Spring Security中未触发JWT身份验证筛选器

mfuanj7w  于 2023-08-02  发布在  Spring
关注(0)|答案(2)|浏览(127)

我已经为我的SpringRest后端创建了一个JWT身份验证过滤器。创建一个JWT似乎不是一个问题,但是在我目前的设置中,任何请求都是经过身份验证的,没有请求触发401,尽管客户端没有在头部传递任何令牌。
我的WebSecurityConfig:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true,
    jsr250Enabled = true, prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

private JwtAuthenticationEntryPoint unauthorizedHandler;

private CustomUserDetailsService customUserDetailsService;

@Autowired
public WebSecurityConfig(final JwtAuthenticationEntryPoint unauthorizedHandler,
                         final CustomUserDetailsService customUserDetailsService) {
    this.unauthorizedHandler = unauthorizedHandler;
    this.customUserDetailsService = customUserDetailsService;
}

@Bean
public JwtAuthenticationFilter jwtAuthenticationFilter() {
    return new JwtAuthenticationFilter();
}

@Bean
public JwtAuthenticationSuccessHandler jwtAuthenticationSuccessHandler() {
    return new JwtAuthenticationSuccessHandler();
}

@Override
public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
    authenticationManagerBuilder
            .userDetailsService(customUserDetailsService)
            .passwordEncoder(passwordEncoder());
}

@Bean(BeanIds.AUTHENTICATION_MANAGER)
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

/**
 * {@inheritDoc}
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {

    http
            .csrf()
            .disable()
            .cors()
            .and()
            .exceptionHandling()
            .authenticationEntryPoint(unauthorizedHandler)
            .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .antMatcher("/api")
            .authorizeRequests()
            .anyRequest()
            .authenticated()

            .and()
            .addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}

/**
 * Sets security evaluation context.
 *
 * @return {@link SecurityEvaluationContextExtension}
 */
@Bean
public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
    return new SecurityEvaluationContextExtension();
}
}

字符串
我已经设置了这样的设置,所有的请求都需要授权。我的JwtAuthenticationEntryPoint与预期一致:一个通用的401错误被抛出。
我的JwtAuthenticationFilter:

@Component
public class JwtAuthenticationFilter extends OncePerRequestFilter {

@Autowired
private JwtTokenProvider tokenProvider;

@Autowired
private CustomUserDetailsService customUserDetailsService;

private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationFilter.class);

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain
        filterChain) throws ServletException, IOException {

    logger.debug("Filtering request for JWT header verification");

    try {
        String jwt = getJwtFromRequest(request);

        if (StringUtils.hasText(jwt) && tokenProvider.validateToken(jwt)) {
            String username = tokenProvider.getUserIdFromJWT(jwt);

            UserDetails userDetails = customUserDetailsService.loadUserByUsername(username);
            UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken
                    (userDetails, null, userDetails.getAuthorities());
            authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));

            SecurityContextHolder.getContext().setAuthentication(authentication);
        }
    } catch (Exception ex) {
        logger.error("Could not set user authentication in security context", ex);
    }

    filterChain.doFilter(request, response);
}

private String getJwtFromRequest(HttpServletRequest request) {

    logger.debug("Attempting to get token from request header");

    String bearerToken = request.getHeader("Authorization");
    if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")) {
        return bearerToken.substring(7, bearerToken.length());
    }
    return null;
}
 }

ncgqoxb0

ncgqoxb01#

找到问题了。
我不得不在web.xml文件中包含一个对过滤器的引用,这不是使用组件扫描器自动拾取的。
比如:

<filter>
    <filter-name>jwtFilter</filter-name>
    <filter-class>com.path.to.JwtFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>jwtFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

字符串

vc9ivgsu

vc9ivgsu2#

出现此问题的原因是在tomcatconf路径中的web.xml文件中添加了一些additional filters。删除该过滤器后,将进行身份验证。
如果找不到其他过滤器,最好使用新的tomcat或将web.xml文件替换为default值。

相关问题