0
- https://www.toptal.com/java/rest-security-with-jwt-spring-security-and-javaJWT Spring Security認證過濾器根據這篇文章losts我使用Spring Security的基礎上做出REST安全與JWT報頭信息
特別是,我有過濾器,從「授權」頭使用身份驗證令牌用戶要求:
public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
public JwtAuthenticationFilter() {
super("/**");
}
@Override
protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
return true;
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
String header = request.getHeader("Authorization");
if (header == null || !header.startsWith("Bearer ")) {
throw new JwtTokenMissingException("No JWT token found in request headers");
}
String authToken = header.substring(7);
JwtAuthenticationToken authRequest = new JwtAuthenticationToken(authToken);
return getAuthenticationManager().authenticate(authRequest);
}
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult)
throws IOException, ServletException {
super.successfulAuthentication(request, response, chain, authResult);
// As this authentication is in HTTP header, after success we need to continue the request normally
// and return the response as if the resource was not secured at all
chain.doFilter(request, response);
}
}
因此,處理的請求我的過濾器時,每次都沒有找到授權和HttpServletRequest的任何其他標題的信息對象和應用程序,讓回答用戶沒有通過驗證。 當我停用JWT安全篩選器時,同一個請求中包含所有標題。
有沒有人有任何想法如何解決這個問題?
我的配置文件是:
?xml version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd">
<!--activate @PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize annotations on any spring beans in the context-->
<global-method-security pre-post-annotations="enabled" />
<!--define the login and signup endpoints to skip security-->
<http pattern="/authenticate" security="none"/>
<!--we define the filter chain applied to all requests while adding two important configs: Entry point reference and -->
<!--setting the session creation to stateless (we do not want the session created for security purposes as -->
<!--we are using tokens for each request)-->
<http pattern="/**" entry-point-ref="restAuthenticationEntryPoint" create-session="stateless">
<!--We do not need csrf protection because our tokens are immune to it-->
<csrf disabled="true"/>
<!--we plug in our special authentication filter within the Spring’s predefined filter chain,-->
<!--just before the form login filter-->
<custom-filter before="FORM_LOGIN_FILTER" ref="jwtAuthenticationFilter"/>
</http>
<!--This bean is the declaration of our authentification filter; since it is extending Spring’s -->
<!--AbstractAuthenticationProcessingFilter, we need to declare it in XML to wire its properties -->
<!--(auto wire does not work here)-->
<beans:bean id="jwtAuthenticationFilter" class="by.eventcat.rest.security.JwtAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<!--The default success handler of AbstractAuthenticationProcessingFilter is not good enough for REST purposes -->
<!--because it redirects the user to a success page; that is why we set our own here-->
<beans:property name="authenticationSuccessHandler" ref="jwtAuthenticationSuccessHandler" />
</beans:bean>
<authentication-manager alias="authenticationManager">
<!--The declaration of the provider created by the authenticationManager is used by our filter to authenticate users-->
<authentication-provider ref="jwtAuthenticationProvider" />
</authentication-manager>
<beans:bean id="restAuthenticationEntryPoint" class="by.eventcat.rest.security.RestAuthenticationEntryPoint"/>
<beans:bean id="jwtAuthenticationProvider" class="by.eventcat.rest.security.JwtAuthenticationProvider"/>
<beans:bean id="jwtUtil" class="by.eventcat.rest.security.JwtUtil"/>
我可以看一下您的安全配置? –
是的,我現在編輯我的問題 –