Spring Security H2访问被拒绝

taor4pac  于 2023-03-02  发布在  Spring
关注(0)|答案(1)|浏览(281)
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfiguration {

  private final JwtAuthenticationFilter jwtAuthFilter;
  private final AuthenticationProvider authenticationProvider;

  @Bean
  public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

    http
        .headers()
            .frameOptions().disable()
            .and()
        .csrf().disable()
        .authorizeHttpRequests()
            .requestMatchers("/h2/**").permitAll()
            .requestMatchers("/api/v1/auth/**").permitAll()
            .anyRequest().authenticated()
            .and()
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
        .authenticationProvider(authenticationProvider)
        .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);

    return http.build();
  }
}

我有一个config类,我在代码中放置了.requestMatchers("/h2/**").permitAll(),但是当我访问http://localhost:8080/h2时,我得到了:
对本地主机的访问被拒绝
JwtAuthenticationFilter:

public class JwtAuthenticationFilter extends OncePerRequestFilter {

    private final JwtService jwtService;
    private final UserDetailsService userDetailsService;

    @Override
    protected void doFilterInternal(
            @NonNull HttpServletRequest request,
            @NonNull HttpServletResponse response,
            @NonNull FilterChain filterChain
    ) throws ServletException, IOException {
        final String authHeader = request.getHeader("Authorization");
        final String jwt;
        final String userEmail;
        if (authHeader == null ||!authHeader.startsWith("Bearer ")) {
            filterChain.doFilter(request, response);
            return;
        }
        jwt = authHeader.substring(7);
        userEmail = jwtService.extractUsername(jwt);
        if (userEmail != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            UserDetails userDetails = this.userDetailsService.loadUserByUsername(userEmail);
            if (jwtService.isTokenValid(jwt, userDetails)) {
                UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(
                        userDetails,
                        null,
                        userDetails.getAuthorities()
                );
                authToken.setDetails(
                        new WebAuthenticationDetailsSource().buildDetails(request)
                );
                SecurityContextHolder.getContext().setAuthentication(authToken);
            }
        }
        filterChain.doFilter(request, response);
    }
}

doFilterInternal方法是过滤器的主要方法。它检查传入请求是否具有“Authorization”标头,其中JWT以“Bearer“开头,如果是,则使用JwtService从JWT提取用户电子邮件,并使用UserDetailsService加载用户详细信息。如果JWT有效且用户详细信息加载成功,在SecurityContextHolder中创建并设置一个认证对象。2然后通过filterChain.doFilter(request,response)调用继续过滤器链。

spring-security

1条答案

按热度按时间
1tuwyuhd

1tuwyuhd1#

.requestMatchers(new AntPathRequestMatcher("/h2/**")).permitAll()而不是:.requestMatchers("/h2/**").permitAll()

赞(0)分享  回复(0)举报  2023-03-02
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com