我正在使用Spring Security开发一个Sping Boot 应用程序来处理身份验证和授权,使用JWT进行令牌生成和无状态会话管理。尽管我的配置,我总是收到HTTP 403 Forbidden错误,我的所有端点,包括那些我专门配置为无需身份验证即可访问的端点。我试过不同的方法,但似乎都不起作用。
下面是我的设置中涉及的主要代码:
SecurityConfig:
package com.khanfar.project2.Security.config;
import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfig {
private final JwtAuthFilter JwtAuthFilter ;
private final AuthenticationProvider authenticationProvider;
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf().disable()
.cors().and()
.authorizeHttpRequests()
.requestMatchers("/api/v1/**").permitAll()
.anyRequest().authenticated()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.addFilterBefore(JwtAuthFilter, UsernamePasswordAuthenticationFilter.class)
.authenticationProvider(authenticationProvider);
return http.build();
}
}字符串
JwtAuthFilter:
package com.khanfar.project2.Security.config;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.RequiredArgsConstructor;
import org.springframework.lang.NonNull;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import java.io.IOException;
import static org.springframework.http.HttpHeaders.AUTHORIZATION;
@Component
@RequiredArgsConstructor
public class JwtAuthFilter extends OncePerRequestFilter {
private final JwtService jwtService ;
private final UserDetailsService userDetailsService ;
@Override
protected void doFilterInternal(@NonNull HttpServletRequest request, @NonNull HttpServletResponse response, @NonNull FilterChain filterChain) throws ServletException, IOException {
final String userEmail ;
final String authHeader = request.getHeader(AUTHORIZATION) ;
final String Token ;
if (authHeader==null || !authHeader.startsWith("Bearer ")){
filterChain.doFilter(request , response);
return;
}
Token = authHeader.substring(7);
userEmail = jwtService.extractUsername (Token) ;
if (userEmail != null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = this.userDetailsService.loadUserByUsername(userEmail);
if (jwtService.isTokenValid(Token , userDetails)) {
UsernamePasswordAuthenticationToken authToken =
new UsernamePasswordAuthenticationToken(userDetails , null , userDetails.getAuthorities() ) ;
authToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(authToken);
}
}
filterChain.doFilter(request , response);
}
}型
JwtService:
package com.khanfar.project2.Security.config;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;
import java.security.Key;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;
@Service
public class JwtService {
private static final String SECRET_KEY = "TAREQ KHANFAR";
public String extractUsername(String token) {
return extractClaim(token , Claims::getSubject);
}
private Claims extractAllClaims(String token) {
return Jwts.parserBuilder()
.setSigningKey(getSignInKey())
.build()
.parseClaimsJwt(token)
.getBody();
}
public String generateToken(UserDetails userDetails) {
return generateToken(new HashMap<>() , userDetails) ;
}
public String generateToken (Map<String , Object> map , UserDetails userDetails ) {
return Jwts.builder().setClaims(map)
.setSubject(userDetails.getUsername() )
.setIssuedAt(new Date(System.currentTimeMillis()))
.setExpiration(new Date(System.currentTimeMillis()+1000 * 60 * 24 ))
.signWith(getSignInKey() , SignatureAlgorithm.HS256)
.compact();
}
public boolean isTokenValid(String token , UserDetails userDetails ) {
final String username = extractUsername(token) ;
return username.equals(userDetails.getUsername()) && !isTokenExpired(token) ;
}
private boolean isTokenExpired(String token) {
return extractExpiration(token).before(new Date());
}
private Date extractExpiration(String token) {
return extractClaim(token , Claims::getExpiration);
}
public <T> T extractClaim(String token , Function<Claims , T > claimsTFunction) {
final Claims claims = extractAllClaims(token) ;
return claimsTFunction.apply(claims) ;
}
private Key getSignInKey() {
byte[] keyBytes = Decoders.BASE64.decode(SECRET_KEY);
return Keys.hmacShaKeyFor(keyBytes);
}
}型
应用配置:
package com.khanfar.project2.Security.config;
import com.khanfar.project2.Exception.NotFoundException;
import com.khanfar.project2.Security.user.UserRepository;
import lombok.RequiredArgsConstructor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@RequiredArgsConstructor
@Configuration
public class ApplicationConfig {
private final UserRepository userRepository ;
@Bean
public UserDetailsService userDetailsService() {
return username -> userRepository.findByEmail(username)
.orElseThrow(()->new UsernameNotFoundException("User not found ."));
}
@Bean
public AuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
authenticationProvider.setUserDetailsService(userDetailsService());
authenticationProvider.setPasswordEncoder(passwordEncoder());
return authenticationProvider;
}
@Bean
public AuthenticationManager authenticationManager (AuthenticationConfiguration configuration) throws Exception {
return configuration.getAuthenticationManager();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}型
身份验证服务:
package com.khanfar.project2.Security.auth;
import com.khanfar.project2.Entity.Role;
import com.khanfar.project2.Security.config.JwtService;
import com.khanfar.project2.Security.user.User;
import com.khanfar.project2.Security.user.UserRepository;
import lombok.RequiredArgsConstructor;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
@Service
@RequiredArgsConstructor
public class AuthenticationService {
private final UserRepository userRepository ;
private final PasswordEncoder passwordEncoder ;
private final JwtService jwtService ;
private final AuthenticationManager authenticationManager ;
public AuthenticationResponse register(RegisterRequest registerRequest) {
var user = User.builder()
.name(registerRequest.getName())
.email(registerRequest.getEmail())
.password(passwordEncoder.encode(registerRequest.getPassword()))
.role(Role.USER)
.build();
userRepository.save(user);
var token = jwtService.generateToken(user);
return new AuthenticationResponse().builder().
Token(token)
.build();
}
public AuthenticationResponse authenticateRequest(AuthenticationRequest request) {
authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(request.getEmail() ,request.getPassword())
);
var user = userRepository.findByEmail(request.getEmail()).orElseThrow();
var token = jwtService.generateToken(user);
return new AuthenticationResponse().builder().
Token(token)
.build();
}
}型
AuthenticationController:
package com.khanfar.project2.Security.auth;
import lombok.RequiredArgsConstructor;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
@RequestMapping("/api/v1/auth")
@RequiredArgsConstructor
public class AuthenticationController {
private final AuthenticationService authenticationService;
@PostMapping("/register")
public ResponseEntity<AuthenticationResponse> register(@RequestBody RegisterRequest registerRequest) {
System.out.println(registerRequest.getEmail());
return ResponseEntity.ok(authenticationService.register(registerRequest));
}
@PostMapping("/authenticate")
public ResponseEntity<AuthenticationResponse> authenticateRequest(@RequestBody AuthenticationRequest Request) {
return ResponseEntity.ok(authenticationService.authenticateRequest(Request));
}
}型
在SecurityConfig中,我禁用了CSRF,并将会话管理策略设置为SessionCreationPolicy. STATELESS。我还定义了以“/API/v1/auth/**”开头的路由,无需身份验证即可访问。
当我向端点发出请求时,我会收到HTTP 403 Forbidden错误。我的调试日志显示以下内容:
2023-07-01T22:15:52.695+03:00 DEBUG 26652 --- [nio-8081-exec-1] o.s.security.web.FilterChainProxy : Securing GET /api/v1/demo
2023-07-01T22:15:52.695+03:00 DEBUG 26652 --- [nio-8081-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2023-07-01T22:15:52.695+03:00 DEBUG 26652 --- [nio-8081-exec-1] o.s.s.w.session.SessionManagementFilter : Request requested invalid session id FFD79F7D00BB82527193D66022479C54
2023-07-01T22:15:52.697+03:00 DEBUG 26652 --- [nio-8081-exec-1] o.s.s.w.a.Http403ForbiddenEntryPoint : Pre-authenticated entry point called. Rejecting access
2023-07-01T22:15:52.698+03:00 DEBUG 26652 --- [nio-8081-exec-1] o.s.security.web.FilterChainProxy : Securing GET /error
2023-07-01T22:15:52.701+03:00 DEBUG 26652 --- [nio-8081-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2023-07-01T22:15:52.702+03:00 DEBUG 26652 --- [nio-8081-exec-1] o.s.s.w.a.Http403ForbiddenEntryPoint : Pre-authenticated entry point called. Rejecting access型
这表明,尽管我的应用程序设置为无状态,但它仍然在尝试使用会话。
谁能帮我确定这里可能出了什么问题,以及如何在我的应用程序中正确配置无状态的、基于JWT的身份验证?
1条答案
按热度按时间6tqwzwtp1#
我通过清除浏览器中的所有cookie并重新启动应用程序来解决这个问题。似乎是旧的会话cookie干扰了请求。对于任何面临类似问题的人,请记住在应用程序中从有状态会话管理切换到无状态会话管理时清除浏览器Cookie。在测试API时,可以考虑使用Postman或curl等工具来更好地控制请求头。