Authentication based on custom token

I am trying to put in place authentication based on a custom token in the request header.

I have read the accepted answer to that question and created a custom token, filter and authentication provider.

Problem

When I try GET /login:

  • the filter is called
  • the token is created
  • the authenticationProvider is not called. Not even its supports method is called!

In the browser console I can see 2 HTTP 302 calls to /login.

Any ideas?

EDIT: Actually, the authentication provider is ignored only when I call the endpoint from Angular (resulting in an AJAX / XHR call). If I call the endpoint from Postman, the authentication provider is called.

EDIT: Spring Security debug log:

2016-10-27 19:57:46.724 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /login at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /login at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /login at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@43bffae5
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /login at position 4 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login'; against '/logout'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /login at position 5 of 10 in additional filter chain; firing Filter: 'MyFilter'
2016-10-27 19:57:46.726 DEBUG 9752 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2016-10-27 19:57:46.726 DEBUG 9752 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2016-10-27 19:57:46.768 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : /login at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-10-27 19:57:46.769 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : /login at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-10-27 19:57:46.769 DEBUG 9752 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2016-10-27 19:57:46.770 DEBUG 9752 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-10-27 19:57:46.770 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : /login at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-10-27 19:57:46.771 DEBUG 9752 --- [nio-8080-exec-4] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@43bffae5
2016-10-27 19:57:46.771 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : /login at position 4 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
2016-10-27 19:57:46.771 DEBUG 9752 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login'; against '/logout'
2016-10-27 19:57:46.771 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : /login at position 5 of 10 in additional filter chain; firing Filter: 'MyFilter'
2016-10-27 19:57:46.772 DEBUG 9752 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : HttpSession being created as SecurityContext is non-default
2016-10-27 19:57:46.774 DEBUG 9752 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@17085d: Authentication: com.mycompany.myapp.configuration.MyToken@17085d: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities'
2016-10-27 19:57:46.774 DEBUG 9752 --- [nio-8080-exec-4] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

Token:

import org.springframework.security.authentication.AbstractAuthenticationToken;

public class MyToken extends AbstractAuthenticationToken {

    private String token;

    public MyToken(String token) {
        super(null); // no authorities: the token starts out unauthenticated
        this.token = token;
    }

    @Override
    public Object getCredentials() {
        return token;
    }

    @Override
    public Object getPrincipal() {
        return null;
    }
}

Filter:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

public class MyFilter extends AbstractAuthenticationProcessingFilter {

    public MyFilter() {
        super("/login"); // only requests to /login go through attemptAuthentication
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
        String x_token = request.getHeader("x_token");
        String method = request.getMethod();
        if(x_token != null && method.equals("GET")) {
            // returns the raw token without passing it to the AuthenticationManager
            return new MyToken(x_token);
        }
        return null;
    }
}

Authentication provider:

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;

@Component
public class MyAuthenticationProvider implements AuthenticationProvider {
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        MyToken token = (MyToken) authentication;
        if(token.getCredentials() != null) {
            token.setAuthenticated(true);
            return token;
        }
        return null;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(MyToken.class);
    }
}

Finally, the security configuration:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private MyAuthenticationProvider myAuthenticationProvider;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // configure filters
        http.addFilterBefore(new MyFilter(), UsernamePasswordAuthenticationFilter.class);

        // configure authentication providers
        http.authenticationProvider(myAuthenticationProvider);

        // disable csrf
        http.csrf().disable();

        // setup security
        http.authorizeRequests()
                .anyRequest()
                .fullyAuthenticated()
                .and().httpBasic();
    }
}

You have to call the AuthenticationManager in your custom subclass of AbstractAuthenticationProcessingFilter, see Spring Security Reference:

The filter calls the configured AuthenticationManager to process each authentication request.

See also AbstractAuthenticationProcessingFilter#attemptAuthentication:

Performs actual authentication. The implementation should do one of the following:

  1. Return a populated authentication token for the authenticated user, indicating successful authentication
  2. Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
  3. Throw an AuthenticationException if the authentication process fails

Your implementation does not return an authenticated token, see the log:

SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@17085d: Authentication: com.mycompany.myapp.configuration.MyToken@17085d: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities'
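An added example (not the question's or the answer's code) of the corrected filter together with a token and provider that actually validate the header: the filter hands MyToken to the AuthenticationManager, and the provider either returns an authenticated token carrying a principal and authorities or throws. The token table is constructed sample data, and the provider and filter are assumed to be registered as in the question's SecurityConfiguration.

```java
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

class MyToken extends AbstractAuthenticationToken {
    private final String token, principal;
    MyToken(String token) { super(null); this.token = token; this.principal = null; } // unauthenticated
    MyToken(String token, String principal, List<SimpleGrantedAuthority> auths) {
        super(auths); this.token = token; this.principal = principal;
        setAuthenticated(true);  // only the provider constructs the authenticated form
    }
    @Override public Object getCredentials() { return token; }
    @Override public Object getPrincipal() { return principal; }
}

class MyAuthenticationProvider implements AuthenticationProvider {
    // Constructed sample data (token -> user); a real deployment would consult a token store.
    private static final Map<String, String> TOKENS = Map.of("example-token-123", "alice");

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        String presented = (String) auth.getCredentials();
        String user = TOKENS.get(presented);
        if (user == null) throw new BadCredentialsException("unknown token"); // fail, do not return null
        return new MyToken(presented, user, List.of(new SimpleGrantedAuthority("ROLE_USER")));
    }
    @Override public boolean supports(Class<?> c) { return MyToken.class.isAssignableFrom(c); }
}

public class MyFilter extends AbstractAuthenticationProcessingFilter {
    public MyFilter() { super("/login"); }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        String xToken = request.getHeader("x_token");
        if (xToken == null) throw new BadCredentialsException("x_token header missing");
        // The step the question's filter skips: let the AuthenticationManager dispatch to the provider.
        return getAuthenticationManager().authenticate(new MyToken(xToken));
    }
}
```

Because the filter is instantiated with new rather than as a bean, the configuration must also hand it the manager (for example filter.setAuthenticationManager(authenticationManager()) inside configure(HttpSecurity) before addFilterBefore), otherwise getAuthenticationManager() returns null.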
