为什么AuthenticationFilter完成后,RestController不接听请求

时间:2019-04-10 23:33:26

标签: java spring spring-security

我的Spring Security可以正常工作。一切都正常。我不明白的是为什么RestController永远不会在过滤器授权请求之后触发。

换句话说,我设置了一个rest控制器来接受来自/ foo / bar的POST请求,并且我设置了AuthenticationFilter来首先验证用户的凭据,然后再执行用户的请求。

鉴于我的RestController永不触发,我不得不在成功处理程序中实现我的代码,但我的代码却属于Controller。

我试图通过逐步检查Spring Security代码来调试它,但是似乎没有任何迹象表明它会跳过我的RestController。

@RestController
@RequestMapping("foo")
public class FooController {

  @PostMapping("bar") // this never executes
  public ResponseEntity<FooResponse> foobar(@RequestBody Credentials creds) {
    return new ResponseEntity<>(new FooResponse("baz"), HttpStatus.OK);
  }
}

@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

  @Bean
  public BCryptPasswordEncoder passwordEncoder(){
    return new BCryptPasswordEncoder();
  }

  @Bean
  @Override
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }

  @Bean
  public AuthenticationFilter authenticationTokenFilter() throws Exception {

    AuthenticationFilter filter = new AuthenticationFilter();
    filter.setAuthenticationManager(authenticationManager());
    filter.setAuthenticationSuccessHandler(new AuthenticationSuccessHandlerImpl());
    return filter;
  }

  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
      auth.userDetailsService(accountService)
          .passwordEncoder(passwordEncoder());
  }    

  @Override
  protected void configure(HttpSecurity http) throws Exception {

    http
      .cors()
      .and()
      .csrf().disable()
      .authorizeRequests()
      .antMatchers(HttpMethod.POST, "/foo/bar").permitAll()
      .and()
      .addFilter(new AuthorizationFilter(properties, authenticationManager(), tokenService)
      .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);              
    }

}

public class AuthenticationFilter extends AbstractAuthenticationProcessingFilter {  

  public AuthenticationFilter() {
    super("/foo/bar"); 
  }

  @Override
  public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {
    Credentials creds = new ObjectMapper().readValue(request.getInputStream(), Credentials.class);
    return getAuthenticationManager().authenticate(
                    new UsernamePasswordAuthenticationToken(
                          creds.getUsername(),
                          creds.getPassword(),
                          new ArrayList<>())
                    );      
  }
}

public class AuthenticationSuccessHandlerImpl implements AuthenticationSuccessHandler {
  @Override
  public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
    Authentication authentication) throws IOException, ServletException {
    // do nothing and prevent redirect to /login, /logout, etc
  }
}

1 个答案:

答案 0 :(得分:0)

您正在使用http.cors()。您在其他地方配置了它吗?如果不是,则可能认为您未通过身份验证。检查此链接:https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/cors.html

如果您不打算使用它,建议您将其删除

这里还提供了一个简单的安全配置示例:https://www.baeldung.com/spring-security-login

从我的角度来看,删除cors()应该可以解决您的问题(或以正确的方式配置它:)

相关问题
最新问题