I have prepared a Spring Security configuration for my API calls. It should validate the JWT token provided in the request.
    http.csrf().disable().authorizeRequests()
        .antMatchers("/v2/api/**/*").authenticated().and()
        .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class)
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
And my controller method:
    @PreAuthorize("hasAuthority('ROLE_USER')")
    @PutMapping(value = "/v2/api/dashboard/projects")
    public List<Projects> getProjects(Principal principal) {
        return dashboardService.getProjects();
    }
When executing the request I get:
Resolved [org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'PUT' not supported]
When I change it to GetMapping, the request is handled correctly.
After enabling logging with logging.level.org.springframework.web=DEBUG, I can see that "not supported" is returned not from PUT /v2/api/dashboard/projects but from '/forbidden', which for obvious reasons does not support this method.
Further investigation by debugging jwtRequestFilter showed that the filter is not even executed for the PUT, PATCH or DELETE methods.
Its code:
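    import java.io.IOException;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import io.jsonwebtoken.ExpiredJwtException;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
    import org.springframework.stereotype.Component;
    import org.springframework.web.filter.OncePerRequestFilter;
    import org.springframework.web.util.WebUtils;

    // JwtUserDetailsService and JwtUtils are the application's own classes (same package assumed).
    @Component
    public class JwtRequestFilter extends OncePerRequestFilter {
        private static final Logger log = LoggerFactory.getLogger(JwtRequestFilter.class);

        @Autowired
        private JwtUserDetailsService jwtUserDetailsService;
        @Autowired
        private JwtUtils jwtTokenUtil;

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
                throws ServletException, IOException {
            // The JWT is read from the "token" cookie; a missing cookie is handled with a null check.
            Cookie tokenCookie = WebUtils.getCookie(request, "token");
            String requestTokenHeader = (tokenCookie != null) ? tokenCookie.getValue() : null;

            String username = null;
            String jwtToken = null;
            // Cheap shape check before parsing: a JWT always contains '.' separators.
            if (requestTokenHeader != null && requestTokenHeader.contains(".")) {
                jwtToken = requestTokenHeader;
                try {
                    username = jwtTokenUtil.getUsernameFromToken(jwtToken);
                } catch (IllegalArgumentException e) {
                    log.error("Unable to get JWT Token");
                } catch (ExpiredJwtException e) {
                    log.error("JWT Token has expired");
                }
            } else {
                log.warn("JWT Token does not look like token");
            }

            // Authenticate only when a username was extracted and no authentication is set yet.
            if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
                UserDetails userDetails = this.jwtUserDetailsService.loadUserByUsername(username);
                if (jwtTokenUtil.validateToken(jwtToken, userDetails)) {
                    UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken =
                            new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
                    usernamePasswordAuthenticationToken
                            .setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                    SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
                }
            }
            // Always continue the chain; unauthenticated requests are rejected by the authorization rules.
            chain.doFilter(request, response);
        }
    }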
Can anyone give me a hint on how to make it work, so that PUT and PATCH methods are filtered with the given class?