有人可以告诉我,为什么登录之后在 Postman 的响应里得到的是 401 Unauthorized,而不是我的 token?
CorsConfig.java
@Configuration
public class CorsConfig {

    /**
     * Registers a CORS filter for every path under /api/**.
     *
     * The configuration enables credentials but lists no allowed origins,
     * headers or methods (those three lines are commented out), so as written
     * it effectively rejects every cross-origin request. When re-enabling
     * them, enumerate concrete origins instead of "*": a wildcard origin
     * together with allowCredentials(true) lets any site call the API with
     * the user's cookies/headers, and newer Spring versions (5.3+) refuse
     * that combination at startup (allowedOriginPatterns exists for the rare
     * case a pattern is really needed).
     *
     * NOTE(review): a non-browser client such as Postman normally sends no
     * Origin header, so this filter is unlikely to be the source of a 401 —
     * look at the SecurityConfig rules instead.
     *
     * @return the CorsFilter bean applied to /api/**
     */
    @Bean
    public CorsFilter corsFilter() {
        CorsConfiguration apiCors = new CorsConfiguration();
        apiCors.setAllowCredentials(true);
        // Intentionally disabled — read the javadoc before turning any of these on.
        // apiCors.addAllowedOrigin("*");
        // apiCors.addAllowedHeader("*");
        // apiCors.addAllowedMethod("*");

        UrlBasedCorsConfigurationSource registry = new UrlBasedCorsConfigurationSource();
        registry.registerCorsConfiguration("/api/**", apiCors);
        return new CorsFilter(registry);
    }
}
SecurityConfig.java
/**
 * Hash function for stored credentials: BCrypt with the library's default
 * cost (10 rounds in current Spring Security — verify against the version
 * in use). Used by the AuthenticationManagerBuilder configuration below.
 */
@Bean
public PasswordEncoder passwordEncoder() {
    PasswordEncoder bcrypt = new BCryptPasswordEncoder();
    return bcrypt;
}
/**
 * Publishes the adapter's AuthenticationManager as a bean under the
 * well-known id so that AuthController can @Autowire it.
 */
@Bean(BeanIds.AUTHENTICATION_MANAGER)
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
    AuthenticationManager manager = super.authenticationManagerBean();
    return manager;
}
/**
 * Configures user lookup and password verification: users are loaded
 * through securityUserDetailsService and the submitted password is
 * compared against the stored hash with the BCrypt encoder declared above.
 */
@Override
public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
    PasswordEncoder encoder = passwordEncoder();
    authenticationManagerBuilder
            .userDetailsService(securityUserDetailsService)
            .passwordEncoder(encoder);
}
/**
 * HTTP security rules as posted in the question.
 *
 * Why the login call gets a 401: AuthController is mapped to POST /api/auth,
 * but the only active permitAll() rule below covers "/" and the static-file
 * suffixes; every other path — including /api/auth itself — falls under
 * anyRequest().authenticated(). The login request carries no Bearer token,
 * so JwtAuthenticationFilter sets no authentication and the request is
 * rejected by unauthorizedHandler (the 401 entry point) before it reaches
 * the controller. The commented-out rule for "/api/auth/**" is the one that
 * needs to be active.
 *
 * Security notes:
 * - CSRF is disabled; that is acceptable only because the session policy is
 *   STATELESS and callers authenticate with a header, not a cookie.
 * - The wildcard suffix rules (png, gif, svg, jpg, html, css, js) are not
 *   anchored to a static prefix, so they open those suffixes under any path,
 *   /api included. NOTE(review): if a controller route can be reached with
 *   such a suffix (older Spring MVC enables suffix-pattern matching by
 *   default), it becomes reachable without a token — prefer anchoring
 *   static rules to a dedicated prefix such as "/static/**".
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // CORS is handled by the CorsFilter bean; CSRF is off (stateless, header-authenticated API).
    http.cors();
    http.csrf().disable();

    // Every unauthenticated access to a protected path ends here as a 401.
    http.exceptionHandling().authenticationEntryPoint(unauthorizedHandler);

    // Never create an HttpSession; each request must carry its own token.
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Open paths: the root and static-resource suffixes. Everything else,
    // including the login endpoint, currently requires authentication.
    http.authorizeRequests()
            .antMatchers("/",
                    "/favicon.ico",
                    "/**/*.png",
                    "/**/*.gif",
                    "/**/*.svg",
                    "/**/*.jpg",
                    "/**/*.html",
                    "/**/*.css",
                    "/**/*.js")
            .permitAll()
            // .antMatchers("/api/auth/**", "/api/user/register/**", "/api/user/namecheck/**", "/api/password/**")
            // .permitAll()
            // .antMatchers("/api/user/checkUsernameAvailability", "/api/user/checkEmailAvailability")
            // .permitAll()
            // .antMatchers(HttpMethod.GET, "/api/polls/**", "/api/users/**")
            // .permitAll()
            .anyRequest()
            .authenticated();

    // Token check runs before the form-login filter slot.
    http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    http.headers().cacheControl();
}
}
AuthController.java
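@RestController
@RequestMapping("/api/auth")
public class AuthController {

    @Autowired
    AuthenticationManager authenticationManager;

    @Autowired
    JwtTokenProvider tokenProvider;

    /**
     * Login endpoint: POST /api/auth with an {email, password} body.
     *
     * This path must be reachable without a token — it is where a client
     * obtains one. With SecurityConfig as shown in the question it falls
     * under anyRequest().authenticated() and the JWT entry point answers 401
     * before this method runs.
     *
     * @param request validated body carrying the e-mail (used as the
     *                username) and the clear-text password
     * @return 200 with a JwtAuthenticationResponse wrapping the signed token
     * @throws AuthenticationException from authenticate() when the
     *         credentials are rejected; nothing is caught here, so Spring's
     *         default error translation applies. NOTE(review): make sure that
     *         translation does not reveal "unknown user" vs "wrong password",
     *         and consider rate-limiting this endpoint — it is the natural
     *         target for credential stuffing.
     */
    @PostMapping
    public ResponseEntity<?> authenticateUser(@Valid @RequestBody AuthRequest request) {
        // The unused 'principal'/'credentials' locals of the original are dropped.
        Authentication authentication = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(
                        request.getEmail(),
                        request.getPassword()));

        // Session policy is STATELESS, so this lives only for the current
        // request; kept so anything later in this request sees the principal.
        SecurityContextHolder.getContext().setAuthentication(authentication);

        String jwt = tokenProvider.generateToken(authentication);
        return ResponseEntity.ok(new JwtAuthenticationResponse(jwt));
    }
}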
AuthenticatedUser.java,我的模型
@Data
@Accessors(chain = true)
@EqualsAndHashCode
public class AuthenticatedUser implements UserDetails {
private UUID id;
private String firstName;
private String lastName;
private String token;
@JsonIgnore
private String email;
@JsonIgnore
private String password;
public AuthenticatedUser(){}
/**
 * Builds the Spring Security principal for a persisted user.
 *
 * A single authority is granted: the bare role name from the entity. No
 * "ROLE_" prefix is added here, so any hasRole() checks elsewhere must
 * account for that. The stored password (expected to be the BCrypt hash)
 * is copied across for the authentication provider to compare against;
 * the token field is left unset.
 *
 * @param userEntity persisted user; its role must be non-null
 * @return a populated AuthenticatedUser
 */
public static AuthenticatedUser mapFromEntity(UserEntity userEntity) {
    GrantedAuthority role = new SimpleGrantedAuthority(userEntity.getRole().name());
    List<GrantedAuthority> grantedRoles = new ArrayList<>();
    grantedRoles.add(role);

    AuthenticatedUser principal = new AuthenticatedUser();
    principal.setId(userEntity.getId());
    principal.setEmail(userEntity.getEmail());
    principal.setPassword(userEntity.getPassword());
    principal.setFirstName(userEntity.getFirstName());
    principal.setLastName(userEntity.getLastName());
    principal.setAuthorities(grantedRoles);
    return principal;
}
/** Authorities granted to this principal; set by the Lombok-generated setter used in mapFromEntity. */
private Collection<? extends GrantedAuthority> authorities;

/** Returns whatever was passed to setAuthorities — null if it was never populated. */
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
    return this.authorities;
}
TokenProvider.java
@Component
public class JwtTokenProvider {
@Value("${jwt.salt}")
private String jwtSalt;
@Value("${jwt.expiry}")
private int jwtExpiry;
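/**
 * Issues an HS512-signed JWT whose subject is the authenticated user's id.
 *
 * Claims: sub = user UUID, iat = now, exp = now + jwtExpiry. The expiry
 * property is added to epoch milliseconds, so it must be configured in
 * milliseconds (as an int it caps out at roughly 24.8 days).
 *
 * Key handling: jwtSalt is not a salt, it is the HMAC secret — treat it as
 * one (random, at least 64 bytes for HS512, never committed to source,
 * rotated on compromise). NOTE(review): with jjwt 0.10+ the
 * signWith(SignatureAlgorithm, String) overload is deprecated and decodes
 * the string as base64; check the library version before assuming the
 * configured text is used verbatim.
 *
 * @param authentication must carry an AuthenticatedUser principal
 *                       (ClassCastException otherwise)
 * @return the compact serialised token
 */
public String generateToken(Authentication authentication) {
    AuthenticatedUser userEntity = (AuthenticatedUser) authentication.getPrincipal();

    Date now = new Date();
    Date expiryDate = new Date(now.getTime() + jwtExpiry);

    return Jwts.builder()
            .setSubject(userEntity.getId().toString())
            .setIssuedAt(now) // same instant the expiry is based on, not a second clock read
            .setExpiration(expiryDate)
            .signWith(SignatureAlgorithm.HS512, jwtSalt)
            .compact();
}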
/**
 * Verifies the token signature with the shared secret and returns its
 * subject as a UUID.
 *
 * parseClaimsJws requires a signed JWS: an unsigned token, a bad signature
 * or an expired token is rejected with a JwtException subtype, and a
 * subject that is not a UUID raises IllegalArgumentException. The filter
 * catches and logs all of these.
 *
 * @param token compact JWS as taken from the Authorization header
 * @return the user id carried in the subject claim
 */
public UUID getUserIdFromJWT(String token) {
    Claims body = Jwts.parser()
            .setSigningKey(jwtSalt)
            .parseClaimsJws(token)
            .getBody();
    String subject = body.getSubject();
    return UUID.fromString(subject);
}
public boolean validateToken(String authToken) {
///
JwtauthenticationFilter.java
public class JwtAuthenticationFilter extends OncePerRequestFilter {
@Autowired
private JwtTokenProvider tokenProvider;
@Autowired
private SecurityUserDetailsService securityUserDetailsService;
/**
 * Reads a Bearer token from the request and, if it verifies, places the
 * matching user into the SecurityContext for this request only (the session
 * policy is STATELESS). Any failure — malformed or expired token, unknown
 * user id — is logged and the request continues without an authentication,
 * so protected paths are still rejected downstream by the entry point
 * (fail-closed). NOTE(review): every junk token a client sends produces an
 * ERROR log entry with a stack trace; consider a lower level to avoid log
 * flooding by unauthenticated callers.
 */
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
    try {
        authenticateFromBearerToken(request);
    } catch (Exception ex) {
        logger.error("Could not set user authentication in security context", ex);
    }
    filterChain.doFilter(request, response);
}

/** Populates the SecurityContext when the request carries a valid token; otherwise does nothing. */
private void authenticateFromBearerToken(HttpServletRequest request) {
    String jwt = getJwtFromRequest(request);
    if (!StringUtils.hasText(jwt) || !tokenProvider.validateToken(jwt)) {
        return;
    }
    UUID userId = tokenProvider.getUserIdFromJWT(jwt);
    UserDetails userDetails = securityUserDetailsService.loadUserById(userId);
    // Three-arg constructor marks the token as already authenticated.
    UsernamePasswordAuthenticationToken authentication =
            new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
    authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
    SecurityContextHolder.getContext().setAuthentication(authentication);
}
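/**
 * Extracts the bearer token from the Authorization header.
 *
 * RFC 7235 makes the auth-scheme case-insensitive, so "bearer x" is accepted
 * as well as "Bearer x" (the original matched only the exact capitalisation);
 * whitespace around the credential is trimmed. The token is returned as-is —
 * signature and expiry are checked by JwtTokenProvider.
 *
 * @param request current request
 * @return the raw token, or null when the header is absent, blank, or not a
 *         Bearer credential
 */
private String getJwtFromRequest(HttpServletRequest request) {
    String header = request.getHeader("Authorization");
    if (!StringUtils.hasText(header)) {
        return null;
    }
    String scheme = "Bearer ";
    if (!header.regionMatches(true, 0, scheme, 0, scheme.length())) {
        return null;
    }
    return header.substring(scheme.length()).trim();
}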
最佳答案
您应该在 SecurityConfig 中把 /api/auth 路由加入 permitAll()。登录请求本身不带 token,而当前配置下 /api/auth 也落在 anyRequest().authenticated() 之内,所以 JwtAuthenticationFilter 不会设置认证信息,请求在到达 AuthController 之前就被 unauthorizedHandler 以 401 拒绝了。
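/**
 * Corrected rules: the login endpoint is listed under permitAll() so a
 * client can obtain a token, and — unlike the snippet as first posted — the
 * chain keeps anyRequest().authenticated() (permitAll() followed directly by
 * authenticated() does not compile; anyRequest() must sit in between, and it
 * is what makes every other path require a token).
 *
 * Practitioner notes:
 * - "/api/auth" matches only that exact path; use "/api/auth/**" if the
 *   endpoint should also be reachable with a trailing slash or sub-paths.
 *   AuthController maps only POST, so a GET here yields 405 rather than a
 *   leak, but restricting the matcher to HttpMethod.POST is cleaner.
 * - The static-suffix patterns apply to every path, not only a static
 *   prefix; keep them from overlapping API routes.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .cors()
            .and()
            .csrf()
            .disable()
            .exceptionHandling()
            .authenticationEntryPoint(unauthorizedHandler)
            .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers("/",
                    "/api/auth", // login endpoint: must be reachable without a token
                    "/favicon.ico",
                    "/**/*.png",
                    "/**/*.gif",
                    "/**/*.svg",
                    "/**/*.jpg",
                    "/**/*.html",
                    "/**/*.css",
                    "/**/*.js")
            .permitAll()
            .anyRequest() // was missing in the posted answer; required before authenticated()
            .authenticated();
    http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    http.headers().cacheControl();
}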