在Spring Boot应用程序中实现注销Rest API

Question

我的春季启动应用程序具有以下Web安全配置。

@EnableWebSecurity
@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired 
    private AccountRepository accountRepository;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/login").permitAll()
            .and()
            .authorizeRequests()
                .antMatchers("/signup").permitAll()
            .and()
            .authorizeRequests()
                .anyRequest().authenticated()
            .and()
                .logout().logoutUrl("/logout").invalidateHttpSession(true)
            .and()
            // We filter the api/signup requests
            .addFilterBefore(
                new JWTSignupFilter("/signup", authenticationManager(), accountRepository),
                UsernamePasswordAuthenticationFilter.class)
            // We filter the api/login requests
            .addFilterBefore(
                new JWTLoginFilter("/login", authenticationManager()),
                UsernamePasswordAuthenticationFilter.class)
            // And filter other requests to check the presence of JWT in
            // header
            .addFilterBefore(new JWTAuthenticationFilter(userDetailsServiceBean()),
                UsernamePasswordAuthenticationFilter.class);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.userDetailsService(userDetailsServiceBean());
    }

    @Override
    public UserDetailsService userDetailsServiceBean() throws Exception {
        return new CustomUserDetailsService(accountRepository);
    }
}

当客户端向/logout端点发出POST请求时，服务器将引发异常：

com.fasterxml.jackson.databind.JsonMappingException: No content to map due to end-of-input
 at [Source: org.apache.catalina.connector.CoyoteInputStream@3f636b5b; line: 1, column: 0]
    at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:270) ~[jackson-databind-2.8.7.jar:2.8.7]
    at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3838) ~[jackson-databind-2.8.7.jar:2.8.7]
    at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3783) ~[jackson-databind-2.8.7.jar:2.8.7]
    at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2908) ~[jackson-databind-2.8.7.jar:2.8.7]
    at com.boot.myapp.config.security.JWTLoginFilter.attemptAuthentication(JWTLoginFilter.java:32) ~[classes/:na]

如您所见，它尝试在JWTLoginFilter运行用于登录的方法，但是为什么呢？

编辑1

JWTLoginFilter.java代码：

public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter {


    public JWTLoginFilter(String url, AuthenticationManager authManager) {
        super(new AntPathRequestMatcher(url));
        setAuthenticationManager(authManager);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest req,
            HttpServletResponse res) throws AuthenticationException,
            IOException, ServletException {

        CustomUserDetails creds = new ObjectMapper().readValue(
                req.getInputStream(), CustomUserDetails.class);

        return getAuthenticationManager().authenticate(
                new UsernamePasswordAuthenticationToken(creds.getUsername(),
                        creds.getPassword()));
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest req,
            HttpServletResponse res, FilterChain chain, Authentication auth) {
        TokenAuthenticationService.addAuthentication(res, auth.getName());
    }
}

Answer 1

显然，Spring安全性会自动将注销重定向到login?logout ，从而激活登录过滤器。 我们可以将登录过滤器构造函数更改为以下内容：

public JWTLoginFilter(String url, AuthenticationManager authManager) { super(new AntPathRequestMatcher(url, "POST")); setAuthenticationManager(authManager); }