spring - 运行时未调用自定义弹簧安全过滤器
问题描述
我正在尝试在 Spring Boot Rest 服务项目中启用 Spring Security,但遇到了一些问题。
我用这段代码配置了它
@Configuration
@EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {
@Autowired
private LdapAuthenticationProvider ldapAuthenticationProvider;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic().and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(ldapAuthenticationProvider);
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}
并实现了一个自定义身份验证提供程序以登录 LDAP(它具有非标准配置,因此我无法使默认 ldap 提供程序工作)
@Component
public class LdapAuthenticationProvider implements AuthenticationProvider {
@Override
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
String email = authentication.getName();
String password = authentication.getCredentials().toString();
LdapConnection ldap = new LdapConnection();
String uid = ldap.getUserUID(email);
if(uid == null || uid == ""){
throw new BadCredentialsException("User " + email + " not found");
}
if(ldap.login(uid, password)){
return new UsernamePasswordAuthenticationToken(uid, null, new ArrayList<>());
}else{
throw new BadCredentialsException("Bad credentials");
}
}
@Override
public boolean supports(Class<?> authentication) {
return true;
//To indicate that this authenticationprovider can handle the auth request. since there's currently only one way of logging in, always return true
}
}
这段代码运行良好,因为使用基本授权标头调用我的服务,它能够正确登录并返回调用的服务。当我尝试插入不同的授权/身份验证时,问题就开始了。我不想使用基本身份验证,而是想从我的反应前端中的表单传递凭据,所以我想在 POST 调用中将它们作为 json 主体传递。(想法是生成一个 jwt 令牌并将其用于以下通信)。
所以我将配置方法更改为:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager()))
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
并定义了一个自定义身份验证过滤器:
public class JWTAuthenticationFilter extends
UsernamePasswordAuthenticationFilter {
@Autowired
private AuthenticationManager authenticationManager;
public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}
@Override
public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res) throws AuthenticationException{
String requestBody;
try{
requestBody = IOUtils.toString(req.getReader());
JsonParser jsonParser = JsonParserFactory.getJsonParser();
Map<String, Object> requestMap = jsonParser.parseMap(requestBody);
return authenticationManager.authenticate( new UsernamePasswordAuthenticationToken(requestMap.get("email"), requestMap.get("password"), new ArrayList<>()));
}catch(IOException e){
throw new InternalAuthenticationServiceException("Something goes wrong parsing the request body",e );
}
}
@Override
protected void successfulAuthentication(HttpServletRequest req, HttpServletResponse res, FilterChain chain, Authentication auth) throws IOException{
JwtTokenProvider tokenProvider = new JwtTokenProvider();
String token = tokenProvider.generateToken(auth.getPrincipal().toString());
Cookie cookie = new Cookie("jwt",token);
cookie.setHttpOnly(true);
cookie.setSecure(true);
res.addCookie(cookie);
}
}
问题是,无论我在做什么,运行时似乎根本没有进入这个过滤器。我错过了什么?我想这是一件大而愚蠢的事情,但我无法弄清楚......
更新:问题似乎是 UsernamePassWordAuthenticationFilter 只能通过表单调用。然后,我将代码更改为扩展 AbstractAuthenticationProcessingFilter。
修改后的过滤器:
public class JWTAuthenticationFilter extends
AbstractAuthenticationProcessingFilter {
private AuthenticationManager authenticationManager;
public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {
super("/api/secureLogin");
this.authenticationManager = authenticationManager;
}
@Override
public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res) throws AuthenticationException{
String requestBody;
try{
requestBody = IOUtils.toString(req.getReader());
JsonParser jsonParser = JsonParserFactory.getJsonParser();
Map<String, Object> requestMap = jsonParser.parseMap(requestBody);
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(requestMap.get("email"), requestMap.get("password"), new ArrayList<>());
return authenticationManager.authenticate(token);
}catch(IOException e){
throw new InternalAuthenticationServiceException("Something goes wrong parsing the request body",e );
}
}
}
以及修改后的配置方法:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers(HttpMethod.POST, "/api/secureLogin").permitAll()
.antMatchers(HttpMethod.GET, "/api").permitAll()
.antMatchers("/api/**").authenticated()
.and()
.addFilterBefore(new JWTAuthenticationFilter(authenticationManager()), UsernamePasswordAuthenticationFilter.class)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
解决方案
您希望通过访问路径来触发过滤器api/secureLogin
。默认情况下UsernamePasswordAuthenticationFilter
仅通过访问触发/login
。
JWTAuthenticationFilter
如果您在which extends的构造函数中添加以下行,UsernamePasswordAuthenticationFilter
它应该可以工作:
this.setFilterProcessesUrl("/api/secureLogin");
推荐阅读
- vue.js - 隐藏和显示组件
- python - df.update() 或 df.fillna() 不能将数据框中的 NaN 值替换为另一个数据框值
- c# - 在使用 GraphQL.client 使用 API 时添加内容类型标头
- crystal-reports - Crystal Report:删除 excel 中空的多余行详细信息部分
- discord.py - on_raw_reaction_add 不适用于 ctx 及其属性“作者”
- apache-spark - 使用 spark-submit 将数据加载到 SQL Server 时的 Parquet 列问题
- php - 如何放置与方法相关的位置?
- python - 矩阵大小不兼容 - Keras Tensorflow
- reactjs - setTimeout 没有执行(没有错误信息),为什么?
- julia - Julia中的张量模式n乘积