JWT Spring Security認證過濾器根據這篇文章losts我使用Spring Security的基礎上做出REST安全與JWT報頭信息

Question

- https://www.toptal.com/java/rest-security-with-jwt-spring-security-and-java

特別是，我有過濾器，從「授權」頭使用身份驗證令牌用戶要求：

public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFilter { 

public JwtAuthenticationFilter() { 
    super("/**"); 
} 

@Override 
protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) { 
    return true; 
} 

@Override 
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { 

    String header = request.getHeader("Authorization"); 

    if (header == null || !header.startsWith("Bearer ")) { 
     throw new JwtTokenMissingException("No JWT token found in request headers"); 
    } 

    String authToken = header.substring(7); 

    JwtAuthenticationToken authRequest = new JwtAuthenticationToken(authToken); 

    return getAuthenticationManager().authenticate(authRequest); 
} 

@Override 
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) 
     throws IOException, ServletException { 
    super.successfulAuthentication(request, response, chain, authResult); 

    // As this authentication is in HTTP header, after success we need to continue the request normally 
    // and return the response as if the resource was not secured at all 
    chain.doFilter(request, response); 
} 
} 

因此，處理的請求我的過濾器時，每次都沒有找到授權和HttpServletRequest的任何其他標題的信息對象和應用程序，讓回答用戶沒有通過驗證。 當我停用JWT安全篩選器時，同一個請求中包含所有標題。

有沒有人有任何想法如何解決這個問題？

我的配置文件是：

?xml version="1.0" encoding="UTF-8"?> 
<beans:beans 
    xmlns="http://www.springframework.org/schema/security" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xsi:schemaLocation=" 
     http://www.springframework.org/schema/security 
    http://www.springframework.org/schema/security/spring-security-4.2.xsd 
    http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans-4.2.xsd"> 

<!--activate @PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize annotations on any spring beans in the context--> 
<global-method-security pre-post-annotations="enabled" /> 

<!--define the login and signup endpoints to skip security--> 
<http pattern="/authenticate" security="none"/> 

<!--we define the filter chain applied to all requests while adding two important configs: Entry point reference and --> 
<!--setting the session creation to stateless (we do not want the session created for security purposes as --> 
<!--we are using tokens for each request)--> 
<http pattern="/**" entry-point-ref="restAuthenticationEntryPoint" create-session="stateless"> 
    <!--We do not need csrf protection because our tokens are immune to it--> 
    <csrf disabled="true"/> 
    <!--we plug in our special authentication filter within the Spring’s predefined filter chain,--> 
    <!--just before the form login filter--> 
    <custom-filter before="FORM_LOGIN_FILTER" ref="jwtAuthenticationFilter"/> 
</http> 

<!--This bean is the declaration of our authentification filter; since it is extending Spring’s --> 
<!--AbstractAuthenticationProcessingFilter, we need to declare it in XML to wire its properties --> 
<!--(auto wire does not work here)--> 
<beans:bean id="jwtAuthenticationFilter" class="by.eventcat.rest.security.JwtAuthenticationFilter"> 
    <beans:property name="authenticationManager" ref="authenticationManager" /> 
    <!--The default success handler of AbstractAuthenticationProcessingFilter is not good enough for REST purposes --> 
    <!--because it redirects the user to a success page; that is why we set our own here--> 
    <beans:property name="authenticationSuccessHandler" ref="jwtAuthenticationSuccessHandler" /> 
</beans:bean> 

<authentication-manager alias="authenticationManager"> 
    <!--The declaration of the provider created by the authenticationManager is used by our filter to authenticate users--> 
    <authentication-provider ref="jwtAuthenticationProvider" /> 
</authentication-manager> 

<beans:bean id="restAuthenticationEntryPoint" class="by.eventcat.rest.security.RestAuthenticationEntryPoint"/> 
<beans:bean id="jwtAuthenticationProvider" class="by.eventcat.rest.security.JwtAuthenticationProvider"/> 
<beans:bean id="jwtUtil" class="by.eventcat.rest.security.JwtUtil"/> 

Answer 1

我已經添加到我的應用程序CORS配置，這種影響不僅對性反應的，但是，REQUEST。所以，我的web.xml我說：

<!--CORS configuration--> 
<filter> 
    <filter-name>corsFilter</filter-name> 
    <filter-class>by.eventcat.rest.MyCorsFilter</filter-class> 
</filter> 
<filter-mapping> 
    <filter-name>corsFilter</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 

而且MyCorsFilter是：

public class MyCorsFilter extends CorsFilter { 

public MyCorsFilter() { 
    super(configurationSource()); 
} 

private static UrlBasedCorsConfigurationSource configurationSource() { 
    CorsConfiguration config = new CorsConfiguration(); 
    config.addAllowedOrigin("*"); 
    config.addAllowedMethod("*"); 
    config.addAllowedHeader("*"); 
    config.setAllowCredentials(true); 
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); 
    source.registerCorsConfiguration("/**", config); 
    return source; 
} 

}