[英]InsufficientAuthenticationException: Full authentication is required to access this resource
所以我有一個相對簡單的 JWT 身份驗證,並設置了 Spring Boot 安全性。 這包括 3 個過濾器(Jwt、Cors、JwtExceptionHandler)和一個注冊到 HttpSecurity 的異常處理程序。 由於調試原因,我將JwtRequestFilter的doFilterInternal方法設置為空。 僅此一點就沒有問題。 但是,如果同一個過濾器中的shouldNotFilter方法返回true (這意味着將跳過doFilterInternal ),我會收到指定的異常:
org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource
at org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:189)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:140)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at at.techsoft.cocos.security.ExceptionHandlerFilter.doFilterInternal(ExceptionHandlerFilter.java:20)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
這是我的WebSecurityConfig類:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private static final Logger log = LoggerFactory.getLogger(WebSecurityConfig.class);
@Autowired
private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
@Autowired
private UserDetailsService jwtUserDetailsService;
@Autowired
private ExceptionHandlerFilter exceptionHandlerFilter;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(jwtUserDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.cors().and().csrf().disable();
httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
httpSecurity.exceptionHandling()
.authenticationEntryPoint(jwtAuthenticationEntryPoint);
httpSecurity.headers().frameOptions().disable();
httpSecurity.authorizeRequests()
.antMatchers(Path.ROOT + "/authentication/**", "/*","/share/**", "/css/**", "/img/**", "/js/**", "/console/**").permitAll()
// Disallow everything else..
.antMatchers(HttpMethod.OPTIONS).permitAll()
.anyRequest().authenticated();
httpSecurity.addFilterBefore(new CorsFilterConfig(), ChannelProcessingFilter.class);
httpSecurity.addFilterBefore(new JwtRequestFilter(new StandardJwtValidator(tokenUtil, userRepository, jwtUserDetailsService)), UsernamePasswordAuthenticationFilter.class);
httpSecurity
.addFilterBefore(exceptionHandlerFilter, JwtRequestFilter.class);
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers(Path.ROOT + "/authentication/", "/*", "/css/**", "/img/**", "/js/**", "/console/**")
.antMatchers(HttpMethod.OPTIONS, "/**");
}
這是有問題的 JwtRequestFilter:
public class JwtRequestFilter extends OncePerRequestFilter {
private Logger log = LoggerFactory.getLogger(JwtRequestFilter.class);
final
IJwtValidator validator;
public JwtRequestFilter(IJwtValidator validator) {
this.validator = validator;
}
@Override
public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws ServletException, IOException {
//SecurityContextHolder.getContext().setAuthentication(validator.getAuthenticatioNToken(request));
}
@Override
protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
return true;
}
}
在谷歌搜索異常時,幾乎所有的答案都包括 oauth2 身份驗證,但我不使用 oauth2。
我應該補充一點,這種特殊情況永遠不會發生,但我覺得存在一些潛在問題,導致系統其他部分出現錯誤。
編輯:根據請求,我將添加 application.properties:
jwt.secret=javainuse
logging.level.at=DEBUG
logging.level.org.springframework.web=DEBUG
spring.jpa.hibernate.ddl-auto= create-drop
spring.jpa.open-in-view=true #i know this shouldn't be used
#database location
#left out for post
# H2
spring.h2.console.enabled=true
spring.h2.console.path=/h2/
spring.datasource.url=#left out again
請求頭:
> GET /api/v1/groups/ HTTP/1.1
> Host: localhost:8080
> User-Agent: insomnia/7.0.5
> Cookie: JSESSIONID=199D19CCD05968D3E8CF0C97A1DE2CD5
> Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJ0c2FkbWluIiwiZXhwIjoxNTc1NTY0MjcxLCJpYXQiOjE1NzU1NDYyNzF9.dCXO2LFaZy8LTFRCA14gHAhA1kUUSy6pCZ7Joad2z1y1G50PSVC2mPz56odA5LmIHOxhjnZrrxAbGyuX2NWgWQ
> Accept: */*
您可以參考下面提到的文章,它可能會有所幫助
使用 jwt-a-real-world-example 保護您的春天restful-apis
在你的 spring-boot 項目中,如果你有 application.properties 文件或 application.yml 文件也共享。 它是服務器到服務器的身份驗證還是客戶端到服務器? 請分享請求標頭的詳細信息
對於在我之后尋找解決方案的任何人:這是doFilterInternal方法中的一行代碼。 最后我加了
chain.doFilter(request, response);
這為我修復了它。
POST 請求 org.springframework.security.authentication.InsufficientAuthenticationException: 訪問此資源需要完全認證
[英]POST request org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource
Jhipster gateway 需要完整的身份驗證才能訪問此資源
[英]Jhipster gateway Full authentication is required to access this resource
未經授權的錯誤:需要完全身份驗證才能訪問此資源
[英]Unauthorized error: Full authentication is required to access this resource
使用Spring Security和Keycloak訪問此資源需要完全認證
[英]Full authentication is required to access this resource with Spring Security and Keycloak
Spring-Security-Oauth2:訪問此資源需要完全身份驗證
[英]Spring-Security-Oauth2: Full authentication is required to access this resource
測試彈簧安全站。 需要完全認證才能訪問此資源
[英]Testing spring security post. Full authentication is required to access this resource
spring oauth錯誤,需要完全認證才能訪問此資源
[英]spring oauth error Full authentication is required to access this resource
啟動應用程序時“未授權:訪問此資源需要完全身份驗證”
[英]"Unauthorized: Full authentication is required to access this resource" when booting up the app
使用 JWT 授權時獲取“訪問此資源需要完全身份驗證”
[英]Getting "Full authentication is required to access this resource" when using JWT grant
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.