我正在使用 Spring Boot 框架 实现REST API。我有一项公共(public)服务 /auth/login
@PostMapping("/auth/login")
fun login(@RequestBody loginRequest: LoginRequest): String {
val token = tokenProvider.generateToken(loginRequest.username, loginRequest.password)
if (token === null) {
throw NotLoggedInError()
}
return token
}
它可用于检索安全区域的 token /api/schemas
:
@GetMapping
fun getSchemas() : ArrayList<Schema> = _schemas
我已在自定义 WebSecurityConfigurerAdapter
对象的 configure(http: HttpSecurity?)
方法中配置了安全策略:
override fun configure(http: HttpSecurity?) {
http!!
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.exceptionHandling()
.defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), PROTECTED_URLS)
.and()
.authenticationProvider(tokenAuth)
.addFilterBefore(restAuthenticationFilter(), AnonymousAuthenticationFilter::class.java)
.authorizeRequests()
.requestMatchers(PROTECTED_URLS).authenticated()
.and()
.csrf().disable()
.formLogin().disable()
.httpBasic().disable()
.logout().disable()
}
似乎过滤器的 attemptAuthentication
方法总是被调用,即使在访问公共(public)区域的情况下也是如此。
@FieldDefaults(level = AccessLevel.PRIVATE, makeFinal = true)
class TokenAuthenticationFilter(requiresAuth: RequestMatcher) : AbstractAuthenticationProcessingFilter(requiresAuth) {
@Autowired
lateinit var tokenAuthenticationProvider: TokenAuthenticationProvider
private val BEARER = "Bearer"
override fun attemptAuthentication(request: HttpServletRequest?, response: HttpServletResponse?): Authentication {
val param: String? = request!!.getHeader("Authorization")
val token = removeStart(param!!, BEARER).trim()
val user = tokenAuthenticationProvider.getUserFromToken(token)
val auth = UsernamePasswordAuthenticationToken(user!!.username, user.password)
return authenticationManager.authenticate(auth)
}
override fun successfulAuthentication(request: HttpServletRequest?, response: HttpServletResponse?, chain: FilterChain?, authResult: Authentication?) {
super.successfulAuthentication(request, response, chain, authResult)
chain!!.doFilter(request, response)
}
override fun unsuccessfulAuthentication(request: HttpServletRequest?, response: HttpServletResponse?, failed: AuthenticationException?) {
throw NotLoggedInError()
}
}
有什么想法吗?预先感谢您的帮助。
问候。
最佳答案
从技术上讲,Spring Security总是对用户进行身份验证。在不需要身份验证的情况下(例如公共(public)端点),用户仍然被身份验证为匿名。
在您的 WebSecurityConfigurerAdapter#configure(HttpSecurity)
中,您显式地将 restAuthenticationFilter()
放在 AnonymousAuthenticationFilter::class.java
之前。这意味着 Spring Security 要将用户身份验证为匿名,它首先需要调用您的过滤器,然后才能调用 AnonymousAuthenticationFilter
。
关于java - 为什么Spring过滤器总是被调用?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/59337938/