我有一个简单的spring引导应用程序,它使用了带有jwt过滤器的Spring Security
所有这些都可以正常工作,但当我试图在侦听器中捕捉身份验证成功和失败的事件时,
这不起作用认证事件从来没有发生过我找不到问题所在
这是我的安全类配置:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
@FieldDefaults(level = PRIVATE, makeFinal = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private static final RequestMatcher PUBLIC_URLS = new OrRequestMatcher(
new AntPathRequestMatcher("/public/**"),
new AntPathRequestMatcher("/h2-console/**"),
new AntPathRequestMatcher("/v3/api-docs/**"),
new AntPathRequestMatcher("/swagger-ui/**"),
new AntPathRequestMatcher("/swagger-ui.html")
);
private static final RequestMatcher PROTECTED_URLS = new NegatedRequestMatcher(PUBLIC_URLS);
TokenAuthenticationProvider provider;
SecurityConfig(final TokenAuthenticationProvider provider) {
super();
this.provider = requireNonNull(provider);
}
/* @Override
protected void configure(final AuthenticationManagerBuilder auth) {
auth.authenticationProvider(provider);
}*/
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationEventPublisher(authenticationEventPublisher());
}
@Override
public void configure(final WebSecurity web) {
web.ignoring().requestMatchers(PUBLIC_URLS);
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(STATELESS)
.and()
.exceptionHandling()
// this entry point handles when you request a protected page and you are not yet
// authenticated
.defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), PROTECTED_URLS)
.and()
.authenticationProvider(provider)
.addFilterBefore(restAuthenticationFilter(), AnonymousAuthenticationFilter.class)
.authorizeRequests()
.requestMatchers(PROTECTED_URLS)
.authenticated()
.and()
.csrf().disable()
.formLogin().disable()
.httpBasic().disable()
.logout().disable();
// h2 console config
http.headers().frameOptions().sameOrigin();
}
@Bean
TokenAuthenticationFilter restAuthenticationFilter() throws Exception {
final TokenAuthenticationFilter filter = new TokenAuthenticationFilter(PROTECTED_URLS);
filter.setAuthenticationManager(authenticationManager());
filter.setAuthenticationSuccessHandler(successHandler());
return filter;
}
@Bean
public DefaultAuthenticationEventPublisher authenticationEventPublisher() {
return new DefaultAuthenticationEventPublisher();
}
@Bean
SimpleUrlAuthenticationSuccessHandler successHandler() {
final SimpleUrlAuthenticationSuccessHandler successHandler = new SimpleUrlAuthenticationSuccessHandler();
successHandler.setRedirectStrategy(new NoRedirectStrategy());
return successHandler;
}
@Bean
PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
/**
* Disable Spring boot automatic filter registration.
*/
@Bean
FilterRegistrationBean disableAutoRegistration(final TokenAuthenticationFilter filter) {
final FilterRegistrationBean registration = new FilterRegistrationBean(filter);
registration.setEnabled(false);
return registration;
}
@Bean
AuthenticationEntryPoint forbiddenEntryPoint() {
return new HttpStatusEntryPoint(FORBIDDEN);
}我的tokenauthenticationfilter是接口的一个实现:abstractauthenticationprocessingfilter
我的听众们:
@Slf4j
@Component
@RequiredArgsConstructor
public class AuthenticationFailureListener {
private final LoginFailureRepository loginFailureRepository ;
private final UserRepository userRepository;
@EventListener
public void listen(AuthenticationFailureBadCredentialsEvent event){
log.info("Login Failed");
LoginFailure.LoginFailureBuilder builder = LoginFailure.builder();
if(event.getSource() instanceof UsernamePasswordAuthenticationToken){
UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) event.getSource();
if(token.getPrincipal() instanceof String){
String userName =(String) token.getPrincipal();
builder.userName(userName);
log.info("Attempted username : {}",userName);
userRepository.findByUsername(userName).ifPresent(builder::user);
}
if(token.getPrincipal() instanceof WebAuthenticationDetails){
WebAuthenticationDetails details =(WebAuthenticationDetails) token.getDetails();
builder.sourceIp(details.getRemoteAddress());
log.info("User remote address : {}",details.getRemoteAddress());
}
}
LoginFailure loginFailure = loginFailureRepository.save(builder.build());
log.info("saving login failure : {}",loginFailure);
}
}
@Slf4j
@Component
@RequiredArgsConstructor
public class AuthenticationSuccessListener {
private final LoginSuccessRepository loginSuccessRepository ;
@EventListener
public void listen(AuthenticationSuccessEvent event){
log.info("--------------- USER LOGGED WITH SUCCESS ----------------------");
LoginSuccess.LoginSuccessBuilder builder = LoginSuccess.builder();
if(event.getSource() instanceof UsernamePasswordAuthenticationToken){
UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) event.getSource();
if(token.getPrincipal() instanceof User){
User user =(User) token.getPrincipal();
builder.user(user);
log.info("User name login in : {}",user.getUsername());
}
if(token.getPrincipal() instanceof WebAuthenticationDetails){
WebAuthenticationDetails details =(WebAuthenticationDetails) token.getDetails();
builder.sourceIp(details.getRemoteAddress());
log.info("User remote address : {}",details.getRemoteAddress());
}
}
LoginSuccess loginSuccess = loginSuccessRepository.save(builder.build());
log.info("saving login success : {}",loginSuccess);
}
}这是我的开始日志:
SecurityAutoConfiguration matched:
- @ConditionalOnClass found required class 'org.springframework.security.authentication.DefaultAuthenticationEventPublisher' (OnClassCondition)
2021-01-09 21:42:28.413 DEBUG 49828 --- [ restartedMain] o.s.b.f.s.DefaultListableBeanFactory : Creating shared instance of singleton bean 'authenticationFailureListener'
2021-01-09 21:42:28.422 DEBUG 49828 --- [ restartedMain] o.s.b.f.s.DefaultListableBeanFactory : Creating shared instance of singleton bean 'authenticationSuccessListener'
1条答案
按热度按时间lfapxunr1#
您需要在安全配置中配置处理程序。
成功处理程序需要实现接口“authenticationsuccesshandler”,例如:
故障处理程序需要实现接口“authenticationfailurehandler”,例如: