我一直在关注this教程以在Spring中获得JWT身份验证,但由于某种原因,过滤器对我不起作用。我已经从Github下载了这个教程项目并且它可以工作,但是我没有,我无法弄清楚为什么......
我将在下面发布一些代码(不介意Kotlin + Java混合,我试图在java中实现安全配置,想想也许这是一个问题)
Initializer.kt
class Initializer : WebApplicationInitializer {
@Throws(ServletException::class)
override fun onStartup(container: ServletContext) {
val context = AnnotationConfigWebApplicationContext()
context.scan("com.newyorkcrew.server.config")
context.scan("com.newyorkcrew.server.domain")
val dispatcher = container.addServlet("dispatcher", DispatcherServlet(context))
dispatcher.setLoadOnStartup(1)
dispatcher.addMapping("/api/*")
}
}
WebConfig.kt
@Bean
fun propertySourcesPlaceholderConfigurer(): PropertySourcesPlaceholderConfigurer {
return PropertySourcesPlaceholderConfigurer()
}
@Configuration
@Import(JPAConfig::class)
@EnableWebMvc
@ComponentScan("com.newyorkcrew.server")
@PropertySources(PropertySource(value = ["classpath:local/db.properties", "classpath:local/security.properties"]))
open class WebConfig {
@Bean
open fun corsConfigurer(): WebMvcConfigurer {
return object : WebMvcConfigurer {
override fun addCorsMappings(registry: CorsRegistry?) {
registry!!.addMapping("/**")
.allowedOrigins("http://localhost:4200", "http://localhost:8080", "http://localhost:8081")
.allowedMethods("GET", "PUT", "POST", "DELETE")
}
}
}
}
WebSecurity.java
@Configuration
@EnableWebSecurity
@ComponentScan("com.newyorkcrew.server.config")
public class WebSecurity extends WebSecurityConfigurerAdapter {
public static String SECRET;
@Value("{security.secret}")
private void setSECRET(String value) {
SECRET = value;
}
@Value("{security.expiration}")
public static long EXPIRATION_TIME;
@Value("{security.header}")
public static String HEADER;
@Value("{security.prefix}")
public static String PREFIX;
public static String SIGN_UP_URL;
@Value("${security.signupurl}")
private void setSignUpUrl(String value) {
SIGN_UP_URL = value;
}
@Autowired
private UserDetailsService userDetailsService;
public WebSecurity(UserDetailsService userDetailsService) {
this.userDetailsService = userDetailsService;
}
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable().authorizeRequests()
.antMatchers(HttpMethod.POST, SIGN_UP_URL).permitAll()
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager()))
.addFilter(new JWTAuthorizationFilter(authenticationManager()));
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/api/**", new CorsConfiguration().applyPermitDefaultValues());
return source;
}
我还实现了UserDetailService,JWTAuthenticationFilter和JWTAuthorizationFilter,但是只要它们没有被击中,我认为它们并不重要。
我已经使用了一段时间的配置并且它们工作了,但是当添加SecurityConfig时,它已初始化,但过滤器由于某种原因不起作用。
如果需要更多代码,我会发布。
编辑:根据要求,执行JWTAuthenticationFilter。
open class JWTAuthenticationFilter(private val authManager: AuthenticationManager) : UsernamePasswordAuthenticationFilter() {
override fun attemptAuthentication(request: HttpServletRequest?, response: HttpServletResponse?): Authentication {
try {
// Build the user DTO from the request
val userDTO = Gson().fromJson(convertInputStreamToString(request?.inputStream), UserDTO::class.java)
// Build the user from the DTO
val user = UserConverter().convertDtoToModel(userDTO)
// Try to authenticate
return authManager.authenticate(UsernamePasswordAuthenticationToken(user.email, user.password, ArrayList()))
} catch (e: Exception) {
throw RuntimeException(e)
}
}
override fun successfulAuthentication(request: HttpServletRequest?, response: HttpServletResponse?,
chain: FilterChain?, authResult: Authentication?) {
val token = Jwts.builder()
.setSubject(authResult?.principal.toString())
.setExpiration(Date(System.currentTimeMillis() + EXPIRATION_TIME))
.signWith(SignatureAlgorithm.HS512, SECRET.toByteArray())
.compact()
response?.addHeader(HEADER, "$PREFIX $token")
}
}
任何帮助表示赞赏。