I started a new Spring 3.0.2 project and am trying to build a register/login REST API; I'm a beginner. I managed to get that working, but once my user is authenticated I have a third controller that is supposed to display information, and I always get a 403 response for it. I'm using a JWT token library to handle the requests. Here is some of my project's code.
My configuration filters requests so that only 2 endpoints are freely accessible; I want everything else locked down to authenticated users only.
import jakarta.servlet.Filter;
import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfig {
    private final Filter tokenAuthentificationFilter;
    private final AuthenticationProvider authentificationProvider;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            // .csrf() with no further configuration leaves CSRF protection enabled: CsrfFilter runs
            // before the JWT filter and rejects any non-GET request without a CSRF token with 403,
            // permitAll endpoints included.
            .csrf()
            .and()
            .authorizeHttpRequests()
            .requestMatchers("/api/v1/auth/**", "/api/v1/test-controller")
            .permitAll()
            .anyRequest()
            // No AuthenticationEntryPoint is configured, so an unauthenticated request to a
            // protected URL also gets 403 (not 401); 403 alone does not say which case you hit.
            .authenticated()
            .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authenticationProvider(authentificationProvider)
            .addFilterBefore(tokenAuthentificationFilter, UsernamePasswordAuthenticationFilter.class);
        return httpSecurity.build();
    }
}
When not logged in, /api/v1/auth and /test-controller work fine, but once logged in I have a "protected" endpoint, /protected, that returns 403. Below is my tokenAuthenticationFilter class.
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.RequiredArgsConstructor;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
@RequiredArgsConstructor
public class TokenAuthentificationFilter extends OncePerRequestFilter {
    private final JwtService jwtService;               // the project's own JWT helper (not shown in the post)
    private final UserDetailsService userDetailsService;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        String authorizationHeader = request.getHeader("Authorization");
        // substring(7) assumes the 7-character prefix "Bearer " (with the space), so the prefix
        // check must include the space too; a bare "Bearer" check would mis-slice the token or
        // throw on a header that carries no token at all.
        if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
            // No bearer token: leave the SecurityContext empty and let the authorization filter decide.
            filterChain.doFilter(request, response);
            return;
        }
        String authToken = authorizationHeader.substring(7);
        String userEmail = jwtService.extractEmail(authToken); // email (subject) claim of the JWT
        if (userEmail != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            UserDetails userDetails = this.userDetailsService.loadUserByUsername(userEmail);
            if (jwtService.isTokenValid(authToken, userDetails)) {
                // credentials are null because the JWT has already been verified; the
                // three-argument constructor marks the token as authenticated.
                UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(
                        userDetails,
                        null,
                        userDetails.getAuthorities()
                );
                authenticationToken.setDetails(
                        new WebAuthenticationDetailsSource().buildDetails(request)
                );
                SecurityContextHolder.getContext().setAuthentication(authenticationToken);
            }
        }
        filterChain.doFilter(request, response);
    }
}
There are no error logs in my console.
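For comparison, here is the same filter chain written the way a stateless bearer-token API is normally configured in Spring Security 6 (which Spring Boot 3.0.x ships), using the lambda DSL. This is an added example, not the asker's code. It assumes the class names SecurityConfig and TokenAuthentificationFilter and that the API keeps no browser session, which is what makes disabling CSRF appropriate; whether CSRF is what the asker is hitting cannot be told from the post, since the HTTP method of /protected is not given. Two things it changes that matter for diagnosing a 403: CSRF is switched off, so a non-GET request can no longer be rejected before the JWT filter even runs, and an explicit 401 entry point is set, so "no or invalid token" and "authenticated but not allowed" stop sharing the same status code.

```java
// Added example (not from the original post). Assumed names: SecurityConfig,
// TokenAuthentificationFilter; assumed Spring Security 6.0 (Spring Boot 3.0.x).
import lombok.RequiredArgsConstructor;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfig {

    private final TokenAuthentificationFilter tokenAuthentificationFilter;
    private final AuthenticationProvider authentificationProvider;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Stateless bearer-token API: there is no session cookie for a CSRF attack to ride
            // on, and leaving CSRF enabled would 403 every non-GET request that lacks a CSRF
            // token, permitAll endpoints included.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/v1/auth/**", "/api/v1/test-controller").permitAll()
                .anyRequest().authenticated())
            // With no entry point configured, Spring Security answers an unauthenticated request
            // to a protected URL with 403 (Http403ForbiddenEntryPoint), indistinguishable from a
            // real authorization failure. Answer 401 instead so the two cases can be told apart.
            .exceptionHandling(ex -> ex.authenticationEntryPoint(
                new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            .authenticationProvider(authentificationProvider)
            .addFilterBefore(tokenAuthentificationFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

    // A Filter that is also a @Component gets registered with the servlet container by Spring
    // Boot, so it would run twice per request: once from the container and once inside the
    // security chain. Disabling the container registration keeps it in the chain only.
    @Bean
    public FilterRegistrationBean<TokenAuthentificationFilter> tokenFilterRegistration(
            TokenAuthentificationFilter filter) {
        FilterRegistrationBean<TokenAuthentificationFilter> registration = new FilterRegistrationBean<>(filter);
        registration.setEnabled(false);
        return registration;
    }
}
```

With this in place, a request to /protected that carries no usable token returns 401, and a 403 means the request was authenticated but failed an authorization rule (for example a hasRole check against the authorities the filter granted).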
1 Answer
The code looks fine to me, but that may not be what is causing the problem. Try putting some print statements in the code and look at the request's flow from the filter to the endpoint. Then try hitting the ***protected endpoint***; that should tell you where the request is being blocked. Then work from there. That's how I solve most Spring Security problems.
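The tracing the answer recommends is easier to read if every exit from the filter logs its reason, and if the protected endpoint echoes what actually reached it. The following is an added example, not the answerer's or the asker's code. It assumes the asker's JwtService with extractEmail(String) and isTokenValid(String, UserDetails), a UserDetailsService bean, SLF4J (already on the Spring Boot classpath), and the path /api/v1/protected for the protected endpoint; all of those names are assumptions except the two JwtService methods, which the posted filter calls.

```java
// Added example (not from the original post or answer). Assumed: the asker's JwtService,
// a UserDetailsService bean, SLF4J logging, and the endpoint path /api/v1/protected.
import java.io.IOException;
import java.util.Map;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.RequiredArgsConstructor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
@RequiredArgsConstructor
public class TokenAuthentificationFilter extends OncePerRequestFilter {

    private static final Logger log = LoggerFactory.getLogger(TokenAuthentificationFilter.class);
    private static final String BEARER = "Bearer ";

    private final JwtService jwtService;
    private final UserDetailsService userDetailsService;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        // Every early exit logs its reason; the token value itself is never logged.
        if (header == null) {
            log.debug("{} {}: no Authorization header", request.getMethod(), request.getRequestURI());
        } else if (!header.startsWith(BEARER)) {
            log.debug("{} {}: Authorization header is not a Bearer token", request.getMethod(), request.getRequestURI());
        } else {
            authenticate(header.substring(BEARER.length()), request);
        }
        chain.doFilter(request, response);
    }

    private void authenticate(String token, HttpServletRequest request) {
        String email;
        try {
            email = jwtService.extractEmail(token);
        } catch (RuntimeException e) {
            // Expired, malformed or wrongly signed tokens usually throw from the JWT library.
            log.debug("JWT rejected: {}", e.getMessage());
            return;
        }
        if (email == null) {
            log.debug("JWT carries no email claim");
            return;
        }
        if (SecurityContextHolder.getContext().getAuthentication() != null) {
            log.debug("SecurityContext already populated, skipping");
            return;
        }
        UserDetails user;
        try {
            user = userDetailsService.loadUserByUsername(email);
        } catch (UsernameNotFoundException e) {
            log.debug("JWT subject {} has no matching user", email);
            return;
        }
        if (!jwtService.isTokenValid(token, user)) {
            log.debug("JWT for {} failed validation", email);
            return;
        }
        UsernamePasswordAuthenticationToken auth =
                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
        auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
        SecurityContextHolder.getContext().setAuthentication(auth);
        // The granted authorities are what a hasRole()/hasAuthority() rule checks, so a valid
        // token that still gets 403 is usually explained by this line.
        log.debug("Authenticated {} with authorities {}", email, user.getAuthorities());
    }
}

@RestController
class ProtectedController {
    // If this handler runs, authentication succeeded; any remaining 403 comes from an
    // authorization rule, not from the filter.
    @GetMapping("/api/v1/protected")
    Map<String, Object> whoAmI(Authentication authentication) {
        return Map.of("name", authentication.getName(),
                      "authorities", authentication.getAuthorities().toString());
    }
}
```

Set logging.level for the filter's package to DEBUG in application.properties to see these lines; adding logging.level.org.springframework.security=DEBUG, or @EnableWebSecurity(debug = true) on the configuration class, additionally prints which filter in the chain produced the 403.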