[我一直关注tutorial to implementing JWT authentication in Spring Boot,但正在尝试使其适应于以下情况:我有两个WebSecurityConfigurerAdapter类,一个用于我的API(/api/**端点),一个用于我的Web前端(所有其他)端点)。在本教程中,JWTAuthenticationFilter被创建为UsernamePasswordAuthenticationFilter的子类并添加到链中。根据作者的说法,此过滤器将自动向“ /login”端点注册自己,但我希望它指向其他地方,例如“ /api/login”,因为我仅对API使用此身份验证方法。
这是API和前端的安全配置代码(有一些缩写):
@EnableWebSecurity
public class MultipleSecurityConfigurations {
@Configuration
@Order(1)
public static class APISecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/api/**")
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.csrf().disable()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager()))
.addFilter(new JWTAuthorizationFilter(authenticationManager()));
}
}
@Configuration
public static class FrontEndSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin()
.loginPage("/login").permitAll()
.defaultSuccessUrl("/")
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/?logout")
.and()
.authorizeRequests()
.mvcMatchers("/").permitAll()
.mvcMatchers("/home").authenticated()
.anyRequest().denyAll()
;
}
}
}
问题是:我如何定义一个端点,例如“ /api/login”作为自定义JWTAuthenticationFilter的端点?
或者,我是否需要将过滤器更改为not作为UsernamePasswordAuthenticationFilter的子类,如果是,该如何配置?
编辑:我尝试过的事情:
我猜想/api/login端点必须为.permitAll(),并且我尝试使用formLogin().loginProcessingUrl(),尽管它实际上不是表单登录-它是JSON登录。这行不通。当我POST到/api/login时,我最终被重定向到HTML登录表单,就像我没有登录一样。而且,我的Spring启动应用程序抛出了一个奇怪的异常:
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
我正在尝试的配置:
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/api/**")
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.csrf().disable()
.formLogin().loginProcessingUrl("/api/login").and()
.authorizeRequests()
.antMatchers("/api/login").permitAll()
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager()))
.addFilter(new JWTAuthorizationFilter(authenticationManager()));
}
JWTAuthenticationFilter是UsernamePasswordAuthenticationFilter,因此您可以直接在过滤器实例上更改登录端点:JWTAuthenticationFilter customFilter = new JWTAuthenticationFilter(authenticationManager());
customFilter.setFilterProcessesUrl("/api/login");
http.addFilter(customFilter);
这将JWTAuthenticationFilter配置为尝试验证对/api/login的POST请求。