Spring Security Filter 测试,身份验证在 POSTMAN 中不起作用

【问题标题】:Spring Security Filter test, authentification not working in POSTMANSpring Security Filter 测试,身份验证在 POSTMAN 中不起作用
【发布时间】:2020-06-06 06:22:20
【问题描述】:

我正在尝试检查尝试身份验证是否正常工作,但在邮递员中但我得到 401 未经授权。

我的安全配置:

 @Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    //http.formLogin();
    http.authorizeRequests().antMatchers("/login","/login/**","/register/**").permitAll();
    http.authorizeRequests().antMatchers(HttpMethod.POST,"/tasks/**").hasAuthority("ADMIN");
    http.authorizeRequests().anyRequest().authenticated();
    http.addFilter(new JWTAuthenticationFilter(authenticationManager()));
    http.addFilterBefore(new JWTAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class);


}

我的尝试验证:

@Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {

        AppUser appUser = null;
        try {

            appUser = new ObjectMapper().readValue(request.getInputStream(), AppUser.class);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        System.out.println("****************************");
        System.out.println(appUser.getUsername());
        return authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(appUser.getUsername(), appUser.getPassword()));
    }

我的邮递员测试:

我的 JWTAuthenticationFilter:

package security;

import java.io.IOException;
import java.util.Date;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import com.example.springJWT.entities.AppUser;
import com.fasterxml.jackson.databind.ObjectMapper;

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;



public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter{


    private AuthenticationManager authenticationManager;    


    public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {
        super();
        //      super.setFilterProcessesUrl("/login");

        this.authenticationManager = authenticationManager;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {

        AppUser appUser = null;
        try {

            appUser = new ObjectMapper().readValue(request.getInputStream(), AppUser.class);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        System.out.println("****************************");
        System.out.println(appUser.getUsername());
        return authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(appUser.getUsername(), appUser.getPassword()));
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
            Authentication authResult) throws IOException, ServletException {
        User springUser=(User) authResult.getPrincipal();
        String jwt=Jwts.builder()
                .setSubject(springUser.getUsername())
                .setExpiration(new Date(System.currentTimeMillis()+SecurityConstants.EXPIRATION_TIME))
                .signWith(SignatureAlgorithm.HS256, SecurityConstants.SECRET)
                .claim("roles", springUser.getAuthorities())
                .compact();
        response.addHeader(SecurityConstants.HEADER_STRING, SecurityConstants.TOKEN_PREFIX+jwt);
        super.successfulAuthentication(request, response, chain, authResult);
    }
}

【问题讨论】:

  • 以用户名和密码作为标题中的键和值发布
  • 我试过了,还是一样的错误
  • 你尝试调试了吗?

标签: authentication spring-security jwt postman


【解决方案1】:

attemptAuthentication 方法中的 JWTAuthenticationFilter 类中,您正在向身份验证管理器提供 UsernamePasswordAuthenticationToken

它有一个 String 实例作为主体,并且在 successfulAuthentication 方法中,您尝试将其强制转换为用户

User springUser=(User) authResult.getPrincipal();

如果我尝试会出错,但这取决于您实际使用的 AuthenticationProvider

【讨论】:

  • 您可以在属性中添加 logging.level.org.springframework.security= debug 并在使用 postman 调用 login 时添加日志输出吗?
  • 谢谢,但是问题出在包本身,spring看不到,我只是把它从security改成了com.example.springJWT.security,不知道怎么没意识到早点..
猜你喜欢
  • 2019-07-18
  • 2017-02-13
  • 1970-01-01
  • 2015-05-30
  • 2016-09-03
  • 2011-11-14
  • 2021-04-06
  • 2015-08-27
  • 2014-01-28
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode