【发布时间】:2020-03-30 09:36:03
【问题描述】:
所以我有一个相对简单的 JWT 身份验证,并设置了 Spring Boot 安全性。这包括 3 个过滤器(Jwt、Cors、JwtExceptionHandler)和一个注册到 HttpSecurity 的异常处理程序。
由于调试原因,我将JwtRequestFilter 的doFilterInternal 方法设为空。仅此一点就没有问题。但是,如果同一过滤器中的shouldNotFilter 方法返回true(这意味着将跳过doFilterInternal)我收到指定的异常:
org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource
at org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:189)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:140)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at at.techsoft.cocos.security.ExceptionHandlerFilter.doFilterInternal(ExceptionHandlerFilter.java:20)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
这是我的WebSecurityConfig 课程:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private static final Logger log = LoggerFactory.getLogger(WebSecurityConfig.class);
@Autowired
private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
@Autowired
private UserDetailsService jwtUserDetailsService;
@Autowired
private ExceptionHandlerFilter exceptionHandlerFilter;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(jwtUserDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.cors().and().csrf().disable();
httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
httpSecurity.exceptionHandling()
.authenticationEntryPoint(jwtAuthenticationEntryPoint);
httpSecurity.headers().frameOptions().disable();
httpSecurity.authorizeRequests()
.antMatchers(Path.ROOT + "/authentication/**", "/*","/share/**", "/css/**", "/img/**", "/js/**", "/console/**").permitAll()
// Disallow everything else..
.antMatchers(HttpMethod.OPTIONS).permitAll()
.anyRequest().authenticated();
httpSecurity.addFilterBefore(new CorsFilterConfig(), ChannelProcessingFilter.class);
httpSecurity.addFilterBefore(new JwtRequestFilter(new StandardJwtValidator(tokenUtil, userRepository, jwtUserDetailsService)), UsernamePasswordAuthenticationFilter.class);
httpSecurity
.addFilterBefore(exceptionHandlerFilter, JwtRequestFilter.class);
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers(Path.ROOT + "/authentication/", "/*", "/css/**", "/img/**", "/js/**", "/console/**")
.antMatchers(HttpMethod.OPTIONS, "/**");
}
这是有问题的 JwtRequestFilter:
public class JwtRequestFilter extends OncePerRequestFilter {
private Logger log = LoggerFactory.getLogger(JwtRequestFilter.class);
final
IJwtValidator validator;
public JwtRequestFilter(IJwtValidator validator) {
this.validator = validator;
}
@Override
public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws ServletException, IOException {
//SecurityContextHolder.getContext().setAuthentication(validator.getAuthenticatioNToken(request));
}
@Override
protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
return true;
}
}
当谷歌搜索异常时,几乎所有的答案都包括 oauth2 身份验证,但我不使用 oauth2。
我应该补充一点,这种特殊情况永远不会发生,但我觉得有一些潜在的问题正在系统的其他部分产生错误。
编辑: 根据要求,我将添加 application.properties:
jwt.secret=javainuse
logging.level.at=DEBUG
logging.level.org.springframework.web=DEBUG
spring.jpa.hibernate.ddl-auto= create-drop
spring.jpa.open-in-view=true #i know this shouldn't be used
#database location
#left out for post
# H2
spring.h2.console.enabled=true
spring.h2.console.path=/h2/
spring.datasource.url=#left out again
请求头:
> GET /api/v1/groups/ HTTP/1.1
> Host: localhost:8080
> User-Agent: insomnia/7.0.5
> Cookie: JSESSIONID=199D19CCD05968D3E8CF0C97A1DE2CD5
> Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJ0c2FkbWluIiwiZXhwIjoxNTc1NTY0MjcxLCJpYXQiOjE1NzU1NDYyNzF9.dCXO2LFaZy8LTFRCA14gHAhA1kUUSy6pCZ7Joad2z1y1G50PSVC2mPz56odA5LmIHOxhjnZrrxAbGyuX2NWgWQ
> Accept: */*
【问题讨论】:
标签: java spring security oauth-2.0 jwt