I have the following web security configuration:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Class declaration and imports added for context; the question shows only the body,
// so the class name is a placeholder.
@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private ApplicationAuthenticationProvider appProvider;

    @Bean
    @Qualifier("apiAuthenticationFilter")
    public TokenAuthenticationFilter apiAuthenticationFilter(TokenAuthenticationFailureHandler failureHandler,
            TokenAuthenticationSuccessHandler successHandler) throws Exception {
        TokenAuthenticationFilter filter = new TokenAuthenticationFilter();
        filter.setAuthenticationManager(authenticationManagerBean());
        filter.setAuthenticationFailureHandler(failureHandler);
        filter.setAuthenticationSuccessHandler(successHandler);
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/api/**")
            .authorizeRequests()
                .antMatchers("/api/oauth2/token", "/api/oauth2/application/token").permitAll()
                .antMatchers("/api/internal**").hasAuthority("READ_ALL")
                .anyRequest().authenticated()
            .and()
            // The filter is placed in the chain for every /api/** request,
            // including the permitAll endpoints listed above
            .addFilterBefore(apiAuthenticationFilter(null, null), UsernamePasswordAuthenticationFilter.class)
            .authenticationProvider(this.appProvider)
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .exceptionHandling()
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.FORBIDDEN))
            .and()
            .cors().disable()
            .formLogin().disable()
            .csrf().disable()
            .logout().disable();
    }
}
```
I try to access http://localhost:8080/api/oauth2/token?client_id=...&other_query_params=param and, instead of reaching that page as configured here:

```java
.antMatchers("/oauth2/token", "/oauth2/application/token").permitAll()
```

it invokes the filter chain and the filter added here:

```java
.addFilterBefore(apiAuthenticationFilter(null, null), UsernamePasswordAuthenticationFilter.class)
```

It rejects my request because a token is missing, but it should be allowed.

My log looks like this:
```text
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/oauth2/token'; against '/api/**'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /api/oauth2/token?client_id=123&client_secret=secret&code=code&grant_type=authorization_code at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /api/oauth2/token?client_id=123&client_secret=secret&code=code&grant_type=authorization_code at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /api/oauth2/token?client_id=123&client_secret=secret&code=code&grant_type=authorization_code at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /api/oauth2/token?client_id=123&client_secret=secret&code=code&grant_type=authorization_code at position 4 of 10 in additional filter chain; firing Filter: 'TokenAuthenticationFilter'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/oauth2/token'; against '/api/**'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] d.t.o.a.a.TokenAuthenticationFilter : Request is to process authentication
26-01-2021 INFO 17744 --- [nio-8080-exec-1] d.t.o.a.a.TokenAuthenticationFilter : Invoked attempAuthentication
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] d.t.o.a.a.TokenAuthenticationFilter : Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Invalid token submitted: null
```
1 Answer
OK, I have now fixed this bug; it was a logic error. I want to explain where the problem was.

Because I wanted to use OAuth2 authentication in my application, I added a filter called TokenAuthenticationFilter to read the Authorization header and authenticate with the credentials in that header. But my filter did not restrict the cases in which it applies. So all requests, including the "permitAll" requests, went through this filter and were rejected because there was no authentication. So I changed my code to apply the filter only when the "Authorization" header is set, and now everything works.
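The fix described in the answer, as an added example that is not the asker's code: the filter decides for itself which requests it processes through the RequestMatcher passed to AbstractAuthenticationProcessingFilter. It goes one step beyond the answer by also excluding the two permitAll token endpoints, where an Authorization header carries client credentials rather than a bearer token. It assumes Spring Security 5.x and that the application's ApplicationAuthenticationProvider accepts a PreAuthenticatedAuthenticationToken whose principal is the raw bearer token (both are assumptions, not stated in the question).

```java
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not the asker's class. Assumes Spring Security 5.x and that the
// application's ApplicationAuthenticationProvider accepts a PreAuthenticatedAuthenticationToken
// whose principal is the raw bearer token (both are assumptions, not from the question).
public class TokenAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    private static final String BEARER_PREFIX = "Bearer ";

    // permitAll() only affects the authorization decision; every filter placed earlier in
    // the chain still runs for /api/**. The filter therefore has to decide itself which
    // requests it processes: only those carrying an Authorization header, and never the two
    // token endpoints, where that header carries client credentials rather than a bearer token.
    private static final RequestMatcher BEARER_REQUESTS = new AndRequestMatcher(
            new RequestHeaderRequestMatcher(HttpHeaders.AUTHORIZATION),
            new NegatedRequestMatcher(new OrRequestMatcher(
                    new AntPathRequestMatcher("/api/oauth2/token"),
                    new AntPathRequestMatcher("/api/oauth2/application/token"))));

    public TokenAuthenticationFilter() {
        // Requests not matched by BEARER_REQUESTS pass straight down the chain untouched.
        super(BEARER_REQUESTS);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {
        String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        // The matcher guarantees the header is present; still reject malformed values explicitly.
        if (header == null || !header.startsWith(BEARER_PREFIX)) {
            throw new AuthenticationServiceException("Invalid token submitted: not a bearer token");
        }
        String token = header.substring(BEARER_PREFIX.length()).trim();
        if (token.isEmpty()) {
            throw new AuthenticationServiceException("Invalid token submitted: empty bearer token");
        }
        return getAuthenticationManager().authenticate(new PreAuthenticatedAuthenticationToken(token, "N/A"));
    }
}
```

Wire it exactly as the question does (authentication manager plus the two handlers); AbstractAuthenticationProcessingFilter does not continue the chain on its own after a successful authentication, so the success handler is what lets a stateless API request proceed to the controller.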