[英]Authentication based on custom token
我正在尝试根据请求标头中的自定义令牌放置身份验证。
我已阅读了该问题的可接受答案,并创建了自定义令牌,过滤器和身份验证提供程序。
问题 :
当我尝试“获取/登录”时:
supports
也不被调用! 在浏览器控制台中,我可以看到对/login
2个HTTP 302
调用。
任何想法?
编辑 :实际上,仅当我从angular调用端点(导致AJAX / XHR调用)时,身份验证提供程序才被忽略。 如果我从Postman呼叫端点,则会调用身份验证提供程序。
编辑 :春季安全调试日志:
2016-10-27 19:57:46.724 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@43bffae5
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login at position 4 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/logout'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login at position 5 of 10 in additional filter chain; firing Filter: 'MyFilter'
2016-10-27 19:57:46.726 DEBUG 9752 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2016-10-27 19:57:46.726 DEBUG 9752 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2016-10-27 19:57:46.768 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /login at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-10-27 19:57:46.769 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /login at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-10-27 19:57:46.769 DEBUG 9752 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2016-10-27 19:57:46.770 DEBUG 9752 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-10-27 19:57:46.770 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /login at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-10-27 19:57:46.771 DEBUG 9752 --- [nio-8080-exec-4] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@43bffae5
2016-10-27 19:57:46.771 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /login at position 4 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
2016-10-27 19:57:46.771 DEBUG 9752 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/logout'
2016-10-27 19:57:46.771 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /login at position 5 of 10 in additional filter chain; firing Filter: 'MyFilter'
2016-10-27 19:57:46.772 DEBUG 9752 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : HttpSession being created as SecurityContext is non-default
2016-10-27 19:57:46.774 DEBUG 9752 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@17085d: Authentication: com.mycompany.myapp.configuration.MyToken@17085d: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities'
2016-10-27 19:57:46.774 DEBUG 9752 --- [nio-8080-exec-4] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
代币:
public class MyToken extends AbstractAuthenticationToken {
private String token;
public MyToken(String token) {
super(null);
this.token = token;
}
@Override
public Object getCredentials() {
return token;
}
@Override
public Object getPrincipal() {
return null;
}
}
筛选器:
public class MyFilter extends AbstractAuthenticationProcessingFilter {
public MyFilter() {
super("/login");
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
String x_token = request.getHeader("x_token");
String method = request.getMethod();
if(x_token != null && method.equals("GET")) {
return new MyToken(x_token);
}
return null;
}
}
身份验证提供者:
@Component
public class MyAuthenticationProvider implements AuthenticationProvider {
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
MyToken token = (MyToken) authentication;
if(token.getCredentials() != null) {
token.setAuthenticated(true);
return token;
}
return null;
}
@Override
public boolean supports(Class<?> authentication) {
return authentication.equals(MyToken.class);
}
}
最后, 安全性配置 :
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private MyAuthenticationProvider myAuthenticationProvider;
@Override
protected void configure( HttpSecurity http ) throws Exception {
// configure filters
http.addFilterBefore( new MyFilter(), UsernamePasswordAuthenticationFilter.class );
// configure authentication providers
http.authenticationProvider(myAuthenticationProvider);
// disable csrf
http.csrf().disable();
// setup security
http.authorizeRequests()
.anyRequest()
.fullyAuthenticated()
.and().httpBasic();
}
}
您必须在AbstractAuthenticationProcessingFilter
的自定义子类中调用AuthenticationManager
,请参阅Spring Security Reference :
筛选器调用配置的
AuthenticationManager
来处理每个身份验证请求。
另请参见AbstractAuthenticationProcessingFilter#attemptAuthentication :
执行实际身份验证。 该实现应执行以下操作之一:
- 返回已验证用户的已填充验证令牌,指示验证成功
- 返回null,表示身份验证过程仍在进行中。 在返回之前,实现应执行完成该过程所需的任何其他工作。
- 如果身份验证过程失败,则抛出
AuthenticationException
您的实现未返回经过身份验证的令牌,请参阅日志:
将SecurityContext存储到HttpSession:'org.springframework.security.core.context.SecurityContextImpl@17085d:身份验证:com.mycompany.myapp.configuration.MyToken@17085d:主体:null; 凭证:[受保护]; 已验证:false ; 详细信息:null; 没有被授予任何权限
也可以看看:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.