我试图弄清楚如何通过https://spring.io/guides/topicals/spring-security-architecture/#_working_with_threads和How to allow a User only access their own data in Spring Boot / Spring Security?实现端点用户安全性。然而,当以这种方式使用@AuthenticationPrincipal、Authentication和Principal时。我错过了什么?我确信我设置了正确的secrets/Jwt,因为身份验证本身可以工作,我只是不能使用注解来提取我想要的信息
SecurityConfig.class
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class SecurityConfig {
private static final String[] AUTH_WHITELIST = {
// -- Swagger UI v2
"/v2/api-docs",
"/swagger-resources",
"/swagger-resources/**",
"/configuration/ui",
"/configuration/security",
"/swagger-ui.html",
"/webjars/**",
// -- Swagger UI v3 (OpenAPI)
"/v3/api-docs/**",
"/swagger-ui/**"
// other public endpoints of your API may be appended to this array
};
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeRequests()
// Our public endpoints
.antMatchers("/**/openapi.json").permitAll()
.antMatchers("/api/ims/auth/**").permitAll()
.antMatchers(AUTH_WHITELIST).permitAll()
.anyRequest().authenticated()
.and()
.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
return http.build();
}
// Used by JwtAuthenticationProvider to decode and validate JWT tokens
@Bean
public JwtDecoder jwtDecoder() {
SecretKey secretKey = new SecretKeySpec("INSERTSECRETHERE".getBytes(), "HMACSHA256");
return NimbusJwtDecoder.withSecretKey(secretKey).macAlgorithm(MacAlgorithm.HS256).build();
}
}字符串
ConnectionController.class
@Path("connection/v1")
@SecurityScheme(name = SWAGGER_AUTH_NAME, type = HTTP, scheme = SWAGGER_AUTH_SCHEME, in = HEADER)
@Tag(name = "Connection Controller", description = "Manage connection resources")
@RestController
public class ConnectionController {
private final ConnectionService connectionService;
@Inject
public ConnectionController(final ConnectionService connectionService)
{
this.connectionService = connectionService;
}
@GET
@Path("/user/{userId}")
@Produces(MediaType.APPLICATION_JSON)
@Operation(description = "Retrieve connections by userId")
//@PreAuthorize("authentication.principal.claims.userId.equals(#userId)")
public List<ConnectionDto> getConnectionsByUserId(@PathParam("userId") final String userId, @Parameter(hidden = true) @AuthenticationPrincipal Jwt authentication)
{
SecurityContext context = SecurityContextHolder.getContext();
Authentication authentication1 = context.getAuthentication();
Object jwt = context.getAuthentication().getPrincipal();
Assert.hasText(userId, "User id must be provided");
return this.connectionService.getConnectionsByUserId(userId);
}
}型
变量context、authentication和jwt都返回我所期望的,最后一个是Jwt对象,这正是我希望@AuthenticationPrincipal返回的。但是,@AuthenticationPrincipal、Authentication和Principal都从该方法返回null。
1条答案
按热度按时间yb3bgrhw1#
@AuthenticationPrincipal是一个注解,应该可以用于几乎任何Spring Security身份验证模式。使用this tutorial,我意识到问题在于我不是在@RequestMapping注解中,而是在@GET和@PATH注解中,因为我的原始项目是在一个非常旧的Spring版本中。一旦我将Controller调整为下面的代码,@AuthenticationPrincipal就可以正确地获得JWT。字符串