Spring 安全性中的方法 configure(WebSecurity web) 不起作用
Method configure(WebSecurity web) in Spring Security doesn't work
我在 Spring 安全配置方面遇到问题,方法 configure(WebSecurity) 无法正常工作,下面是我的源代码:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilter(jwtAuthenticationTokenFilter())
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
public void configure(WebSecurity web) {
web.ignoring().antMatchers("/auth",
"/v2/api-docs",
"/swagger-resources/**",
"/configuration/**",
"/swagger-ui.html",
"/webjars/**",
"/", "/refreshconfig", "/*.html", "/*.gif", "/favicon.ico", "/**/*.html", "/**/*.gif",
"/**/*.css", "/**/*.js");
}
public class JwtAuthenticationTokenFilter extends BasicAuthenticationFilter {
private static final Logger log = LoggerFactory.getLogger(JwtAuthenticationTokenFilter.class);
@Autowired
private JwtTokenUtil jwtTokenUtil;
public JwtAuthenticationTokenFilter(JwtTokenUtil jwtTokenUtil, AuthenticationManager authenticationManager) {
super(authenticationManager);
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws IOException, ServletException {
String token = request.getHeader(JwtTokenUtil.TOKEN_HEADER);
Authentication authentication = null;
try {
if (StringUtils.isNotBlank(token) && token.startsWith(JwtTokenUtil.TOKEN_PREFIX)) {
log.info("JWT found {}", token);
authentication = jwtTokenUtil.getAuthentication(token.replace(JwtTokenUtil.TOKEN_PREFIX, ""));
SecurityContextHolder.getContext().setAuthentication(authentication);
} else if (SecurityContextHolder.getContext().getAuthentication() != null
&& SecurityContextHolder.getContext().getAuthentication().isAuthenticated()) {
log.info("User already authenticated {}",
SecurityContextHolder.getContext().getAuthentication().getPrincipal());
} else {
log.info("Invalid JWT {}", token);
}
filterChain.doFilter(request, response);
} catch (ExpiredJwtException ex) {
response.setContentType("application/json");
response.setStatus(HttpStatus.SC_INSUFFICIENT_SPACE_ON_RESOURCE);
ErrorObj err = new ErrorObj(GamblingErrors.UNAUTHORIZED.getCode(), ex.getMessage());
log.info("OUT ERROR END: {}", err.toString());
response.getOutputStream().println(err.toString());
} catch (UnsupportedJwtException | MalformedJwtException | SignatureException | IllegalArgumentException ex) {
response.setContentType("application/json");
response.setStatus(HttpStatus.SC_UNAUTHORIZED);
ErrorObj err = new ErrorObj(GamblingErrors.UNAUTHORIZED.getCode(), ex.getMessage());
log.info("OUT ERROR END: {}", err.toString());
response.getOutputStream().println(err.toString());
}
}
}
即使使用 configure(WebSecurity web) 方法,在 configure(HttpSecurity) 添加的过滤器仍然适用于所有资源,不考虑 web.ignoring。
有人可以告诉我为什么它不起作用吗?
根据问题中不完整的源代码,我可能会建议 Spring Boot 将 JwtAuthenticationTokenFilter class自动进入过滤器链。因此,尽管在安全配置的 ignoring() 方法中排除 /auth/ 是正确的,但这不足以阻止过滤器在 [=22 的上下文中发生=] 引导自己。解决方案是从 jwtAuthenticationTokenFilter() 方法中删除注释 @Bean 或按照
中解释的其他方式
我在 Spring 安全配置方面遇到问题,方法 configure(WebSecurity) 无法正常工作,下面是我的源代码:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilter(jwtAuthenticationTokenFilter())
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
public void configure(WebSecurity web) {
web.ignoring().antMatchers("/auth",
"/v2/api-docs",
"/swagger-resources/**",
"/configuration/**",
"/swagger-ui.html",
"/webjars/**",
"/", "/refreshconfig", "/*.html", "/*.gif", "/favicon.ico", "/**/*.html", "/**/*.gif",
"/**/*.css", "/**/*.js");
}
public class JwtAuthenticationTokenFilter extends BasicAuthenticationFilter {
private static final Logger log = LoggerFactory.getLogger(JwtAuthenticationTokenFilter.class);
@Autowired
private JwtTokenUtil jwtTokenUtil;
public JwtAuthenticationTokenFilter(JwtTokenUtil jwtTokenUtil, AuthenticationManager authenticationManager) {
super(authenticationManager);
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws IOException, ServletException {
String token = request.getHeader(JwtTokenUtil.TOKEN_HEADER);
Authentication authentication = null;
try {
if (StringUtils.isNotBlank(token) && token.startsWith(JwtTokenUtil.TOKEN_PREFIX)) {
log.info("JWT found {}", token);
authentication = jwtTokenUtil.getAuthentication(token.replace(JwtTokenUtil.TOKEN_PREFIX, ""));
SecurityContextHolder.getContext().setAuthentication(authentication);
} else if (SecurityContextHolder.getContext().getAuthentication() != null
&& SecurityContextHolder.getContext().getAuthentication().isAuthenticated()) {
log.info("User already authenticated {}",
SecurityContextHolder.getContext().getAuthentication().getPrincipal());
} else {
log.info("Invalid JWT {}", token);
}
filterChain.doFilter(request, response);
} catch (ExpiredJwtException ex) {
response.setContentType("application/json");
response.setStatus(HttpStatus.SC_INSUFFICIENT_SPACE_ON_RESOURCE);
ErrorObj err = new ErrorObj(GamblingErrors.UNAUTHORIZED.getCode(), ex.getMessage());
log.info("OUT ERROR END: {}", err.toString());
response.getOutputStream().println(err.toString());
} catch (UnsupportedJwtException | MalformedJwtException | SignatureException | IllegalArgumentException ex) {
response.setContentType("application/json");
response.setStatus(HttpStatus.SC_UNAUTHORIZED);
ErrorObj err = new ErrorObj(GamblingErrors.UNAUTHORIZED.getCode(), ex.getMessage());
log.info("OUT ERROR END: {}", err.toString());
response.getOutputStream().println(err.toString());
}
}
}
即使使用 configure(WebSecurity web) 方法,在 configure(HttpSecurity) 添加的过滤器仍然适用于所有资源,不考虑 web.ignoring。
有人可以告诉我为什么它不起作用吗?
根据问题中不完整的源代码,我可能会建议 Spring Boot 将 JwtAuthenticationTokenFilter class自动进入过滤器链。因此,尽管在安全配置的 ignoring() 方法中排除 /auth/ 是正确的,但这不足以阻止过滤器在 [=22 的上下文中发生=] 引导自己。解决方案是从 jwtAuthenticationTokenFilter() 方法中删除注释 @Bean 或按照