Java 验证失败时,Spring筛选器链停止
好的,假设我有一个JwtAuthenticationFilter:Java 验证失败时,Spring筛选器链停止,java,spring,spring-boot,spring-security,jwt,Java,Spring,Spring Boot,Spring Security,Jwt,好的,假设我有一个JwtAuthenticationFilter: public class JwtAuthenticationFilter extends OncePerRequestFilter { @Autowired //blabla @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChai
public class JwtAuthenticationFilter extends OncePerRequestFilter {
@Autowired
//blabla
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
String jwt = extract(request);
if (StringUtils.hasText(jwt) && tokenVerifier.verify(jwt)) {
UserCredential user = getUserCredential(jwt, getTokenSigningKey());
UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(user, null, buildAuthorities(user));
SecurityContextHolder.getContext().setAuthentication(auth);
}
filterChain.doFilter(request, response);
}
}
以及JwtAuthenticationEntryPoint:
@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
AuthenticationException e) throws IOException {
log.error("Responding with unauthorized error.");
httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
httpServletResponse.getWriter().write("Unauthorized");
}
}
然后Web安全配置:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(
securedEnabled = true,
jsr250Enabled = true,
prePostEnabled = true
)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private static final String[] AUTH_WHITELIST = {
"/v3/api-docs/**"
};
@Autowired
private UserDetailsServiceImpl userDetailsService;
@Autowired
private JwtAuthenticationEntryPoint unauthorizedHandler;
@Bean
public JwtAuthenticationFilter jwtAuthenticationFilter() {
return new JwtAuthenticationFilter();
}
@Override
public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder
.userDetailsService(userDetailsService)
.passwordEncoder(passwordEncoder());
}
@Bean(BeanIds.AUTHENTICATION_MANAGER)
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = http
.cors().and().csrf().disable()
.exceptionHandling()
.authenticationEntryPoint(unauthorizedHandler)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
// No need authentication.
.antMatchers(AUTH_WHITELIST).permitAll();
registry.anyRequest().authenticated();
// Add our custom JWT security filter
http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
}
将被执行,我将看到401响应。很好。
但这里的要点是,在方法开始执行后,过滤链将终止。我的意思是任何留下的过滤器都不会被执行。我如何使链持续执行,即使方法开始执行?或任何其他JWT安全机制,即使身份验证失败也不停止筛选链?您总是将请求设置为未经授权,因此无需继续筛选链,因为您的筛选失败。我的猜测是,如果您不将状态设置为“未经授权”,您会提到哪种方法?
commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e)