如何为自定义 jwt header 授权添加过滤器
How to addFilter for custom jwt header authorization
由于某种原因，我无法注册一个接管过滤器链中认证/授权阶段的过滤器。启动日志中默认过滤器链输出“Will not secure any request”（不会保护任何请求），但实际测试时请求似乎仍然受保护，只是从未触发我的过滤器。如果能在这个问题上得到帮助，我将不胜感激！
Web 安全配置（AppSecurityConfig）
package com.legacybanking.legacyBankingAPI.security.securityConfig;
import com.legacybanking.legacyBankingAPI.security.jwt.JwtPasswordValidator;
import com.legacybanking.legacyBankingAPI.services.CustomerService;
import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import java.util.List;
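@Configuration
@AllArgsConstructor
@EnableWebSecurity
@Slf4j
public class AppSecurityConfig extends WebSecurityConfigurerAdapter {

    // Both collaborators arrive through the Lombok-generated all-args constructor;
    // the field-level @Autowired the original carried on a final field did nothing
    // and only suggested a second injection path, so it was dropped.
    private final BCryptPasswordEncoder bCryptPasswordEncoder;
    private final CustomerService customerService;

    /** DAO-backed authentication: CustomerService supplies users, bcrypt checks passwords. */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(customerService).passwordEncoder(bCryptPasswordEncoder);
    }

    /** Exposes the adapter's UserDetailsService as a bean (behaviour unchanged). */
    @Override
    @Bean
    protected UserDetailsService userDetailsService() {
        return super.userDetailsService();
    }

    /**
     * Builds the HTTP security chain.
     *
     * CSRF is disabled and the session policy is STATELESS because clients present a
     * bearer JWT rather than a cookie-backed session; that is the only justification
     * for csrf().disable() here.
     *
     * JwtPasswordValidator extends UsernamePasswordAuthenticationFilter, so addFilter()
     * slots it at that filter's position. NOTE(review): the base filter only runs for
     * POST on its processing URL (Spring Security's default is /login); if the client
     * posts the login form anywhere else the filter is never invoked — call
     * setFilterProcessesUrl(...) on the instance to match the real login endpoint.
     *
     * NOTE(review): "/api/**".permitAll() makes every /api path reachable without
     * authentication, so anyRequest().authenticated() only guards paths outside /api.
     * Narrow the allow-list to the genuinely public endpoints once they are known.
     *
     * The leftover "ITS NOT WORKING" debug log was removed.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        JwtPasswordValidator jwtLoginFilter = new JwtPasswordValidator(authenticationManager());
        http
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .addFilter(jwtLoginFilter)
            .authorizeRequests()
                // ant matchers = allow-list of paths that skip authentication
                .antMatchers("/api/**").permitAll()
                .anyRequest().authenticated();
    }
}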
JWT 登录过滤器（JwtPasswordValidator）
package com.legacybanking.legacyBankingAPI.security.jwt;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.legacybanking.legacyBankingAPI.models.Customer;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.stream.Collectors;
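@Slf4j
public class JwtPasswordValidator extends UsernamePasswordAuthenticationFilter {

    /** Lifetime of an issued access token (one hour, as in the original). */
    private static final long ACCESS_TOKEN_TTL_MS = 60L * 60 * 1000;

    /**
     * FIXME(security): the original hard-coded HS256 key, retained only so the one-arg
     * constructor stays source-compatible. Anyone who can read the source or the jar can
     * mint a valid token for any subject with any roles. Load the key from configuration
     * or a secret store, pass it through the two-arg constructor, and delete this field.
     */
    @Deprecated
    private static final String DEFAULT_SIGNING_KEY =
        "secretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecret";

    // Injected via constructor; the field-level @Autowired on a final field was a no-op.
    private final AuthenticationManager authenticationManager;
    private final Algorithm signingAlgorithm;

    /**
     * Source-compatible constructor that signs with the hard-coded default key.
     *
     * @deprecated use {@link #JwtPasswordValidator(AuthenticationManager, byte[])} with a
     *     key loaded from configuration
     */
    @Deprecated
    public JwtPasswordValidator(AuthenticationManager authenticationManager) {
        this(authenticationManager, DEFAULT_SIGNING_KEY.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * @param authenticationManager delegate that verifies the submitted credentials
     * @param signingKey HMAC-SHA256 key for issued tokens; must stay secret and should be
     *     at least 32 random bytes
     */
    public JwtPasswordValidator(AuthenticationManager authenticationManager, byte[] signingKey) {
        this.authenticationManager = authenticationManager;
        // Built once here instead of on every successful login.
        this.signingAlgorithm = Algorithm.HMAC256(signingKey);
    }

    /**
     * Reads the "email" and "password" request parameters and submits them to the
     * AuthenticationManager.
     *
     * The original printed the raw password to stdout and logged it at INFO; credentials
     * must never reach logs, so only the login identifier is recorded, at DEBUG.
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        String email = request.getParameter("email");
        String password = request.getParameter("password");
        log.debug("Login attempt for {}", email);
        return authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(email, password));
    }

    /**
     * Issues an HS256 access token for the authenticated principal and returns it in the
     * Authorization header (plus the original "access_token" header).
     *
     * Differences from the original: the token is no longer printed or logged (a logged
     * bearer token is a reusable credential); the subject and authorities are read through
     * the Authentication interface instead of casting the principal to Spring's User, which
     * throws ClassCastException when CustomerService returns its own UserDetails; and the
     * refresh token was removed — it was never sent to the client, and being signed with
     * the same key, the same one-hour expiry and no distinguishing claim it would have
     * been accepted anywhere an access token is.
     */
    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
                                            FilterChain chain, Authentication authResult)
            throws IOException, ServletException {
        long now = System.currentTimeMillis();
        String accessToken = JWT.create()
            .withSubject(authResult.getName())
            .withIssuedAt(new Date(now))
            .withExpiresAt(new Date(now + ACCESS_TOKEN_TTL_MS))
            // NOTE(review): issuer is the login request path, as in the original; a fixed
            // issuer string is the usual choice if the validating side checks "iss".
            .withIssuer(request.getRequestURI())
            .withClaim("roles", authResult.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList()))
            .sign(signingAlgorithm);
        log.info("Issued access token for {}", authResult.getName());
        response.addHeader("Authorization", "Bearer " + accessToken);
        // Kept for compatibility with the original response shape. NOTE(review): confirm
        // the client really expects a bare "token" prefix here rather than "Bearer ".
        response.setHeader("access_token", "token" + accessToken);
    }
}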
您必须在 AppSecurityConfig 的 configure(HttpSecurity http) 方法中注册 JwtPasswordValidator 的实例（问题中的代码其实已经这样做了），例如：
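// Pass an instance — the bare class name is not a valid argument. Because the class extends
// UsernamePasswordAuthenticationFilter, addFilter() places it at that filter's slot; it still
// only fires for POST on the filter's processing URL, so call setFilterProcessesUrl(...) if the
// login endpoint is not the default.
http.addFilter(new JwtPasswordValidator(authenticationManager()));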
您可能还需要创建一个继承 OncePerRequestFilter 的 CustomAuthorizationFilter，用来读取 Authorization 头中的 Bearer 令牌，并用与签发时相同的密钥验证签名和过期时间，再据此填充 SecurityContext；然后在 configure 方法中像下面这样注册它：
// Runs before the login filter on every request; it must verify the token signature and "exp"
// before trusting the "roles" claim, otherwise a forged token grants arbitrary authorities.
http.addFilterBefore(new CustomAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class);
如果需要更多帮助,请随时提出。
由于某种原因，我无法注册一个接管过滤器链中认证/授权阶段的过滤器。启动日志中默认过滤器链输出“Will not secure any request”（不会保护任何请求），但实际测试时请求似乎仍然受保护，只是从未触发我的过滤器。如果能在这个问题上得到帮助，我将不胜感激！
Web 安全配置（AppSecurityConfig）
package com.legacybanking.legacyBankingAPI.security.securityConfig;
import com.legacybanking.legacyBankingAPI.security.jwt.JwtPasswordValidator;
import com.legacybanking.legacyBankingAPI.services.CustomerService;
import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import java.util.List;
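@Configuration
@AllArgsConstructor
@EnableWebSecurity
@Slf4j
public class AppSecurityConfig extends WebSecurityConfigurerAdapter {

    // Both collaborators arrive through the Lombok-generated all-args constructor;
    // the field-level @Autowired the original carried on a final field did nothing
    // and only suggested a second injection path, so it was dropped.
    private final BCryptPasswordEncoder bCryptPasswordEncoder;
    private final CustomerService customerService;

    /** DAO-backed authentication: CustomerService supplies users, bcrypt checks passwords. */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(customerService).passwordEncoder(bCryptPasswordEncoder);
    }

    /** Exposes the adapter's UserDetailsService as a bean (behaviour unchanged). */
    @Override
    @Bean
    protected UserDetailsService userDetailsService() {
        return super.userDetailsService();
    }

    /**
     * Builds the HTTP security chain.
     *
     * CSRF is disabled and the session policy is STATELESS because clients present a
     * bearer JWT rather than a cookie-backed session; that is the only justification
     * for csrf().disable() here.
     *
     * JwtPasswordValidator extends UsernamePasswordAuthenticationFilter, so addFilter()
     * slots it at that filter's position. NOTE(review): the base filter only runs for
     * POST on its processing URL (Spring Security's default is /login); if the client
     * posts the login form anywhere else the filter is never invoked — call
     * setFilterProcessesUrl(...) on the instance to match the real login endpoint.
     *
     * NOTE(review): "/api/**".permitAll() makes every /api path reachable without
     * authentication, so anyRequest().authenticated() only guards paths outside /api.
     * Narrow the allow-list to the genuinely public endpoints once they are known.
     *
     * The leftover "ITS NOT WORKING" debug log was removed.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        JwtPasswordValidator jwtLoginFilter = new JwtPasswordValidator(authenticationManager());
        http
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .addFilter(jwtLoginFilter)
            .authorizeRequests()
                // ant matchers = allow-list of paths that skip authentication
                .antMatchers("/api/**").permitAll()
                .anyRequest().authenticated();
    }
}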
JWT 登录过滤器（JwtPasswordValidator）
package com.legacybanking.legacyBankingAPI.security.jwt;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.legacybanking.legacyBankingAPI.models.Customer;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.stream.Collectors;
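@Slf4j
public class JwtPasswordValidator extends UsernamePasswordAuthenticationFilter {

    /** Lifetime of an issued access token (one hour, as in the original). */
    private static final long ACCESS_TOKEN_TTL_MS = 60L * 60 * 1000;

    /**
     * FIXME(security): the original hard-coded HS256 key, retained only so the one-arg
     * constructor stays source-compatible. Anyone who can read the source or the jar can
     * mint a valid token for any subject with any roles. Load the key from configuration
     * or a secret store, pass it through the two-arg constructor, and delete this field.
     */
    @Deprecated
    private static final String DEFAULT_SIGNING_KEY =
        "secretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecret";

    // Injected via constructor; the field-level @Autowired on a final field was a no-op.
    private final AuthenticationManager authenticationManager;
    private final Algorithm signingAlgorithm;

    /**
     * Source-compatible constructor that signs with the hard-coded default key.
     *
     * @deprecated use {@link #JwtPasswordValidator(AuthenticationManager, byte[])} with a
     *     key loaded from configuration
     */
    @Deprecated
    public JwtPasswordValidator(AuthenticationManager authenticationManager) {
        this(authenticationManager, DEFAULT_SIGNING_KEY.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * @param authenticationManager delegate that verifies the submitted credentials
     * @param signingKey HMAC-SHA256 key for issued tokens; must stay secret and should be
     *     at least 32 random bytes
     */
    public JwtPasswordValidator(AuthenticationManager authenticationManager, byte[] signingKey) {
        this.authenticationManager = authenticationManager;
        // Built once here instead of on every successful login.
        this.signingAlgorithm = Algorithm.HMAC256(signingKey);
    }

    /**
     * Reads the "email" and "password" request parameters and submits them to the
     * AuthenticationManager.
     *
     * The original printed the raw password to stdout and logged it at INFO; credentials
     * must never reach logs, so only the login identifier is recorded, at DEBUG.
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        String email = request.getParameter("email");
        String password = request.getParameter("password");
        log.debug("Login attempt for {}", email);
        return authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(email, password));
    }

    /**
     * Issues an HS256 access token for the authenticated principal and returns it in the
     * Authorization header (plus the original "access_token" header).
     *
     * Differences from the original: the token is no longer printed or logged (a logged
     * bearer token is a reusable credential); the subject and authorities are read through
     * the Authentication interface instead of casting the principal to Spring's User, which
     * throws ClassCastException when CustomerService returns its own UserDetails; and the
     * refresh token was removed — it was never sent to the client, and being signed with
     * the same key, the same one-hour expiry and no distinguishing claim it would have
     * been accepted anywhere an access token is.
     */
    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
                                            FilterChain chain, Authentication authResult)
            throws IOException, ServletException {
        long now = System.currentTimeMillis();
        String accessToken = JWT.create()
            .withSubject(authResult.getName())
            .withIssuedAt(new Date(now))
            .withExpiresAt(new Date(now + ACCESS_TOKEN_TTL_MS))
            // NOTE(review): issuer is the login request path, as in the original; a fixed
            // issuer string is the usual choice if the validating side checks "iss".
            .withIssuer(request.getRequestURI())
            .withClaim("roles", authResult.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList()))
            .sign(signingAlgorithm);
        log.info("Issued access token for {}", authResult.getName());
        response.addHeader("Authorization", "Bearer " + accessToken);
        // Kept for compatibility with the original response shape. NOTE(review): confirm
        // the client really expects a bare "token" prefix here rather than "Bearer ".
        response.setHeader("access_token", "token" + accessToken);
    }
}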
您必须在 AppSecurityConfig 的 configure(HttpSecurity http) 方法中注册 JwtPasswordValidator 的实例（问题中的代码其实已经这样做了），例如：
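// Pass an instance — the bare class name is not a valid argument. Because the class extends
// UsernamePasswordAuthenticationFilter, addFilter() places it at that filter's slot; it still
// only fires for POST on the filter's processing URL, so call setFilterProcessesUrl(...) if the
// login endpoint is not the default.
http.addFilter(new JwtPasswordValidator(authenticationManager()));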
您可能还需要创建一个继承 OncePerRequestFilter 的 CustomAuthorizationFilter，用来读取 Authorization 头中的 Bearer 令牌，并用与签发时相同的密钥验证签名和过期时间，再据此填充 SecurityContext；然后在 configure 方法中像下面这样注册它：
// Runs before the login filter on every request; it must verify the token signature and "exp"
// before trusting the "roles" claim, otherwise a forged token grants arbitrary authorities.
http.addFilterBefore(new CustomAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class);
如果需要更多帮助,请随时提出。