java - 自定义页面的 JWT 标记化跳过 URL
问题描述
我想跳过 /preImages 请求的 JWT 令牌身份验证。
我已经在 JwtSecurityConfig 文件中尝试过,但没有成功。
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/api/preImages");
}
在我的 ServerApplication 中,我编写了这个方法来实现它:
//JwtAuthenticationTokenFilter.java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
public class JwtAuthenticationTokenFilter extends AbstractAuthenticationProcessingFilter {
public JwtAuthenticationTokenFilter() {
super("/api/**");
}
@Override
public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
String header = httpServletRequest.getHeader("Authorisation");
if (header == null || !header.startsWith("Token ")) {
throw new RuntimeException("JWT Token is missing");
}
String authenticationToken = header.substring(6);
JwtAuthenticationToken token = new JwtAuthenticationToken(authenticationToken);
return getAuthenticationManager().authenticate(token);
}
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
super.successfulAuthentication(request, response, chain, authResult);
chain.doFilter(request, response);
}
}
//JwtSecurityConfig.java
import java.util.Collections;
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
@Configuration
public class JwtSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JwtAuthenticationProvider authenticationProvider;
@Autowired
private JwtAuthenticationEntryPoint entryPoint;
@Bean
public AuthenticationManager authenticationManager() {
return new ProviderManager(Collections.singletonList(authenticationProvider));
}
@Bean
public JwtAuthenticationTokenFilter authenticationTokenFilter() {
JwtAuthenticationTokenFilter filter = new JwtAuthenticationTokenFilter();
filter.setAuthenticationManager(authenticationManager());
filter.setAuthenticationSuccessHandler(new JwtSuccessHandler());
return filter;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests( ).antMatchers( "/api/preImages" ).permitAll();
http.authorizeRequests().antMatchers("**/api/**").authenticated()
.and()
.exceptionHandling().authenticationEntryPoint(entryPoint)
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.addFilterBefore(authenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class);
http.headers().cacheControl();
}
}
但是对于“/api/preImages”请求,它也说“JWT 令牌丢失”。
自定义页面的 JWT 标记化跳过 URL
解决方案
要添加要从过滤/安全中排除的路径,您需要覆盖 WebSecurityConfigurerAdapter 的另一种方法:
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/api/preImages");
}
第二种方法可能是当在标头中找不到令牌时不要在过滤器中抛出异常,而是创建“来宾”身份验证。
推荐阅读
- android - 麻省理工学院应用程序发明者休息在平板电脑上运行时返回错误
- macos - 如何将终端样式更改回默认值?
- javascript - 在javascript中计数和重置
- javascript - 使用纯javascript将鼠标悬停在视频上时如何播放视频
- ruby - 向 Middleman 添加自定义 Markdown
- c# - 用一个词多次拆分字符串?
- html - 在换行符中处理边距时,是否有更简单的“calc”替代方法?
- video-streaming - HLS 视频流和聊天消息同步
- ios - 将 AKAudioFile 拆分为由静音分隔的块
- vb.net - VB.NET 不能将 EOF 和 BOF 与 ADODB 记录集一起使用