【Question Title】: How to use different AuthenticationProvider for filter SPRING SECURITY
【Posted】: 2018-09-16 14:38:24
【Question Description】:

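In my security layer I use two filters: AjaxAuthenticationFilter and JWTAuthenticationFilter (both extend AbstractAuthenticationProcessingFilter). For the first one I want to use only AjaxAuthenticationProvider, and for the second one only JwtAuthenticationProvider.

This is the main cause of my problem: I cannot separate them (the authenticationProviders).

I tried this code, but it doesn't work: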

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    public static final String AUTHENTICATION_HEADER_NAME = "Authorization";
    public static final String AUTHENTICATION_URL = "/api/auth/login";
    public static final String REFRESH_TOKEN_URL = "/api/auth/token";
    public static final String API_ROOT_URL = "/api/**";


    @Autowired private RestAuthenticationEntryPoint authenticationEntryPoint;
    @Autowired private AjaxAwareAuthenticationSuccessHandler successHandler;
    @Autowired private AjaxAwareAuthenticationFailureHandler failureHandler;
    @Autowired private AjaxAuthenticationProvider ajaxAuthenticationProvider;
    @Autowired private JwtAuthenticationProvider jwtAuthenticationProvider;

    @Autowired private AuthenticationManager authenticationManager;
    @Autowired private ObjectMapper objectMapper;

    protected AjaxLoginProcessingFilter buildAjaxLoginProcessingFilter(String loginEntryPoint) throws Exception {
        AjaxLoginProcessingFilter filter = 
                new AjaxLoginProcessingFilter(loginEntryPoint, successHandler, failureHandler, objectMapper);
        filter.setAuthenticationManager(authenticationManager);
        return filter;
    }

    protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter(List<String> pathsToSkip, String pattern) {
        SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, pattern);
        JwtTokenAuthenticationProcessingFilter filter = 
                new JwtTokenAuthenticationProcessingFilter(failureHandler, matcher);
        filter.setAuthenticationManager(this.authenticationManager);
        return filter;
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }



    @Override
    protected void configure(HttpSecurity http) throws Exception {
        List<String> permitAllEndpointsList = Arrays.asList(
            AUTHENTICATION_URL,
            REFRESH_TOKEN_URL,
            "/console"
        );

        http.
            csrf().disable()
            .exceptionHandling()
            .authenticationEntryPoint(this.authenticationEntryPoint)

        .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)

        .and()
            .authorizeRequests()
            .antMatchers(permitAllEndpointsList.toArray(new String[permitAllEndpointsList.size()]))
            .permitAll()
        .and()
            .authorizeRequests()
            .antMatchers(API_ROOT_URL).authenticated(); 
    }

    @Configuration
    @Order(1)
    public class AjaxWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http
                .csrf().disable()
                .addFilterBefore(buildAjaxLoginProcessingFilter(AUTHENTICATION_URL), UsernamePasswordAuthenticationFilter.class)
                .authenticationProvider(ajaxAuthenticationProvider);

        }

    }

    @Configuration
    @Order(2)
    public class JwtWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            List<String> permitAllEndpointsList = Arrays.asList(
                    AUTHENTICATION_URL,
                    REFRESH_TOKEN_URL,
                    "/console"
                );

            http
                .csrf().disable()
                .addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(permitAllEndpointsList, API_ROOT_URL),
                    UsernamePasswordAuthenticationFilter.class)
                .authenticationProvider(jwtAuthenticationProvider);

        }

    }

}

【Question Discussion】:

Tags: spring spring-security jwt


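【Solution 1】:

Thanks for your help. My code was completely wrong: wrong annotations and methods.

I solved it by passing the correct authManager to the target configuration (consider only):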

@Configuration
@Order(1)
public class AjaxWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // TODO Auto-generated method stub
        auth.authenticationProvider(ajaxAuthenticationProvider);
    }

}

@Configuration
public class JwtWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // TODO Auto-generated method stub
        auth.authenticationProvider(jwtAuthenticationProvider);
    }
}

In the configuration with order(1), I had to define the antMatcher:

.and()
    .antMatcher("/api/auth/**")
    .authorizeRequests()
    .antMatchers(AUTHENTICATION_URL)
    .permitAll()

In the last configuration, I had to define antMatchers for "/**":

.authorizeRequests()
    .antMatchers("/**").authenticated()

Final result:

@EnableWebSecurity
public class  WebSecurityConfig {

    public static final String AUTHENTICATION_HEADER_NAME = "Authorization";
    public static final String AUTHENTICATION_URL = "/api/auth/login";
    public static final String REFRESH_TOKEN_URL = "/api/auth/token";
    public static final String API_ROOT_URL = "/api/**";


    @Autowired private RestAuthenticationEntryPoint authenticationEntryPoint;
    @Autowired private AjaxAwareAuthenticationSuccessHandler successHandler;
    @Autowired private AjaxAwareAuthenticationFailureHandler failureHandler;
    @Autowired private AjaxAuthenticationProvider ajaxAuthenticationProvider;
    @Autowired private JwtAuthenticationProvider jwtAuthenticationProvider;

    @Autowired private ObjectMapper objectMapper;

    protected  AjaxLoginProcessingFilter buildAjaxLoginProcessingFilter(String loginEntryPoint,
            AuthenticationManager  authManager) throws Exception {
        AjaxLoginProcessingFilter filter = 
                new AjaxLoginProcessingFilter(loginEntryPoint, successHandler, failureHandler, objectMapper);
        filter.setAuthenticationManager(authManager);
        return filter;
    }

    protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter(String urlForFilter,
            AuthenticationManager authManager) {
        //SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, pattern);
        JwtTokenAuthenticationProcessingFilter filter = 
                new JwtTokenAuthenticationProcessingFilter(failureHandler, urlForFilter);
        filter.setAuthenticationManager(authManager);
        return filter;
    }

    @Configuration
    @Order(1)
    public class AjaxWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // TODO Auto-generated method stub
            auth.authenticationProvider(ajaxAuthenticationProvider);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {

                http.
                    csrf().disable()
                    .exceptionHandling()
                    .authenticationEntryPoint(authenticationEntryPoint)

                .and()
                    .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)

                .and()
                    .antMatcher("/api/auth/**")
                    .authorizeRequests()
                    .antMatchers(AUTHENTICATION_URL)
                    .permitAll()


                .and()
                    .addFilterBefore(buildAjaxLoginProcessingFilter(AUTHENTICATION_URL, super.authenticationManager()), UsernamePasswordAuthenticationFilter.class)
                    .authenticationProvider(ajaxAuthenticationProvider);

        }

    }

    @Configuration
    public class JwtWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // TODO Auto-generated method stub
            auth.authenticationProvider(jwtAuthenticationProvider);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http
                .csrf().disable()
                .authorizeRequests()
                .antMatchers("/**").authenticated()

                .and()
                .addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(API_ROOT_URL, super.authenticationManager()),
                    UsernamePasswordAuthenticationFilter.class)
                .authenticationProvider(jwtAuthenticationProvider);

        }

    }

}
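
An added example, not part of the original answer: it shows why each filter needs its own AuthenticationManager, by comparing a shared ProviderManager with one that holds a single provider. The two providers and their credential values are constructed stand-ins for AjaxAuthenticationProvider and JwtAuthenticationProvider, and spring-security-core is assumed to be on the classpath.

```java
import java.util.Arrays;
import java.util.Collections;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class PerFilterProviderDemo {

    // Hypothetical stand-in provider: accepts exactly one credential value (constructed).
    // Both instances support the same token class, which is what makes sharing risky.
    static AuthenticationProvider provider(String name, String expectedCredential) {
        return new AuthenticationProvider() {
            @Override
            public Authentication authenticate(Authentication auth) {
                if (!expectedCredential.equals(auth.getCredentials())) {
                    throw new BadCredentialsException(name + " provider rejected the credential");
                }
                return new UsernamePasswordAuthenticationToken(
                        auth.getPrincipal(), null, AuthorityUtils.createAuthorityList("ROLE_" + name));
            }
            @Override
            public boolean supports(Class<?> type) {
                return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
            }
        };
    }

    public static void main(String[] args) {
        AuthenticationProvider ajax = provider("AJAX", "password-value");
        AuthenticationProvider jwt = provider("JWT", "token-value");

        // Shared manager: tries every provider whose supports() matches, in order,
        // so a request arriving through either filter can be accepted by either provider.
        AuthenticationManager shared = new ProviderManager(Arrays.asList(ajax, jwt));
        // Dedicated manager: what the login filter should be given via setAuthenticationManager().
        AuthenticationManager ajaxOnly = new ProviderManager(Collections.singletonList(ajax));

        // A credential only the JWT stand-in accepts, presented as a login attempt.
        Authentication attempt = new UsernamePasswordAuthenticationToken("alice", "token-value");
        System.out.println("shared:   " + shared.authenticate(attempt).getAuthorities());
        try {
            ajaxOnly.authenticate(attempt);
        } catch (BadCredentialsException e) {
            System.out.println("ajaxOnly: " + e.getMessage());
        }
    }
}
```

The same isolation can be checked in a real configuration by asserting that each filter's AuthenticationManager rejects the other filter's token type.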

【Discussion】:
