antMatchers() is not working , and gives forbidden error
I have an endpoint called authenticate, and it is given to antMatchers("/authenticate") to skip authorization for this endpoint, but it still checks for authentication.
Code:
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    // We don't need CSRF for this example
    httpSecurity.csrf().disable()
        // don't authenticate this particular request
        .authorizeRequests().antMatchers("/authenticate").permitAll()
        // all other requests need to be authenticated
        .and().authorizeRequests()
        .anyRequest().authenticated()
        .and()
        // make sure we use stateless session; session won't be used to
        // store user's state.
        .exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint)
        .and().sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    // Add a filter to validate the tokens with every request
    httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}
Try adding this method to make sure this endpoint is ignored.
@Override
public void configure(final WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/authenticate");
}
Pass through in your authentication filter if the request cannot be evaluated.
@Override
protected void doFilterInternal(final HttpServletRequest req,
                                final HttpServletResponse res,
                                final FilterChain chain) throws IOException, ServletException {
    final String header = req.getHeader("Authorization");
    if (header == null || !header.startsWith("Bearer ")) {
        // if it cannot be evaluated, let the request continue;
        // the authorization rules decide whether a principal is required
        chain.doFilter(req, res);
        return;
    }
    // do authentication
    // SecurityContextHolder.getContext().setAuthentication() if authenticated normally
    // throw AuthenticationException if received illegal credentials
    chain.doFilter(req, res);
}
See also the AbstractAuthenticationProcessingFilter#attemptAuthentication() javadoc:
The implementation should do one of the following:
- Return a populated authentication token for the authenticated user, indicating successful authentication
- Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
- Throw an AuthenticationException if the authentication process fails
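A fuller version of the pass-through pattern from this answer, added here as an example (not code from the question or the answers): the filter never rejects a request itself, so permitAll() on /authenticate keeps working and unauthenticated requests to protected URLs fall through to the configured authenticationEntryPoint. It assumes Spring Security 5 on javax.servlet and jjwt 0.11.x; PassThroughJwtFilter and the injected secretBytes are hypothetical names.

```java
import java.io.IOException;
import java.util.Collections;
import javax.crypto.SecretKey;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter written for this example; not the question's jwtRequestFilter.
public class PassThroughJwtFilter extends OncePerRequestFilter {

    // Assumed to be injected from configuration. Keys.hmacShaKeyFor() rejects
    // anything shorter than 32 bytes (256 bits), the RFC 7518 minimum for HS256.
    private final SecretKey key;

    public PassThroughJwtFilter(byte[] secretBytes) {
        this.key = Keys.hmacShaKeyFor(secretBytes);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                    FilterChain chain) throws IOException, ServletException {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            // Nothing to evaluate: do not reject here. The authorization rules decide
            // whether this URL (e.g. the permitAll'd /authenticate) needs a principal.
            chain.doFilter(req, res);
            return;
        }
        try {
            Claims claims = Jwts.parserBuilder().setSigningKey(key).build()
                    .parseClaimsJws(header.substring("Bearer ".length())).getBody();
            UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                    claims.getSubject(), null, Collections.emptyList());
            SecurityContextHolder.getContext().setAuthentication(auth);
        } catch (JwtException | IllegalArgumentException e) {
            // Bad, expired or empty token: leave the context empty and continue, so protected
            // URLs reach the authenticationEntryPoint while permitAll URLs still succeed.
            SecurityContextHolder.clearContext();
        }
        chain.doFilter(req, res);
    }
}
```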
I have an update on this question.
In my case, I ran into a problem with the function signWith(), which has been deprecated; the request to /authenticate was passing the antMatchers() filter but failing to generate a token.
After some research I found that there is another variant of the same function, and it works well.
Old version of the token generation code.
SecretKey key = Keys.hmacShaKeyFor(Decoders.BASE64.decode("newworldorder"));
The key is of type SecretKey.
Jwts.builder().setClaims(claims).setSubject(subject).setIssuedAt(date)
    .setExpiration(new Date(validity))
    .signWith(key).compact();
This is the new version of the token generation code.
private String key = "newworldorder";
The key is of type String.
Jwts.builder().setClaims(claims).setSubject(subject).setIssuedAt(date)
    .setExpiration(validity)
    .signWith(SignatureAlgorithm.HS512, key).compact();