春季:通过Angular应用程序,授权标头始终为空

时间:2020-10-14 15:18:37

标签: angular spring jwt-auth

我正在使用 Spring Angular 构建应用程序,现在,我正在尝试使用 Spring security and(JWT)来实现安全阶段。
问题是,当我从 Angular 发送 Authorization标头时,Spring没有收到它!
甚至,我确定它已经在请求中(来自chrome dev工具)。
另外,当我从 ARC(Chrome中的高级REST客户端)发送具有相同标头的相同请求时,spring会收到该请求并返回数据!
然后在Angular端,我当然使用HttpInterceptor将令牌添加到请求中,如下所示:

export class HttpInterceptorService implements HttpInterceptor{
  private _api = `${environment.api}/api`;
  constructor(
    private _authService: AuthenticationService
  ) { }

  intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>>{

    if(req.url.startsWith(this._api)){
      req = req.clone({
        setHeaders: {
          Authorization: `Bearer ${this._authService.getToken()}`
        }
      });
    }
    
    return next.handle(req);
  }
}

enter image description here

这就是我在春天里面做的事

@Component
public class JwtRequestFilter extends OncePerRequestFilter {

    @Autowired
    private JwtUserDetailsService jwtUserDetailsService;

    @Autowired
    private JwtTokenUtil jwtTokenUtil;

    private List<String> excludedURLsPattern = Arrays.asList(new String[]{"/authenticate"});

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {

        return excludedURLsPattern
                .stream()
                .anyMatch(urlPattern -> request.getRequestURL().toString().contains(urlPattern));

    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {

        System.out.println("=== request URL: "+request.getRequestURL());
        final String requestTokenHeader = request.getHeader("Authorization");
        System.out.println("=== requestTokenHeader: "+requestTokenHeader);// in this line I always get null (when using Angular not ARC) !!

        String username = null;
        String jwtToken = null;
        // JWT Token is in the form "Bearer token". Remove Bearer word and get
        // only the Token
        if (requestTokenHeader != null && requestTokenHeader.startsWith("Bearer ")) {
            jwtToken = requestTokenHeader.substring(7);
            try {
                username = jwtTokenUtil.getUsernameFromToken(jwtToken);
            } catch (IllegalArgumentException e) {
                System.out.println("Unable to get JWT Token");
            } catch (ExpiredJwtException e) {
                System.out.println("JWT Token has expired");
            }
        } else {
            logger.warn("JWT Token does not begin with Bearer String");
        }

        // Once we get the token validate it.
        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {

            UserDetails userDetails = this.jwtUserDetailsService.loadUserByUsername(username);

            // if token is valid configure Spring Security to manually set
            // authentication
            if (jwtTokenUtil.validateToken(jwtToken, userDetails)) {

                UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(
                        userDetails, null, userDetails.getAuthorities());
                usernamePasswordAuthenticationToken
                        .setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                // After setting the Authentication in the context, we specify
                // that the current user is authenticated. So it passes the
                // Spring Security Configurations successfully.
                SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
            }
        }
        chain.doFilter(request, response);
    }

}

这是我收到的消息:

2020-10-14 15:11:17.664  WARN 9856 --- [nio-5000-exec-1] c.s.c.security.config.JwtRequestFilter   : JWT Token does not begin with Bearer String

1 个答案:

答案 0 :(得分:0)

好吧,如果有人需要的话,我会把解决方案留在这里。
this blog中所述,并且由于我正在使用 Sring Security ,因此必须在Spring安全级别启用 CORS 

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and()...// this one right here
    }
}
相关问题
最新问题