java - 为什么Spring过滤器总是被调用?

标签 java spring spring-boot kotlin

我正在使用 Spring Boot 框架 实现REST API。我有一项公共(public)服务 /auth/login

@PostMapping("/auth/login")
fun login(@RequestBody loginRequest: LoginRequest): String {
    val token = tokenProvider.generateToken(loginRequest.username, loginRequest.password)
    if (token === null) {
        throw NotLoggedInError()
    }   
    return token
} 

它可用于检索安全区域的 token /api/schemas:

@GetMapping
fun getSchemas() : ArrayList<Schema> = _schemas

我已在自定义 WebSecurityConfigurerAdapter 对象的 configure(http: HttpSecurity?) 方法中配置了安全策略:

override fun configure(http: HttpSecurity?) {
    http!!
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .exceptionHandling()
                .defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), PROTECTED_URLS)
                .and()
            .authenticationProvider(tokenAuth)
                .addFilterBefore(restAuthenticationFilter(), AnonymousAuthenticationFilter::class.java)
                .authorizeRequests()
                .requestMatchers(PROTECTED_URLS).authenticated()
                .and()
            .csrf().disable()
            .formLogin().disable()
            .httpBasic().disable()
            .logout().disable()
} 

似乎过滤器的 attemptAuthentication 方法总是被调用,即使在访问公共(public)区域的情况下也是如此。

@FieldDefaults(level = AccessLevel.PRIVATE, makeFinal = true)
class TokenAuthenticationFilter(requiresAuth: RequestMatcher) : AbstractAuthenticationProcessingFilter(requiresAuth) {

    @Autowired
    lateinit var tokenAuthenticationProvider: TokenAuthenticationProvider

    private val BEARER = "Bearer"

    override fun attemptAuthentication(request: HttpServletRequest?, response: HttpServletResponse?): Authentication {
        val param: String? = request!!.getHeader("Authorization")
        val token = removeStart(param!!, BEARER).trim()
        val user = tokenAuthenticationProvider.getUserFromToken(token)
        val auth = UsernamePasswordAuthenticationToken(user!!.username, user.password)
        return authenticationManager.authenticate(auth)
    }

    override fun successfulAuthentication(request: HttpServletRequest?, response: HttpServletResponse?, chain: FilterChain?, authResult: Authentication?) {
        super.successfulAuthentication(request, response, chain, authResult)
        chain!!.doFilter(request, response)
    }

    override fun unsuccessfulAuthentication(request: HttpServletRequest?, response: HttpServletResponse?, failed: AuthenticationException?) {
        throw NotLoggedInError()
    }
}

有什么想法吗?预先感谢您的帮助。

问候。

最佳答案

从技术上讲,Spring Security总是对用户进行身份验证。在不需要身份验证的情况下(例如公共(public)端点),用户仍然被身份验证为匿名

在您的 WebSecurityConfigurerAdapter#configure(HttpSecurity) 中,您显式地将 restAuthenticationFilter() 放在 AnonymousAuthenticationFilter::class.java 之前。这意味着 Spring Security 要将用户身份验证为匿名,它首先需要调用您的过滤器,然后才能调用 AnonymousAuthenticationFilter

关于java - 为什么Spring过滤器总是被调用?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/59337938/

相关文章:

hibernate - 如何禁用 spring boot HibernateJpaAutoConfiguration

spring - SimpleMessageListenerContainer Amazon SQS 轮询间隔

java - 通过 http Retrofit2 请求发送 WAV 文件 - Android Studio

java - 流总是空的——除非我给它时间

java - 希望根据 Spring Profile 编码不同的 POJO 字段集

java - Spring boot - Snowflake JDBC - 应用程序加载时自动更改 session

java - 如何在apache ignite缓存配置xml文件中提供多个静态IP

java - 不支持获取内容类型 'application/json'

java - 在 HASHMAP 中计算两次键的哈希码

spring - Thymeleaf:来自 messageKey 的默认消息