我有下一个Spring Security配置:
@Configuration@EnableWebSecurity@EnableMethodSecurity@RequiredArgsConstructorpublic class SecurityConfig {private final JwtAuthenticationFilter jwtAuthFilter;private final JwtAuthenticationEntryPoint jwtFilterAuthenticationEntryPoint;private final AuthzAccessDeniedHandler authzAccessDeniedHandler;@Beanpublic SecurityFilterChain filterChain(HttpSecurity http) throws Exception {http.authorizeHttpRequests(authorize -> authorize.requestMatchers(USER_PATH + USER_ID_PATH_VAR).authenticated().requestMatchers(HttpMethod.POST, EVENT_PATH).hasRole("ORGANIZER").requestMatchers(HttpMethod.GET, TICKET_PATH).authenticated().requestMatchers(AUTH_PATH + "/logout/{userUuid}").authenticated().anyRequest().permitAll()).sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)).addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class).cors(Customizer.withDefaults()).exceptionHandling(handler -> handler.authenticationEntryPoint(jwtFilterAuthenticationEntryPoint).accessDeniedHandler(authzAccessDeniedHandler)).csrf(AbstractHttpConfigurer::disable).httpBasic(AbstractHttpConfigurer::disable).formLogin(AbstractHttpConfigurer::disable).logout(AbstractHttpConfigurer::disable);return http.build();}//other omited code...
字符串
以下是JWT filter代码:
@Component@RequiredArgsConstructorpublic class JwtAuthenticationFilter extends OncePerRequestFilter {private final String AUTHZ_HEADER_PREFIX = "Bearer ";private final JwtService jwtService;@Overrideprotected void doFilterInternal(@NonNull HttpServletRequest request,@NonNull HttpServletResponse response,@NonNull FilterChain filterChain) throws ServletException, IOException {String authzHeader = request.getHeader("Authorization");if (authzHeader == null || !authzHeader.startsWith(AUTHZ_HEADER_PREFIX)) {filterChain.doFilter(request, response);return;}AccessToken accessToken = jwtService.parseAccessToken(authzHeader.substring(AUTHZ_HEADER_PREFIX.length()));authenticateIfCurrentlyNot(accessToken, request);filterChain.doFilter(request, response);}private void authenticateIfCurrentlyNot(AccessToken accessToken, HttpServletRequest request) {if (SecurityContextHolder.getContext().getAuthentication() == null) {UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(accessToken.claims().sub(),null,List.of(convertRoleToSimpleGrantedAuthority(accessToken.claims().role())));token.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));SecurityContextHolder.getContext().setAuthentication(token);}}private SimpleGrantedAuthority convertRoleToSimpleGrantedAuthority(UserRole role) {return new SimpleGrantedAuthority("ROLE_" + role.name());}}
型
如果由于各种原因,给定的编码JWT无效,则方法parseToken()抛出自定义InvalidTokenException。我想处理此异常,正如您在上面的配置中看到的那样,我已经添加了名为jwtFilterAuthenticationEntryPoint的自定义AuthenticationEntryPoint。现在这里是InvalidTokenException和JwtFilterAuthenticationEntryPoint的代码:
public class InvalidTokenException extends AuthenticationException {public InvalidTokenException(String message) {super(message);}public static String errorCode() {return "invalid.token";}}@Component@Slf4jpublic class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {@Autowired@Qualifier("handlerExceptionResolver")private HandlerExceptionResolver resolver;@Overridepublic void commence(HttpServletRequest request,HttpServletResponse response,AuthenticationException authException) {log.error(authException.getMessage(), authException);resolver.resolveException(request, response, null, authException);}}
型
正如你所看到的ExceptionTranslationFilter捕捉我的异常,我已经从AuthenticationException扩展了它,所以在官方文档中写的(ExceptionTranslationFilter伪代码),它将能够处理它。但是当我尝试测试JwtAuthenticationEntryPoint的commence()方法的异常处理代码时,没有执行,因为没有提供日志:
所以我期待着任何帮助解决这个问题)
2条答案
按热度按时间5uzkadbs1#
在您的情况下,由于
SecurityFilterChain中的语句addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class),在调用ExceptionTranslationFilter之前抛出异常。因此,没有调用ExceptionTranslationFilter。为了解释为什么
JwtAuthenticationEntryPoint没有被触发,当AuthenticationException发生时,注册的AuthenticationEntryPoint的commence方法通常由ExceptionTranslationFilter调用。需要注意的是,过滤器可能有自己的
AuthenticationEntryPoint。例如,在httpBasic的情况下,身份验证由BasicAuthenticationFilter处理,任何问题都会导致调用BasicAuthenticationEntryPoint。我可以看到3个选项来处理
JwtAuthenticationFilter中的错误:选项一:
在
SecurityFilterChain中的AuthorizationFilter之前或ExceptionTranslationFilter之后执行JwtAuthenticationFilter。例如:
字符串
选项二:
包括在
JwtAuthenticationFilter中捕获AuthenticationException并调用JwtAuthenticationEntryPoint的commence方法。为了说明这一点,让我们看看Spring
BasicAuthenticationFilter如何管理AuthenticationException。BasicAuthenticationEntryPoint的commence方法如下所示:型
在检查
BasicAuthenticationEntryPoint的源代码时,很明显它试图处理AuthenticationException并随后调用authenticationEntryPoint.commence(request, response, ex)。应用类似的方法,可以对
JwtAuthenticationEntryPoint和JwtAuthenticationFilter进行以下调整:型
更新
SecurityFilterChain配置如下:型
需要注意的是,不需要显式注册
JwtAuthenticationEntryPoint。选项三:
另一种方法是直接在
JwtAuthenticationFilter中处理AuthenticationException并发送错误响应。这消除了对JwtAuthenticationEntryPoint的需要。下面是修改后的JwtAuthenticationFilter:型
更新
SecurityFilterChain配置:型
选择最适合您的要求并与您的身份验证流程无缝集成的选项。
6uxekuva2#
问题出在过滤器的顺序上。我的自定义过滤器在ExceptionTranslationFilter之前,所以当抛出异常时,ExceptionTranslationFilter无法到达。
这行代码修复了它:
字符串