Question

我正在使用 Spring Boot Framework 实现 REST API 。我有一项公共服务/auth/login

@PostMapping("/auth/login")
fun login(@RequestBody loginRequest: LoginRequest): String {
    val token = tokenProvider.generateToken(loginRequest.username, loginRequest.password)
    if (token === null) {
        throw NotLoggedInError()
    }   
    return token
}

它可用于检索安全区域/api/schemas的令牌：

@GetMapping
fun getSchemas() : ArrayList<Schema> = _schemas

我已经从自定义configure(http: HttpSecurity?)对象的WebSecurityConfigurerAdapter方法中配置了我的安全策略：

override fun configure(http: HttpSecurity?) {
    http!!
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .exceptionHandling()
                .defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), PROTECTED_URLS)
                .and()
            .authenticationProvider(tokenAuth)
                .addFilterBefore(restAuthenticationFilter(), AnonymousAuthenticationFilter::class.java)
                .authorizeRequests()
                .requestMatchers(PROTECTED_URLS).authenticated()
                .and()
            .csrf().disable()
            .formLogin().disable()
            .httpBasic().disable()
            .logout().disable()
}

即使在访问公共区域的情况下，似乎总是调用过滤器的attemptAuthentication方法。

@FieldDefaults(level = AccessLevel.PRIVATE, makeFinal = true)
class TokenAuthenticationFilter(requiresAuth: RequestMatcher) : AbstractAuthenticationProcessingFilter(requiresAuth) {

    @Autowired
    lateinit var tokenAuthenticationProvider: TokenAuthenticationProvider

    private val BEARER = "Bearer"

    override fun attemptAuthentication(request: HttpServletRequest?, response: HttpServletResponse?): Authentication {
        val param: String? = request!!.getHeader("Authorization")
        val token = removeStart(param!!, BEARER).trim()
        val user = tokenAuthenticationProvider.getUserFromToken(token)
        val auth = UsernamePasswordAuthenticationToken(user!!.username, user.password)
        return authenticationManager.authenticate(auth)
    }

    override fun successfulAuthentication(request: HttpServletRequest?, response: HttpServletResponse?, chain: FilterChain?, authResult: Authentication?) {
        super.successfulAuthentication(request, response, chain, authResult)
        chain!!.doFilter(request, response)
    }

    override fun unsuccessfulAuthentication(request: HttpServletRequest?, response: HttpServletResponse?, failed: AuthenticationException?) {
        throw NotLoggedInError()
    }
}

有什么主意吗？预先感谢您的帮助。

致谢。

Answer 1

从技术上讲，Spring Security总是对用户进行身份验证。在不需要身份验证（例如公共端点）的情况下，该用户仍然被认证为匿名。

在您的WebSecurityConfigurerAdapter#configure(HttpSecurity)中，您将restAuthenticationFilter()放在之前 AnonymousAuthenticationFilter::class.java。这意味着Spring Security要以匿名身份认证用户，首先需要调用过滤器，然后才能调用AnonymousAuthenticationFilter。

为什么总是调用Spring过滤器？

1 个答案: