403用于所有使用Spring Security的受保护路由

bkhjykvo  于 2023-02-19  发布在  Spring
关注(0)|答案(1)|浏览(169)

我开始了一个新的spring 3.0.2项目,我尝试创建一个register/login rest API,现在我是一个初学者。我设法让这个工作,但当我的用户被验证后,我有一个第三个控制器,将显示信息。然而,我总是得到403响应。我正在使用JWT令牌库来管理请求,这里是我项目的一些代码。
我的配置过滤请求,因为你可以只有2个端点是免费访问,我希望所有其余的被锁定到认证用户只。

private final Filter tokenAuthentificationFilter;
    private final AuthenticationProvider authentificationProvider;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .csrf()
                .and()
                .authorizeHttpRequests()
                .requestMatchers("/api/v1/auth/**", "/api/v1/test-controller")
                .permitAll()
                .anyRequest()
                .authenticated()
                .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authenticationProvider(authentificationProvider)
                .addFilterBefore(tokenAuthentificationFilter, UsernamePasswordAuthenticationFilter.class);

        return httpSecurity.build();
    }

如果未连接,则/API/v1/auth和/test-controller正常工作,但连接后,我有一个“受保护”端点/protected,它将返回403(下面是我的tokenAuthenticationFilter类

@Component
@RequiredArgsConstructor
public class TokenAuthentificationFilter extends OncePerRequestFilter {

    private final JwtService jwtService;

    private final UserDetailsService userDetailsService;

    @Override
    protected void doFilterInternal( HttpServletRequest request, HttpServletResponse response, FilterChain filterChain
    ) throws ServletException, IOException {
        String authorizationHeader = request.getHeader("Authorization");
        String authToken;
        String userEmail;
        if(authorizationHeader == null || !authorizationHeader.startsWith("Bearer")){
            filterChain.doFilter(request, response);
            return;
        }
        authToken = authorizationHeader.substring(7);
        userEmail = jwtService.extractEmail(authToken);// TODO extract userEmail from JWT Token;
        if(userEmail != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            UserDetails userDetails = this.userDetailsService.loadUserByUsername(userEmail);
            if(jwtService.isTokenValid(authToken, userDetails)) {
                UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(
                        userDetails,
                        null,
                        userDetails.getAuthorities()
                );
                authenticationToken.setDetails(
                        new WebAuthenticationDetailsSource().buildDetails(request)
                );
                SecurityContextHolder.getContext().setAuthentication(authenticationToken);
            }
        }
        filterChain.doFilter(request, response);
    }
}

我的控制台中没有日志错误

9o685dep

9o685dep1#

代码对我来说似乎很好,但这可能不是导致问题的原因,请尝试在代码中放入一些print语句。查看从过滤器到端点的请求流。然后尝试点击***受保护的端点***,它应该会给予您知道请求在哪里被阻止。然后尝试从那里开始工作,这就是我解决大多数Spring安全问题的方法。

相关问题