Spring ignores all the rules

kq4fsx7k  posted 2021-07-24  in  Java

I have the following web security configuration:

@Autowired
private ApplicationAuthenticationProvider appProvider;

@Bean
@Qualifier("apiAuthenticationFilter")
public TokenAuthenticationFilter apiAuthenticationFilter(TokenAuthenticationFailureHandler failureHandler,
        TokenAuthenticationSuccessHandler successHandler) throws Exception {
    TokenAuthenticationFilter filter = new TokenAuthenticationFilter();
    filter.setAuthenticationManager(authenticationManagerBean());
    filter.setAuthenticationFailureHandler(failureHandler);
    filter.setAuthenticationSuccessHandler(successHandler);
    return filter;
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/api/**")
        .authorizeRequests()
        .antMatchers("/api/oauth2/token", "/api/oauth2/application/token").permitAll()
        .antMatchers("/api/internal**").hasAuthority("READ_ALL")
        .anyRequest().authenticated()
        .and()
        .addFilterBefore(apiAuthenticationFilter(null, null), UsernamePasswordAuthenticationFilter.class)
        .authenticationProvider(this.appProvider)
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .exceptionHandling()
        .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.FORBIDDEN))
        .and()
        .cors().disable()
        .formLogin().disable()
        .csrf().disable()
        .logout().disable();
}

I am trying to access http://localhost:8080/api/oauth2/token?client_id=...&other_query_params=param, but instead of reaching that page, as configured here:

.antMatchers("/oauth2/token", "/oauth2/application/token").permitAll()

it runs the filter chain, including the filter added here:

.addFilterBefore(apiAuthenticationFilter(null, null), UsernamePasswordAuthenticationFilter.class)

and it rejects my request because a token is missing, although it should be permitted.
My log says the following:

26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/api/oauth2/token'; against '/api/**'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /api/oauth2/token?client_id=123&client_secret=secret&code=code&grant_type=authorization_code at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /api/oauth2/token?client_id=123&client_secret=secret&code=code&grant_type=authorization_code at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /api/oauth2/token?client_id=123&client_secret=secret&code=code&grant_type=authorization_code at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /api/oauth2/token?client_id=123&client_secret=secret&code=code&grant_type=authorization_code at position 4 of 10 in additional filter chain; firing Filter: 'TokenAuthenticationFilter'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/api/oauth2/token'; against '/api/**'
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] d.t.o.a.a.TokenAuthenticationFilter      : Request is to process authentication
26-01-2021  INFO 17744 --- [nio-8080-exec-1] d.t.o.a.a.TokenAuthenticationFilter      : Invoked attempAuthentication
26-01-2021 DEBUG 17744 --- [nio-8080-exec-1] d.t.o.a.a.TokenAuthenticationFilter      : Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Invalid token submitted: null
hc2pp10m #1

OK, I have fixed the bug now; it was a logic error. I want to explain where the problem was.
Because I wanted to use OAuth2 authentication in my application, I added a filter called TokenAuthenticationFilter to read the Authorization header and authenticate with the credentials in that header. But my filter did not restrict the cases in which it is applied, so every request, including the "permitAll" requests, went through this filter and was rejected because there was no authentication. So I changed my code so that the filter is only applied when the "Authorization" header is set, and now everything works.
