对于具有必需角色hasRole的用户,失败并显示403错误消息

时间:2019-02-16 00:36:03

标签: java spring-boot spring-security jwt spring-rest

我正在构建休息服务,身份验证是基于JWT的,并且可以工作,但是我无法获得授权限制。例如,对于具有角色ROLE_ADMIN的用户,hasRole(“ ADMIN”)失败。

我以this article为起点,但对其进行了调整,以便用户可以扮演角色。身份验证有效,我可以看到调试用户何时获得了权限,但是无论如何,对于需要角色的端点,我还是会出错,例如:

org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fdc35788: Principal: org.springframework.security.core.userdetails.User@682639e: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_ADMIN, ROLE_USER
2019-02-15 23:57:15.177 TRACE 6135 --- [nio-8080-exec-3] o.s.web.servlet.DispatcherServlet        : "ERROR" dispatch for POST "/error", parameters={}, headers={content-type:[application/json], cache-control:[no-cache], postman-token:[779a05e3-e918-480d-8a9d-96c4a336fe0d], authorization:[Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJzYXNoYSIsImV4cCI6MTU1MTEzOTAxN30.eEEeW0I6KdHOFj7_S3G1RzRJ__q_IrmmpaYhZfz897dW4pAPHkMLIC9JTSgVziC7sXiYTgD1IfzXiOEZqsML-w], user-agent:[PostmanRuntime/7.6.0], accept:[*/*], host:[localhost:8080], accept-encoding:[gzip, deflate], content-length:[176], connection:[keep-alive]} in DispatcherServlet 'dispatcherServlet'
2019-02-15 23:57:15.186 TRACE 6135 --- [nio-8080-exec-3] s.w.s.m.m.a.RequestMappingHandlerMapping : 2 matching mappings: [{ /error}, { /error, produces [text/html]}]
2019-02-15 23:57:15.188 TRACE 6135 --- [nio-8080-exec-3] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to public org.springframework.http.ResponseEntity<java.util.Map<java.lang.String, java.lang.Object>> org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController.error(javax.servlet.http.HttpServletRequest)
2019-02-15 23:57:15.201 TRACE 6135 --- [nio-8080-exec-3] .w.s.m.m.a.ServletInvocableHandlerMethod : Arguments: [SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@fc17d0]]]
2019-02-15 23:57:15.211 DEBUG 6135 --- [nio-8080-exec-3] o.s.w.s.m.m.a.HttpEntityMethodProcessor  : Using 'application/json', given [*/*] and supported [application/json, application/*+json, application/json, application/*+json]
2019-02-15 23:57:15.213 TRACE 6135 --- [nio-8080-exec-3] o.s.w.s.m.m.a.HttpEntityMethodProcessor  : Writing [{timestamp=Fri Feb 15 23:57:15 GMT 2019, status=403, error=Forbidden, message=Forbidden, path=/api/u (truncated)...]
2019-02-15 23:57:15.224 TRACE 6135 --- [nio-8080-exec-3] o.s.web.servlet.DispatcherServlet        : No view rendering, null ModelAndView returned.
2019-02-15 23:57:15.235 DEBUG 6135 --- [nio-8080-exec-3] o.s.web.servlet.DispatcherServlet        : Exiting from "ERROR" dispatch, status 403, headers={X-Content-Type-Options:[nosniff], X-XSS-Protection:[1; mode=block], Cache-Control:[no-cache, no-store, max-age=0, must-revalidate], Pragma:[no-cache], Expires:[0], X-Frame-Options:[DENY], Content-Type:[application/json;charset=UTF-8], Transfer-Encoding:[chunked], Date:[Fri, 15 Feb 2019 23:57:15 GMT]}

和邮递员中

{
    "timestamp": "2019-02-15T23:57:15.202+0000",
    "status": 403,
    "error": "Forbidden",
    "message": "Forbidden",
    "path": "/api/users/signup"
}

我使用的代码如下。

WebSecurityConfig.java:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    private UserDetailsService userDetailsService;
    private BCryptPasswordEncoder bCryptPasswordEncoder;

    public WebSecurityConfig(UserDetailsService userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder){
        this.userDetailsService = userDetailsService;
        this.bCryptPasswordEncoder = bCryptPasswordEncoder;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and().csrf().disable().cors().disable().authorizeRequests()
        .antMatchers(HttpMethod.POST, LOGIN_URL).permitAll()
        .antMatchers(SIGN_UP_URL).hasRole("ADMIN")
        .anyRequest().authenticated()
        .and()
        .addFilter(new JWTAuthenticationFilter(authenticationManager()))
        .addFilter(new JWTAuthorizationFilter(authenticationManager()));
    }

    @Override
    public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
    }

}

AppUser.java:

@Entity
@Data
@Builder
@NoArgsConstructor
@AllArgsConstructor
public class AppUser implements UserDetails {
    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    Long id;

    @NotEmpty
    private String username;

    @NotEmpty
    private String password;

    @NotBlank
    private String firstName;

    @NotBlank
    private String lastName;

    @Email
    private String email;

    @ElementCollection(fetch = FetchType.EAGER)
    @Builder.Default
    private List<String> roles = new ArrayList<>();

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return this.roles.stream().map(SimpleGrantedAuthority::new).collect(toList());
    }

    @Override
    public String getPassword() {
        return this.password;
    }

    @Override
    public String getUsername() {
        return this.username;
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }
}

AppUserController.java:

@RestController
@RequestMapping("/api/users")
public class AppUserController {

        private AppUserRepository appUserRepository;
        private BCryptPasswordEncoder bCryptPasswordEncoder;

        public AppUserController(AppUserRepository appUserRepository, BCryptPasswordEncoder bCryptPasswordEncoder){
            this.appUserRepository = appUserRepository;
            this.bCryptPasswordEncoder = bCryptPasswordEncoder;
        }

        @PostMapping(value="/signup")
        public void signUp(@RequestBody AppUser user) {
            user.setPassword(bCryptPasswordEncoder.encode(user.getPassword()));
            appUserRepository.save(user);
        }


}

CustomUserDetailsS​​ervice.java:

@Service
public class CustomUserDetailsService implements UserDetailsService {
    private AppUserRepository appUserRepository;

    public CustomUserDetailsService(AppUserRepository appUserRepository){
        this.appUserRepository = appUserRepository;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        AppUser appUser = appUserRepository.findByUsername(username);
        if (appUser == null){
            throw new UsernameNotFoundException("Username: " + username + " not found");
        }
        return new User(appUser.getUsername(), appUser.getPassword(), appUser.getAuthorities());
    }

}

JWTAuthenticationFilter.java:

public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    private AuthenticationManager authenticationManager;

    public JWTAuthenticationFilter(AuthenticationManager authenticationManager){
        this.authenticationManager = authenticationManager;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res) throws AuthenticationException {
        try {
            AppUser creds = new ObjectMapper().readValue(req.getInputStream(), AppUser.class);
            return authenticationManager.authenticate( 
                new UsernamePasswordAuthenticationToken(
                    creds.getUsername(),
                    creds.getPassword(),
                    new ArrayList<>()
                    ));
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest req, 
                                            HttpServletResponse res, 
                                            FilterChain chain, Authentication auth) 
                                            throws 
                                                IOException, 
                                                ServletException {
        byte[] keyBytes = Decoders.BASE64.decode(BASE64ENCODEDSECRETKEY);
        Key key = Keys.hmacShaKeyFor(keyBytes);
        String token = Jwts.builder()
                           .setSubject( ((User) auth.getPrincipal()).getUsername() )
                           .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
                           .signWith(key, SignatureAlgorithm.HS512)
                           .compact();
        res.addHeader(HEADER_STRING, TOKEN_PREFIX + token);
    }

}

JWTAuthorizationFilter.java:

public class JWTAuthorizationFilter extends BasicAuthenticationFilter {

    public JWTAuthorizationFilter(AuthenticationManager authManager){
        super(authManager);
    }

    @Override
    protected void doFilterInternal(
                                    HttpServletRequest httpServletRequest, 
                                    HttpServletResponse httpServletResponse, 
                                    FilterChain filterChain
                                    ) 
                                    throws IOException, ServletException 
    {
        String header = httpServletRequest.getHeader(HEADER_STRING);
        if (header == null || !header.startsWith(TOKEN_PREFIX)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        UsernamePasswordAuthenticationToken authentication = getAuthentication(httpServletRequest);

        SecurityContextHolder.getContext().setAuthentication(authentication);
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest httpServletRequest){
        String token = httpServletRequest.getHeader(HEADER_STRING);
        if (token != null){
            String user = Jwts.parser()
                              .setSigningKey(BASE64ENCODEDSECRETKEY)
                              .parseClaimsJws(token.replace(TOKEN_PREFIX, ""))
                              .getBody()
                              .getSubject();
            if (user != null){
                return new UsernamePasswordAuthenticationToken(user, null, new ArrayList<>());
            }
            return null;
        }
        return null;
    }
}

允许基于授权访问端点的正确方法是什么,以及如何更正我的代码?

我也希望能获得有关Spring Security学习的良好资源(书,课程,链接)的提示。

谢谢, 萨沙

1 个答案:

答案 0 :(得分:0)

我通过在JWT中放置角色解决了这个问题。