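Spring Security configuration - addFilterBefore does not work for PUT, PATCH and DELETE

Time: 2019-10-02 08:47:44

Tags: java spring-boot spring-security

I have prepared a Spring Security configuration for API calls. It should validate the JWT token provided in the request.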

    http.csrf().disable().authorizeRequests()
            .antMatchers("/v2/api/**/*").authenticated().and()
            .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class)
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

And my controller method:

    @PreAuthorize("hasAuthority('ROLE_USER')")
    @PutMapping(value = "/v2/api/dashboard/projects")
    public List<Projects> getProjects(Principal principal) {
        return dashboardService.getProjects();
    }

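By executing the request I get:

Resolved [org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'PUT' not supported]

When I change it to GetMapping, the request is handled correctly.

After setting the logs with logging.level.org.springframework.web=DEBUG, I could see that "not supported" is returned not from PUT /v2/api/dashboard/projects but from '/forbidden', which for obvious reasons does not support this method.

Further investigation by debugging jwtRequestFilter showed that the filter is not even executed on the PUT, PATCH and DELETE methods.

Its code: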

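    import java.io.IOException;

    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import io.jsonwebtoken.ExpiredJwtException;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
    import org.springframework.stereotype.Component;
    import org.springframework.web.filter.OncePerRequestFilter;
    import org.springframework.web.util.WebUtils;
    // JwtUserDetailsService and JwtUtils are the application's own classes.

    @Component
    public class JwtRequestFilter extends OncePerRequestFilter {
        private static final Logger log = LoggerFactory.getLogger(JwtRequestFilter.class);

        @Autowired
        private JwtUserDetailsService jwtUserDetailsService;
        @Autowired
        private JwtUtils jwtTokenUtil;

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
                throws ServletException, IOException {
            // The JWT is carried in the "token" cookie; getCookie returns null when it is absent.
            Cookie tokenCookie = WebUtils.getCookie(request, "token");
            String requestTokenHeader = tokenCookie != null ? tokenCookie.getValue() : null;
            String username = null;
            String jwtToken = null;
            if (requestTokenHeader != null && requestTokenHeader.contains(".")) {
                jwtToken = requestTokenHeader;
                try {
                    username = jwtTokenUtil.getUsernameFromToken(jwtToken);
                } catch (IllegalArgumentException e) {
                    log.error("Unable to get JWT Token");
                } catch (ExpiredJwtException e) {
                    log.error("JWT Token has expired");
                }
            } else {
                log.warn("JWT Token does not look like token");
            }
            // Authenticate only when a username was extracted and no authentication is set yet.
            if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
                UserDetails userDetails = this.jwtUserDetailsService.loadUserByUsername(username);
                if (jwtTokenUtil.validateToken(jwtToken, userDetails)) {
                    UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(
                            userDetails, null, userDetails.getAuthorities());
                    usernamePasswordAuthenticationToken
                            .setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                    SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
                }
            }
            // Always continue the chain; unauthenticated requests are rejected by the authorization rules.
            chain.doFilter(request, response);
        }
    }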

Can anyone give me a hint on how to make it work, so that PUT and PATCH methods are filtered with the given class?

0 answers:

No answers