我在我的 java 專案中使用 spring security 來保護 Web 服務。我所有的網路服務在這里都是安全的,我使用的過濾器鏈配置:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors().and()
.csrf().disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.addFilter(new JwtEmailAndPasswordAuthenticationFilter(authenticationManager(), jwtConfig, secretKey))
.addFilterAfter(new JwtTokenVerifier(secretKey, jwtConfig),JwtEmailAndPasswordAuthenticationFilter.class)
.authorizeRequests()
.anyRequest()
.authenticated();
}
現在我需要創建一個所有人都可以訪問的 Web 服務。為此,我添加了這一行:
.and().authorizeRequests().antMatchers("/auth/reset").permitAll()
對于鏈式檔案管理器,它看起來像這樣:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors().and()
.csrf().disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.addFilter(new JwtEmailAndPasswordAuthenticationFilter(authenticationManager(), jwtConfig, secretKey))
.addFilterAfter(new JwtTokenVerifier(secretKey, jwtConfig),JwtEmailAndPasswordAuthenticationFilter.class)
.authorizeRequests()
.and().authorizeRequests().antMatchers("/auth/reset").permitAll()
.anyRequest()
.authenticated();
}
添加上面的行后,我得到例外 JWT not found,它來自這個由 addFilterAfter 觸發的 JwtTokenVerifier bean。
我的問題是,在請求不安全的 Web 服務的情況下,如何防止觸發 addFilterAfter 或僅安全路由所需的任何其他過濾器?
更新
這是 JwtTokenVerifier bean 的定義:
public class JwtTokenVerifier extends OncePerRequestFilter {
private final SecretKey secretKey;
private final JwtConfig jwtConfig;
public JwtTokenVerifier(SecretKey secretKey,
JwtConfig jwtConfig) {
this.secretKey = secretKey;
this.jwtConfig = jwtConfig;
}
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
try {
String authorizationHeader = request.getHeader(jwtConfig.getAuthorizationHeader());
if (Strings.isNullOrEmpty(authorizationHeader) || !authorizationHeader.startsWith(jwtConfig.getTokenPrefix())) {
filterChain.doFilter(request, response);
return;
}
String token = authorizationHeader.replace(jwtConfig.getTokenPrefix(), "");
try {
Jws<Claims> claimsJws = Jwts.parser()
.setSigningKey(secretKey)
.parseClaimsJws(token);
Claims body = claimsJws.getBody();
String email = body.getSubject();
var authorities = (List<Map<String, String>>) body.get("authorities");
Set<SimpleGrantedAuthority> simpleGrantedAuthorities = authorities.stream()
.map(m -> new SimpleGrantedAuthority(m.get("authority")))
.collect(Collectors.toSet());
Authentication authentication = new UsernamePasswordAuthenticationToken(
email,
null,
simpleGrantedAuthorities
);
SecurityContextHolder.getContext().setAuthentication(authentication);
} catch (JwtException e) {
throw new IllegalStateException(String.format("Token %s cannot be trusted", token));
}
filterChain.doFilter(request, response);
} catch (JwtException e) {
throw e;
}
}
}
uj5u.com熱心網友回復:
我知道您沒有問這個問題,但我首先建議您使用 Spring Security 的內置 JWT 支持而不是構建自己的支持。安全性很難,使用經過審查的支持可能更安全。
關于您關于為單獨的端點使用單獨的身份驗證機制的問題,您可以改為發布兩個過濾器鏈,一個用于開放端點,一個用于基于令牌的端點,如下所示:
@Bean
@Order(0)
SecurityFilterChain open(HttpSecurity http) {
http
.requestMatchers((requests) -> requests.antMatchers("/auth/reset"))
.authorizeHttpRequests((authorize) -> authorize.anyRequest().permitAll());
return http.build();
}
@Bean
SecurityFilterChain tokenBased(HttpSecurity http) {
http
.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
.addFilter(...)
.addFilterAfter(...);
return http.build();
}
uj5u.com熱心網友回復:
你有沒有嘗試過這樣的事情:
.and()
.authorizeRequests()
.antMatchers("...").permitAll()
.and()
.addFilter(...)
.authorizeRequests()
.anyRequest()
.authenticated()
.and()轉載請註明出處,本文鏈接:https://www.uj5u.com/ruanti/441330.html