由于某种原因,即使禁用了csrf,/auth/api/login
REST-API仍会抛出403禁止错误(访问被拒绝)。
@Override
public void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.cors().and()
.csrf().disable()
.authorizeRequests()
.antMatchers("/api/auth/**")
.permitAll()
.anyRequest()
.authenticated();
httpSecurity.addFilterBefore(jwtAuthenticationFilter,
UsernamePasswordAuthenticationFilter.class);
}
这是在SecurityConfig
类上,扩展了WebSecurityConfigurerAdapter
。
下面是AuthController
。
@RestController
@RequestMapping("/api/auth")
@AllArgsConstructor
public class AuthController {
private final AuthService authService;
private final RefreshTokenService refreshTokenService;
@PostMapping("/signup")
public ResponseEntity<String> signup (@RequestBody RegisterRequest registerRequest) {
authService.signup(registerRequest);
return new ResponseEntity<>("User Registration Successful", HttpStatus.OK);
}
@PostMapping("/login")
public AuthenticationResponse login(@RequestBody LoginRequest loginRequest) {
return authService.login(loginRequest);
}
@GetMapping("accountVerification/{token}")
public ResponseEntity<String> verifyAccount(@PathVariable String token) {
authService.verifyAccount(token);
return new ResponseEntity<>("Account Activated Successfully", OK);
}
当我尝试请求http://localhost:8080/api/auth/signup
时,它工作正常,但http://localhost:8080/api/auth/login
仍然返回403禁止的错误。
要清楚,下面是JwtAuthenticationFilter
类。
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
String jwt = getJwtFromRequest(request);
if (StringUtils.hasText(jwt) && jwtProvider.validateToken(jwt)){
String username = jwtProvider.getUsernameFromJwt(jwt);
UserDetails userDetails = userDetailsService.loadUserByUsername(username);
UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails,
null, userDetails.getAuthorities());
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(authentication);
}
filterChain.doFilter(request, response);
}
private String getJwtFromRequest(HttpServletRequest request){
String bearerToken = request.getHeader("Authorization");
if(StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")){
return bearerToken.substring(7);
}
return bearerToken;
}
有人可以指出错误,还是我需要做更多的配置?
答案 0 :(得分:0)
修复:从HttpSecurity配置中删除cors()。
在学习本教程时,我遇到了同样的问题。坦率地说,即使我是新来的春季靴子。正在尝试不同的方法来解决此问题,而这对我来说是很重要的。我不确定为什么这可以解决问题。需要深入研究这一点。但我希望这可以帮助您在本教程中继续前进。
答案 1 :(得分:0)
我遇到了同样的问题,但就我而言,我在 LoginRequest 类中拼错了我的属性
public class LoginRequest{
private String username;
private String passsword; // i put 3's'
}
这是我从邮递员那里收到的请求正文
{
"username":"name"
"password":"123" // i put 2 's'
}
我对此也很陌生..但了解回复实际上会对您有很大帮助, 我希望它可以帮助面临同样问题的其他人..