我正在使用 Spring 4 和 java 配置(没有任何 xml 文件)构建 REST 应用程序。
这里是一些实际代码:
public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected String[] getServletMappings() {
return new String[]{"/"};
}
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class<?>[] {ApplicationConfig.class};
}
@Override
protected Class<?>[] getServletConfigClasses() {
return null;
}
}
此外,我使用 token 身份验证来保护 WebService,因此我有一个过滤器来处理 token 并通过 token 正确获取用户并将用户对象放入 SecuriryContext 中。以下是过滤器的一些代码:
@Component
public class AuthenticationTokenFilter extends UsernamePasswordAuthenticationFilter {
private String tokenHeader = "X-Auth-Token";
@Autowired
private TokenUtils tokenUtils;
@Autowired
private UserDetailsService userDetailsService;
@Override
@Autowired
public void setAuthenticationManager(AuthenticationManager authenticationManager) {
super.setAuthenticationManager(authenticationManager);
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) request;
String authToken = httpRequest.getHeader(this.tokenHeader);
String username = this.tokenUtils.getUsernameFromToken(authToken);
if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
if (this.tokenUtils.validateToken(authToken, userDetails)) {
UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpRequest));
SecurityContextHolder.getContext().setAuthentication(authentication);
}
}
chain.doFilter(request, response);
}
}
我正在使用 Spring Security,这是我的 WebSecurityConfigurerAdapter
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private EntryPointUnauthorizedHandler unauthorizedHandler;
@Autowired
private AuthenticationTokenFilter authTokenFilter;
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.csrf()
.disable()
.exceptionHandling()
.authenticationEntryPoint(this.unauthorizedHandler)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.antMatchers("/auth/**").permitAll()
.anyRequest().authenticated();
httpSecurity
.addFilterBefore(authTokenFilter, UsernamePasswordAuthenticationFilter.class);
}
}
我的问题是过滤器的 doFilter() 不运行。有什么帮助吗?
PS:使用 SpringBoot 不是一个选择。我想在不使用 Spring Boot 自动配置的情况下做到这一点。
最佳答案
您不是将过滤器添加为组件,而是像一个简单的对象一样添加过滤器,该对象是通过 ServletContext 中某处的反射创建的,而对 Spring 一无所知。 如果您使用 Spring Security,您可以将过滤器添加到安全配置中的 SpringSecurityFilterChain
@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private YourFilter yourFilter;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilterBefore(yourFilter, UsernamePasswordAuthenticationFilter.class);
}
}
关于java - Spring Security Rest Token Authentication - 过滤器不运行,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/39509191/