Sping Boot -在WebSession中找不到SecurityContext

4uqofj5v 于 2023-10-20 发布在 Spring

关注(0)|答案(1)|浏览(209)

目前我有一个Spring云网关服务和一些其他服务。网关拦截每个请求，检查是否存在授权，并根据允许/拒绝访问某个资源。
我一直得到401未经授权，因此在启用调试消息时，我发现以下内容

17-09-2023 13:41:43.189 [parallel-2] DEBUG o.s.w.s.s.DefaultWebSessionManager .org.springframework.web.server.session.DefaultWebSessionManager lambda$createWebSession$3 - Created new WebSession.
17-09-2023 13:41:43.190 [parallel-2] DEBUG o.s.s.w.s.c.WebSessionServerSecurityContextRepository .org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository lambda$load$1 - No SecurityContext found in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@1c19c273'
17-09-2023 13:41:43.196 [parallel-2] DEBUG o.s.s.w.s.u.m.OrServerWebExchangeMatcher .org.springframework.security.web.server.util.matcher.OrServerWebExchangeMatcher lambda$matches$0 - Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/logout', method=POST}
17-09-2023 13:41:43.197 [parallel-2] DEBUG o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher .org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher lambda$matches$1 - Request 'POST /auth/authenticate-contractor' doesn't match 'POST /logout'
17-09-2023 13:41:43.198 [parallel-2] DEBUG o.s.s.w.s.u.m.OrServerWebExchangeMatcher .org.springframework.security.web.server.util.matcher.OrServerWebExchangeMatcher lambda$matches$2 - No matches found
17-09-2023 13:41:43.202 [parallel-2] DEBUG o.s.s.w.s.a.DelegatingReactiveAuthorizationManager .org.springframework.security.web.server.authorization.DelegatingReactiveAuthorizationManager lambda$check$1 - Checking authorization on '/auth' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizationManager@2b6b1534
17-09-2023 13:41:43.205 [parallel-2] DEBUG o.s.s.w.s.c.WebSessionServerSecurityContextRepository .org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository lambda$load$1 - No SecurityContext found in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@1c19c273'
17-09-2023 13:41:43.207 [parallel-2] DEBUG o.s.s.w.s.a.AuthorizationWebFilter .org.springframework.security.web.server.authorization.AuthorizationWebFilter lambda$filter$3 - Authorization failed: Access Denied
17-09-2023 13:41:43.213 [parallel-2] DEBUG o.s.s.w.s.c.WebSessionServerSecurityContextRepository .org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository lambda$load$1 - No SecurityContext found in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@1c19c273'
17-09-2023 13:41:43.230 [parallel-2] DEBUG o.s.c.s.i.web.TraceWebFilter .org.springframework.cloud.sleuth.instrument.web.TraceWebFilter$MonoWebFilterTrace$WebFilterTraceSubscriber terminateSpan - Handled send of RealSpan(3c5c588d8857df88/3c5c588d8857df88)
17-09-2023 13:41:43.235 [parallel-2] DEBUG o.s.w.s.a.HttpWebHandlerAdapter .org.springframework.core.log.LogFormatUtils traceDebug - [787638e7-1] Completed 401 UNAUTHORIZED

我尝试使用SecurityContextHolder或ReactiveSecurityContextHolder设置身份验证对象，但到目前为止似乎都不起作用。
下面是设置： Spring Boot ：v2.7.14 pom.xml

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
</dependencies>

下面是我实现的自定义WebFilter

@Component
class AuthFilter(
    private val firebaseAuth: FirebaseAuth
): WebFilter {

    override fun filter(exchange: ServerWebExchange, chain: WebFilterChain): Mono<Void> {
        
            val authentication = UsernamePasswordAuthenticationToken(
                "ROLE_USER",
                null,
                listOf(SimpleGrantedAuthority("ROLE_USER"))
            )

            return ReactiveSecurityContextHolder.getContext()
                .map { it.authentication = authentication }
                .then(chain.filter(exchange))
    }
}

这是安全配置

@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
class SecurityConfig(
    private val firebaseAuth: FirebaseAuth
) {

    @Bean
    fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {

        return http
            .csrf().disable()
            .formLogin().disable()
            .httpBasic().disable()
            .authorizeExchange()
            .anyExchange().authenticated()
            .and()
            .addFilterAt(AuthFilter(firebaseAuth), SecurityWebFiltersOrder.AUTHENTICATION)
            .build()
    }
}

还缺少什么来修复未经授权的错误？

spring-security

来源：https://stackoverflow.com/questions/77121646/spring-boot-no-securitycontext-found-in-websession

1条答案

按热度按时间

mv1qrgav1#

我认为你的问题与：Disable WebSession creation when using spring-security with spring-webflux
你应该加上
.and().securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
在安全配置筛选器中
在提供的链接中对问题的所有描述。

赞(0）回复(0）举报 2023-10-20

我来回答

Sping Boot -在WebSession中找不到SecurityContext

1条答案

相关问题

热门标签

最新问答