我目前正在开发一个Sping Boot 后端应用程序,它支持Spring Security的JWT身份验证。
我的问题是在实现所需的类以获得JWT身份验证之后开始的,但问题就从那里开始了。
下面是我添加的类,第一个代码片段是关于配置类的:
@Configuration@EnableWebSecurity@EnableGlobalMethodSecurity(prePostEnabled = true)public class WebSecurityConfig {@Autowiredprivate UserDetailsServiceImpl userDetailsService;@Autowiredprivate AuthEntryPointJWT authEntryPointJWT;@Beanpublic AuthTokenFilter authentificationJwtTokenFilter(){return new AuthTokenFilter();}@Beanpublic DaoAuthenticationProvider authenticationProvider() {DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();authProvider.setUserDetailsService(userDetailsService);authProvider.setPasswordEncoder(passwordEncoder());return authProvider;}@Beanpublic AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception {return authConfig.getAuthenticationManager();}@Beanpublic PasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();}@Beanpublic SecurityFilterChain filterChain(HttpSecurity http) throws Exception {http.cors().and().csrf().disable().exceptionHandling().authenticationEntryPoint(authEntryPointJWT).and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests().antMatchers("/api/auth/**").permitAll().antMatchers("/test/**").permitAll().anyRequest().authenticated();http.authenticationProvider((authenticationProvider()));http.addFilterBefore(authentificationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);return http.build();}}
字符串
第二是过滤器的实现:
public class AuthTokenFilter extends OncePerRequestFilter {@Autowiredprivate JwtUtils jwtUtils;@Autowiredprivate UserDetailsServiceImpl userDetailsService;@Overrideprotected void doFilterInternal(HttpServletRequest request,HttpServletResponse response,FilterChain filterChain) throws ServletException, IOException {try{String jwt = parseJwt(request);if (jwt != null && jwtUtils.validateJwtToken(jwt)){String username = jwtUtils.getUserNameFromJwtToken(jwt);UserDetails userDetails = userDetailsService.loadUserByUsername(username);UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));SecurityContextHolder.getContext().setAuthentication(authenticationToken);}} catch (Exception e) {logger.error("Cannot set user authentification : {}", e);}}private String parseJwt(HttpServletRequest request) {String headerAuth = request.getHeader("Authorization");if (StringUtils.hasText(headerAuth) && headerAuth.startsWith("Bearer ")) {return headerAuth.substring(7, headerAuth.length());}return null;}}
型
下面是jwthelper类:
@Componentpublic class JwtUtils {private static final Logger logger = LoggerFactory.getLogger(JwtUtils.class);private final String jwtSecret="change_me";private int jwtExpirationMs=3600;public String generateJwtToken(Authentication authentication) {UserDetailsImpl userPrincipal = (UserDetailsImpl) authentication.getPrincipal();return Jwts.builder().setSubject((userPrincipal.getUsername())).setIssuedAt(new Date()).setExpiration(new Date((new Date()).getTime() + jwtExpirationMs)).signWith(SignatureAlgorithm.HS512, jwtSecret).compact();}public String getUserNameFromJwtToken(String token) {return Jwts.parser().setSigningKey(jwtSecret).parseClaimsJws(token).getBody().getSubject();}public boolean validateJwtToken(String authToken) {try {Jwts.parser().setSigningKey(jwtSecret).parseClaimsJws(authToken);return true;} catch (SignatureException e) {logger.error("Invalid JWT signature: {}", e.getMessage());} catch (MalformedJwtException e) {logger.error("Invalid JWT token: {}", e.getMessage());} catch (ExpiredJwtException e) {logger.error("JWT token is expired: {}", e.getMessage());} catch (UnsupportedJwtException e) {logger.error("JWT token is unsupported: {}", e.getMessage());} catch (IllegalArgumentException e) {logger.error("JWT claims string is empty: {}", e.getMessage());}return false;}}
型
下面是用于身份验证的控制器方法:
@PostMapping("/login")public JwtResponse authenticateUser(@Valid @RequestBody LoginRequest loginRequest) {Authentication authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(loginRequest.getUsername(), loginRequest.getUsername()));SecurityContextHolder.getContext().setAuthentication(authentication);String jwt = jwtUtils.generateJwtToken(authentication);UserDetailsImpl userDetails = (UserDetailsImpl) authentication.getPrincipal();List<String> roles = userDetails.getAuthorities().stream().map(item -> item.getAuthority()).collect(Collectors.toList());System.out.println(jwt);JwtResponse returnStatement = new JwtResponse(jwt, userDetails.getUsername(), roles);return returnStatement;}
型
现在我很确定问题出在请求过滤过程中的某个地方,我只是看不出具体在哪里。请帮助:)
1条答案
按热度按时间mbzjlibv1#
在
AuthTokenFilter的实现中,在方法doFilterInternal中,您没有调用filterChain.doFilter(request, response);此方法必须始终在筛选器中调用,否则应用程序将无法继续其筛选器链并返回默认响应,在您的情况下为200。