[英]Spring boot 2.0 HttpSecurity auth doesn't work without sent Authorization header
我在WebSecurity extends WebSecurityConfigurerAdapter類中具有此安全設置:
@Override
protected void configure(HttpSecurity http) throws Exception
{
http
.addFilterBefore(corsFilter(), SessionManagementFilter.class)
.csrf().disable().authorizeRequests()
.antMatchers(HttpMethod.POST, SIGN_UP_URL).permitAll()
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager()))
.addFilter(new JWTAuthorizationFilter(authenticationManager()));
}
JWTAuthenticationFilter:
class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter
{
private AuthenticationManager authenticationManager;
private Logger logger = Logger.getLogger("JWTAuthenticationFilter");
JWTAuthenticationFilter(AuthenticationManager authenticationManager)
{
this.authenticationManager = authenticationManager;
}
@Override
public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
throws AuthenticationException
{
String username = req.getParameter("username");
logger.info("Login attempt with username: " + username);
return authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(username, req.getParameter("password"), new ArrayList<>())
);
}
@Override
protected void successfulAuthentication(
HttpServletRequest req,
HttpServletResponse res,
FilterChain chain,
Authentication auth
)
{
String token = Jwts
.builder()
.setSubject(((User) auth.getPrincipal()).getUsername())
.setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
.signWith(SignatureAlgorithm.HS512, SECRET)
.compact();
res.addHeader(HEADER_STRING, TOKEN_PREFIX + token);
}
}
JWTAuthorizationFilter:
public class JWTAuthorizationFilter extends BasicAuthenticationFilter
{
JWTAuthorizationFilter(AuthenticationManager authManager)
{
super(authManager);
}
@Override
protected void doFilterInternal(
HttpServletRequest req,
HttpServletResponse res,
FilterChain chain
) throws IOException, ServletException
{
String header = req.getHeader(HEADER_STRING);
if (header == null || !header.startsWith(TOKEN_PREFIX))
{
chain.doFilter(req, res);
return;
}
UsernamePasswordAuthenticationToken authentication = getAuthentication(req);
SecurityContextHolder.getContext().setAuthentication(authentication);
chain.doFilter(req, res);
}
private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request)
{
String token = request.getHeader(HEADER_STRING);
if (token != null)
{
String user = Jwts
.parser()
.setSigningKey(SECRET)
.parseClaimsJws(token.replace(TOKEN_PREFIX, ""))
.getBody()
.getSubject();
if (user != null)
{
return new UsernamePasswordAuthenticationToken(user, null, new ArrayList<>());
}
return null;
}
return null;
}
}
有什么問題嗎?
不是專家,但是您可以嘗試使用以下方法在特定位置添加過濾器
.addFilterBefore(new JWTAuthenticationFilter(authenticationManager()), UsernamePasswordAuthenticationFilter.class);
讓我知道是否有什么變化
當Spring Boot安全性中的授權服務不起作用時的授權錯誤處理
[英]Authorization Error handling when Authorization service down in Spring boot security doesn't work
Spring啟動安全性不會在configure(HttpSecurity http)方法上重定向oauth / authorize調用
[英]Spring boot security doesn't redirect oauth/authorize calls on configure(HttpSecurity http) method
沒有Spring Boot的Spring Security身份驗證與Spring Boot和類似配置不兼容
[英]Spring security authentication without spring boot doesn't work as opposed to with spring boot and similar configuration
"Spring Boot 2:如果附加了 Authorization 標頭,Basic Http Auth 會導致未受保護的端點以 401“Unauthorized”響應"
[英]Spring Boot 2: Basic Http Auth causes unprotected endpoints to respond with 401 "Unauthorized" if Authorization header is attached
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.