Spring + SpringSecurity-未调用AuthenticationEntryPoint

时间:2019-12-11 12:33:14

标签: spring-boot spring-security

我正在使用SpringBoot 2.0.2。我正在尝试使用Spring Security实现JWT验证。为了处理无效令牌,我抛出了运行时异常。我添加了用于异常处理的自定义authenticationEntryPoint。对于有效令牌,它运行良好。

当我将其作为SpringBoot运行时,它正在工作(并且得到401响应)。但是当我部署它    作为Tomcat中的WAR(我知道这是错误的),它没有被调用。

如果发生WAR,它将尝试将请求转发到/ error页面并查找其处理程序方法(请参见底部的日志)。

最后,我得到以下答复:

{
    "timestamp": 1576064959206,
    "status": 500,
    "error": "Internal Server Error",
    "message": "Expired or invalid JWT token",
    "path": "/paymentapi-2.0.2.RELEASE/config/credit"
}

要获得401,我应该怎么做?

我有以下配置:

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

@Autowired
private JwtTokenProvider jwtTokenProvider;

@Autowired
private CustomAuthenticationEntryPoint customAuthenticationEntryPoint;

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
            .csrf().disable()
            .httpBasic().disable()
            .cors().disable()
            .headers().frameOptions().disable()
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers("/ping").permitAll()
            .antMatchers("/mock/**").permitAll()
            .antMatchers("/customers/**").permitAll()
            .antMatchers("/buyers/**").permitAll()
            .antMatchers("/user/**").hasIpAddress("127.0.0.1")
            .antMatchers("/helper/**").permitAll()
            .antMatchers("/v2/orders/**").permitAll()
            .antMatchers("/transactions/**").permitAll()
            .antMatchers("/paymentCollection/**").permitAll()
            .antMatchers("/paymentRequest").permitAll()
            .antMatchers("/v2/api-docs", "/configuration/ui", "/swagger-resources", "/configuration/security",
                    "/swagger-ui.html", "/webjars/**", "/swagger-resources/configuration/ui", "/swagger-ui.html",
                    "/swagger-resources/configuration/security").permitAll()
            .anyRequest().authenticated()
            .and()
            .apply(new JwtConfigurer(jwtTokenProvider))
            .and().exceptionHandling().authenticationEntryPoint(paymentEngineAuthenticationEntryPoint);

}
}

以下是我的自定义身份验证入口点:

@Component
public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {

    @Autowired
    private ObjectMapper objectMapper;

    @Override
    public void commence(final HttpServletRequest request, final HttpServletResponse response,
            final AuthenticationException authException) throws IOException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        //response.addHeader("WWW-Authenticate", "Bearer");

        response.setContentType("application/json;charset=UTF-8");
        ResponseData responseData = new ResponseData();
        responseData.setMessage(authException.getMessage());
        responseData.setStatusCode(401);
        responseData.setSuccess(false);
        response.getWriter().write(objectMapper.writeValueAsString(responseData));
        response.flushBuffer();
    }

}

 2019-12-11 16:20:16,178 [DEBUG] [http-nio-8082-exec-7] [o.s.security.web.FilterChainProxy ] /config/credit at position 5 of 11 in additional filter chain; firing Filter: 'JwtTokenAuthenticationFilter' 
        2019-12-11 16:20:16,179 [DEBUG] [http-nio-8082-exec-7] [o.s.s.w.header.writers.HstsHeaderWriter ] Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@229d8736 
        2019-12-11 16:20:16,179 [DEBUG] [http-nio-8082-exec-7] [s.s.w.c.SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed 
2019-12-11 16:20:16,179 [DEBUG] [http-nio-8082-exec-7] [o.s.b.w.s.f.OrderedRequestContextFilter ] Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@14816abd 
        2019-12-11 16:20:16,180 [ERROR] [http-nio-8082-exec-7] [o.s.b.w.servlet.support.ErrorPageFilter ] Forwarding to error page from request [/config/credit] due to exception [Expired or invalid JWT token] com.ril.vms.deadpool.exceptions.InvalidJwtAuthenticationException: Expired or invalid JWT token at com.ril.vms.deadpool.securitycore.JwtTokenProvider.validateToken(JwtTokenProvider.java:74) at com.ril.vms.deadpool.securitycore.JwtTokenAuthenticationFilter.doFilterInternal(JwtTokenAuthenticationFilter.java:31) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        ...
        2019-12-11 17:19:15,628 [DEBUG] [http-nio-8082-exec-7] [o.s.web.servlet.DispatcherServlet       ] DispatcherServlet with name 'dispatcherServlet' processing GET request for [/paymentapi-2.0.2.RELEASE/error]
        2019-12-11 17:19:17,556 [DEBUG] [http-nio-8082-exec-7] [s.b.a.e.w.s.WebMvcEndpointHandlerMapping] Looking up handler method for path /error
        2019-12-11 17:19:17,557 [DEBUG] [http-nio-8082-exec-7] [s.b.a.e.w.s.WebMvcEndpointHandlerMapping] Did not find handler method for [/error]
        2019-12-11 17:19:17,557 [DEBUG] [http-nio-8082-exec-7] [a.e.w.s.ControllerEndpointHandlerMapping] Looking up handler method for path /error
        2019-12-11 17:19:17,557 [DEBUG] [http-nio-8082-exec-7] [a.e.w.s.ControllerEndpointHandlerMapping] Did not find handler method for [/error]
        2019-12-11 17:19:17,557 [DEBUG] [http-nio-8082-exec-7] [s.w.s.m.m.a.RequestMappingHandlerMapping] Looking up handler method for path /error
        2019-12-11 17:19:17,558 [DEBUG] [http-nio-8082-exec-7] [s.w.s.m.m.a.RequestMappingHandlerMapping] Returning handler method [public org.springframework.http.ResponseEntity<java.util.Map<java.lang.String, java.lang.Object>> org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController.error(javax.servlet.http.HttpServletRequest)]
        2019-12-11 17:19:17,558 [DEBUG] [http-nio-8082-exec-7] [o.s.b.f.s.DefaultListableBeanFactory    ] Returning cached instance of singleton bean 'basicErrorController'

1 个答案:

答案 0 :(得分:0)

这是我解决此问题的方法:

  1. 在SpringBootServletInitializer中,我禁用了ErrorPageFilter

    @SpringBootApplication(exclude = {SecurityAutoConfiguration.class})
    public class MyApplication extends SpringBootServletInitializer {
    
    public static void main(String[] args) {
        SpringApplication.run(MyApplication.class, args);
    }
    
    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(MyApplication.class);
    }
    
    public PaymentapiApplication() {
        super();
        setRegisterErrorPageFilter(false);
    }} 
    
  2. 我写了一个自定义过滤器来捕获特定的RunTimeException

    @Component
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public class ExceptionHandlerFilter extends OncePerRequestFilter {
    
    @Autowired
    private ObjectMapper objectMapper;
    
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse 
    response, FilterChain filterChain)
            throws ServletException, IOException {
    
        try {
            filterChain.doFilter(request, response);
        } catch (RuntimeException e) {
            // custom error response class used across my project
            if(e instanceof InvalidJwtAuthenticationException) {
                ResponseData responseData = new ResponseData(false, e.getMessage(), 401, 
    null);
                response.setStatus(HttpStatus.UNAUTHORIZED.value());
                response.getWriter().write(objectMapper.writeValueAsString(responseData));
            }
        }
    
    }}
    

这样,我得到401响应。