我正在使用 Spring Security 和 JWT 来验证其余 api。登录时,会生成 JWT token 并将其共享到移动客户端。但是,后续请求中的 token 未经过验证。安全配置有问题吗?
Spring 安全版本 - 5.1.6.RELEASE
//安全配置
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
@Autowired
private JwtTokenAuthenticationFilter jwtTokenAuthenticationFilter;
@Autowired
private CustomUserDetailsService customUserDetailsService;
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(customUserDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.
httpBasic().disable().
csrf().disable().
exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).
and().
addFilterBefore(jwtTokenAuthenticationFilter, UsernamePasswordAuthenticationFilter.class).
sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).
and().
authorizeRequests().antMatchers("/user/login").permitAll().
antMatchers("/user/test").authenticated().
anyRequest().authenticated();
}
}
//JWT token 身份验证过滤器 - 永远不会调用
@Component
public class JwtTokenAuthenticationFilter extends GenericFilterBean {
@Autowired
private JwtTokenProvider jwtTokenProvider;
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain) throws IOException, ServletException {
String token = jwtTokenProvider.resolveToken((HttpServletRequest) req);
if (null != token && jwtTokenProvider.validateToken(token)) {
Authentication auth = jwtTokenProvider.getAuthentication(token);
if (null != auth) {
SecurityContextHolder.getContext().setAuthentication(auth);
}
}
filterChain.doFilter(req, res);
}
}
我期望登录后的所有请求都将根据 JWT token 进行身份验证。 我尝试将要验证的服务名称设置如下:
antMatchers("/user/test").authenticated().
此外,还添加了任何经过身份验证的请求,但它们都不起作用。
anyRequest().authenticated();
最佳答案
尝试更换
addFilterBefore(jwtTokenAuthenticationFilter, UsernamePasswordAuthenticationFilter.class).
由
addFilterBefore(jwtTokenAuthenticationFilter), BasicAuthenticationFilter.class);
如果没有运行,请更改 jwtTokenAuthenticationFilter 类以避免成为 Spring bean 并像这样使用:
addFilterBefore(new JwtTokenAuthenticationFilter(jwtTokenProvider)), BasicAuthenticationFilter.class);
并在Security Class上添加以下代码:
@Autowired
private JwtTokenProvider jwtTokenProvider;
关于spring-mvc - Spring Security 与 JWT : JWT filter which validates the token is not invoked,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57733085/