spring-security 在JwtAuthenticationFilter之前执行一次请求过滤器

yshpjwxd  于 2022-11-11  发布在  Spring
关注(0)|答案(1)|浏览(271)

我有一个设置,我需要在其中进行租户感知的身份验证和授权。

  1. @Order(Ordered.LOWEST_PRECEDENCE - 100)
  2. public class TenantFilter extends OncePerRequestFilter {
  3.     private static final Logger logger = LoggerFactory.getLogger(TenantFilter.class);
  5.     private static final String TENANT_HEADER = "X-Tenant"; 
  6.     private static final String CONNECTION_STRING = "ObfuscatedConnectionString";
  7.     private static final String TENANT_REPLACEMENT = "TENANT";
  9.     @Override
  10.     protected void doFilterInternal (HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
  11.         String dbConnectionString = CONNECTION_STRING.replace(TENANT_REPLACEMENT, "");
  12.         ConnectionStorage.setConnection(dbConnectionString);
  13.         filterChain.doFilter(request, response);
  14.         ConnectionStorage.clear();
  15.     }
  16. }

虽然我知道有一些地方可以改进,但这只是一个占位符,以便能够测试该机制。2实际的实现将在后面进行。3当在不需要添加JWT的情况下进行测试时,它可以按预期工作,并且在给定正确的前提条件的情况下根据请求切换承租人。
但是,我不想在每个请求上都发送用户名+密码,而想在混合中添加一个JWT。

  1. public class JwtAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
  2.     private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationFilter.class);
  4.     private AuthenticationManager authenticationManager;
  6.     public JwtAuthenticationFilter (AuthenticationManager authenticationManager) {
  7.         this.authenticationManager = authenticationManager;
  8.     }
  10.     @Override
  11.     public Authentication attemptAuthentication (HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
  12.         logger.info("Attempting authentication");
  13.         try {
  14.             UserRequest creds = new ObjectMapper()
  15.                 .readValue(request.getInputStream(), UserRequest.class);
  17.             return authenticationManager.authenticate(
  18.                 new UsernamePasswordAuthenticationToken(
  19.                     creds.getUsername(),
  20.                     creds.getPassword(),
  21.                     new ArrayList<>())
  22.             );
  23.         } catch (IOException e) {
  24.             throw new RuntimeException(e);
  25.         }
  26.     }
  28.     @Override
  29.     protected void successfulAuthentication (HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication auth) throws IOException, ServletException {
  30.         logger.info("Authentication successful");
  31.         String token = JWT.create()
  32.             .withSubject(((User) auth.getPrincipal()).getUsername())
  33.             .withExpiresAt(new Date(System.currentTimeMillis() + (JWTConstants.ACCESS_TOKEN_VALIDITY_SECONDS * 1000)))
  34.             .sign(Algorithm.HMAC512(JWTConstants.SIGNING_KEY.getBytes()));
  35.         response.addHeader(JWTConstants.HEADER_STRING, JWTConstants.TOKEN_PREFIX + token);
  36.     }
  37. }

  1. public class JwtAuthorizationFilter extends BasicAuthenticationFilter {
  2.     private static final Logger logger = LoggerFactory.getLogger(JwtAuthorizationFilter.class);
  4.     public JwtAuthorizationFilter (AuthenticationManager authenticationManager) {
  5.         super(authenticationManager);
  6.     }
  8.     @Override
  9.     protected void doFilterInternal (HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
  10.         logger.info("Doing filter internal");
  11.         String header = request.getHeader(JWTConstants.HEADER_STRING);
  13.         if (header == null || !header.startsWith(JWTConstants.TOKEN_PREFIX)) {
  14.             chain.doFilter(request, response);
  15.             return;
  16.         }
  18.         UsernamePasswordAuthenticationToken authentication = getAuthentication(request);
  20.         SecurityContextHolder.getContext().setAuthentication(authentication);
  21.         chain.doFilter(request, response);
  22.     }
  24.     private UsernamePasswordAuthenticationToken getAuthentication (HttpServletRequest request) {
  25.         String token = request.getHeader(JWTConstants.HEADER_STRING);
  26.         if (token != null) {
  27.             // parse the token.
  28.             String user = JWT.require(Algorithm.HMAC512(JWTConstants.SIGNING_KEY.getBytes()))
  29.                 .build()
  30.                 .verify(token.replace(JWTConstants.TOKEN_PREFIX, ""))
  31.                 .getSubject();
  33.             if (user != null) {
  34.                 return new UsernamePasswordAuthenticationToken(user, null, new ArrayList<>());
  35.             }
  36.             return null;
  37.         }
  38.         return null;
  39.     }
  41. }

为我的请求提供身份验证。在/api/user/login中有一个用户名和密码,还有一个jwt标记用于其他所有内容。
然而,看起来好像首先执行安全过滤器,并且我的承租人过滤器对于设置要转到的正确DB的connectionstring相当重要。
版本:springframework。 Boot :2.6.2

spring-security

1条答案

按热度按时间
7d7tgy0s

7d7tgy0s1#

你可以看看这个答案:https://stackoverflow.com/a/59340951这将使您能够最大限度地控制过滤器的执行时间。
我想(但我可能错了)@Order(Ordered.HIGHEST_PRECEDENCE)也可能会起作用。虽然措辞有点奇怪,但Ordered.HIGHEST_PRECEDENCE会给你Integer.MIN_VALUE,较低的值会先执行。
顺便说一句,在编写您自己的JWT验证过滤器之前,还请查看Spring Security的OAuth 2.0功能(除非您有特定的情况):https://docs.spring.io/spring-security/reference/6.0.0-M1/servlet/oauth2/resource-server/jwt.html#oauth2resourceserver-jwt-minimalconfiguration

赞(0)分享  回复(0)举报  2022-11-11
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com