilter(httpServletRequest, httpServletResponse);
}
private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest httpServletRequest){
String token = httpServletRequest.getHeader(HEADER_STRING);
if (token != null){
String user = Jwts.parser()
.setSigningKey(BASE64ENCODEDSECRETKEY)
.parseClaimsJws(token.replace(TOKEN_PREFIX, ""))
.getBody()
.getSubject();
if (user != null){
return new UsernamePasswordAuthenticationToken(user, null, new ArrayList<>());
}
return null;
}
return null;
}
}
允许基于授权访问端点的正确方法是什么,以及如何更正我的代码?
我也希望能获得有关Spring Security学习的良好资源(书,课程,链接)的提示。
谢谢, 萨沙
答案 0 :(得分:0)
我通过在JWT中放置角色解决了这个问题。