我正在使用 MySQL 作為資料庫開發一個基本的 Spring Boot API。我為注冊用戶(“/users”)創建了一個端點,它在登錄時對密碼進行加密。我創建了一個身份驗證過濾器,它在回應的標頭中添加了 JWT 令牌,但是在訪問端點(“/login”)時我收到 403 錯誤,而我已經為名為“/login”的請求配置了 ant 匹配。
**網路安全配置**
package com.mukul.app.mobileappws.security;
import com.mukul.app.mobileappws.security.FIlter.AuthenticationFilter;
import com.mukul.app.mobileappws.services.UserService;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
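@Configuration
@EnableWebSecurity
public class ConfigurationSecurity extends WebSecurityConfigurerAdapter {
    /** Supplies user details to the authentication manager (see {@link #configure(AuthenticationManagerBuilder)}). */
    private final UserService userService;
    /** Password encoder the authentication manager uses to verify stored password hashes. */
    private final BCryptPasswordEncoder bcrypt;

    ConfigurationSecurity(UserService u, BCryptPasswordEncoder b) {
        this.userService = u;
        this.bcrypt = b;
    }

    /**
     * Declares the HTTP authorization rules and registers the JWT-issuing login filter.
     *
     * <p>Registration ({@code POST /users}) and {@code /login} are open to everyone; every
     * other request must be authenticated.
     *
     * @param http builder for the security filter chain
     * @throws Exception propagated from {@code authenticationManager()} and the
     *                   {@code HttpSecurity} configurers
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        AuthenticationFilter af = new AuthenticationFilter(authenticationManager());
        http.csrf().disable();
        // CSRF protection is disabled, so the security context must not be persisted in an
        // HttpSession: a session cookie issued at login would otherwise authenticate
        // cross-site requests. With a stateless policy every request has to carry its own
        // credentials (the token this application returns in the response header).
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        // authorizeRequests() returns one shared registry, so the rules are chained in the
        // order they are evaluated: most specific first, catch-all last.
        http.authorizeRequests()
                .antMatchers(HttpMethod.POST, "/users").permitAll()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated();
        // NOTE(review): this filter only issues the token at login; nothing in this file
        // validates the token on later requests, so a token-checking filter still has to be
        // added before protected endpoints are usable without a session.
        http.addFilter(af);
    }

    /**
     * Wires the user lookup service and the BCrypt encoder into the authentication manager.
     *
     * @param auth builder for the {@code AuthenticationManager}
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService).passwordEncoder(bcrypt);
    }
}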
身份驗證過濾器
package com.mukul.app.mobileappws.security.FIlter;
import java.io.IOException;
import java.util.Date;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.mukul.app.mobileappws.security.SecurityConstants;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
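/**
 * Login filter that authenticates an {@code email}/{@code password} pair and, on success,
 * returns a signed JWT in a response header.
 *
 * <p>Inherits the request matching of {@link UsernamePasswordAuthenticationFilter}
 * (by default {@code POST /login}).
 */
public class AuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    /** Validates the submitted credentials. */
    private final AuthenticationManager authManager;

    public AuthenticationFilter(AuthenticationManager am) {
        this.authManager = am;
    }

    /**
     * Reads the {@code email} and {@code password} request parameters and submits them to
     * the authentication manager.
     *
     * @param request  the login request (credentials are expected as request parameters)
     * @param response unused here
     * @return the authenticated {@link Authentication}
     * @throws AuthenticationException if the credentials are rejected
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        // An absent parameter is sent as "" rather than null so the provider reports bad
        // credentials instead of receiving a null principal/credential.
        final String email = orEmpty(request.getParameter("email"));
        final String password = orEmpty(request.getParameter("password"));
        return authManager.authenticate(new UsernamePasswordAuthenticationToken(email, password));
    }

    /**
     * Issues the JWT for the authenticated user and adds it to the response header, then
     * delegates to the parent's success handling.
     *
     * @param request  the login request
     * @param response the response that receives the token header
     * @param chain    the filter chain
     * @param auth     the successful authentication
     * @throws IOException      propagated from the parent success handling
     * @throws ServletException propagated from the parent success handling
     */
    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, Authentication auth) throws IOException, ServletException {
        // Authentication.getName() resolves the username from a UserDetails principal, so
        // no cast to the concrete User class is needed.
        String email = auth.getName();
        // SecurityConstants.EXPIRE is used as a millisecond offset — confirm its unit in
        // SecurityConstants.
        long expiresAt = System.currentTimeMillis() + SecurityConstants.EXPIRE;
        // NOTE(review): signWith(alg, String) treats SECRET as a Base64-encoded key; make
        // sure it is a randomly generated key long enough for HS512 and not a plain phrase.
        String token = Jwts.builder()
                .setSubject(email)
                .setExpiration(new Date(expiresAt))
                .signWith(SignatureAlgorithm.HS512, SecurityConstants.SECRET)
                .compact();
        response.addHeader(SecurityConstants.HEADER, SecurityConstants.PREFIX + token);
        // The parent stores the authentication and runs the default success handler, which
        // redirects (to "/" unless configured otherwise).
        super.successfulAuthentication(request, response, chain, auth);
    }

    /** Returns {@code value}, or "" when it is null. */
    private static String orEmpty(String value) {
        return value == null ? "" : value;
    }
}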

如果您正在閱讀此文,這就是您需要發送請求的方式:request.getParameter(parameterName)。請注意,我收到 404 錯誤,是因為 Spring 在成功登錄後試圖將我重定向到不存在的“/”。:)
uj5u.com熱心網友回復:
使用 Spring Security 時,我在登錄時總是遇到 CSRF 問題,因為該頁面沒有 CSRF 令牌,而沒有它就不允許 POST,請嘗試檢查一下。
