Java Spring引导配置中的JWT令牌问题
我遇到的问题是,当我调用post请求时:Java Spring引导配置中的JWT令牌问题,java,authentication,spring-security,jwt,Java,Authentication,Spring Security,Jwt,我遇到的问题是,当我调用post请求时:localhost:8080/authenticate 我的应用程序的安全性表明它需要和令牌。当调用请求时,过滤器会对其进行检查,因此这不是目的。现在,安全性要求一个承载令牌,而这是第一个请求,当然它还没有出现。我得到的错误是JWT令牌不是以承载字符串开头的 我的配置方法: @Override protected void configure(WebSecurity web) throws Exception { web.ignor
localhost:8080/authenticate
我的应用程序的安全性表明它需要和令牌。当调用请求时,过滤器会对其进行检查,因此这不是目的。现在,安全性要求一个承载令牌,而这是第一个请求,当然它还没有出现。我得到的错误是JWT令牌不是以承载字符串开头的
我的配置方法:
@Override
protected void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/authenticate");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.cors().disable()
.authorizeRequests()
.antMatchers("/authenticate").permitAll()
.antMatchers("/**/private/**").authenticated()
.anyRequest().permitAll()
.and()
.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class)
.exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint);
}
我的筛选方法:
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws ServletException, IOException {
final String requestTokenHeader = request.getHeader("Authorization");
System.out.println("JWT Request: " + request.getRequestURI());
System.out.println("JWT Contain: " + request.getRequestURI().contains("authenticate"));
String username = null;
String jwtToken = null;
//Remove comment for second approach
if (request.getRequestURI().contains("authenticate") == false) {
System.out.println("Do Noting, Permit It");
chain.doFilter(request, response);
} else if (requestTokenHeader != null && requestTokenHeader.startsWith("Bearer ")) {
jwtToken = requestTokenHeader.substring(7);
try {
username = jwtTokenUtil.getUsernameFromToken(jwtToken);
} catch (IllegalArgumentException e) {
System.out.println("Unable to get JWT Token");
} catch (ExpiredJwtException e) {
System.out.println("JWT Token has expired");
}
} else {
logger.warn("JWT Token does not begin with Bearer String");
}
if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = this.jwtUserDetailsService.loadUserByUsername(username);
if (jwtTokenUtil.validateToken(jwtToken, userDetails)) {
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(
userDetails, null, userDetails.getAuthorities());
usernamePasswordAuthenticationToken
.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
}
}
chain.doFilter(request, response);
}
我的控制器类:
@RestController
@CrossOrigin
public class JwtAuthenticationController {
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private JwtTokenUtil jwtTokenUtil;
@Autowired
private JwtUserDetailsService userDetailsService;
@RequestMapping(value = "/authenticate", method = RequestMethod.POST)
public ResponseEntity<?> createAuthenticationToken(@RequestBody JwtRequest authenticationRequest) throws Exception {
authenticate(authenticationRequest.getUsername(), authenticationRequest.getPassword());
final UserDetails userDetails = userDetailsService
.loadUserByUsername(authenticationRequest.getUsername());
final String token = jwtTokenUtil.generateToken(userDetails);
return ResponseEntity.ok(new JwtResponse(token));
}
@RequestMapping(value = "/register", method = RequestMethod.POST)
public ResponseEntity<?> saveUser(@RequestBody UserDTO user) throws Exception {
return ResponseEntity.ok(userDetailsService.save(user));
}
private void authenticate(String username, String password) throws Exception {
try {
authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
} catch (DisabledException e) {
throw new Exception("USER_DISABLED", e);
} catch (BadCredentialsException e) {
throw new Exception("INVALID_CREDENTIALS", e);
}
}
}
@RestController
@交叉起源
公共类JwtAuthenticationController{
@自动连线
私人AuthenticationManager AuthenticationManager;
@自动连线
私有JwtTokenUtil JwtTokenUtil;
@自动连线
私有JWTUserDetails服务UserDetails服务;
@RequestMapping(value=“/authenticate”,method=RequestMethod.POST)
public ResponseEntity createAuthenticationToken(@RequestBody JwtRequest authenticationRequest)引发异常{
验证(authenticationRequest.getUsername(),authenticationRequest.getPassword());
最终用户详细信息用户详细信息=用户详细信息服务
.loadUserByUsername(authenticationRequest.getUsername());
最终字符串标记=jwtTokenUtil.generateToken(userDetails);
返回ResponseEntity.ok(新JwtResponse(令牌));
}
@RequestMapping(value=“/register”,method=RequestMethod.POST)
公共响应属性saveUser(@RequestBody UserDTO user)引发异常{
返回ResponseEntity.ok(userDetailsService.save(user));
}
私有void身份验证(字符串用户名、字符串密码)引发异常{
试一试{
authenticationManager.authenticate(新用户名PasswordAuthenticationToken(用户名、密码));
}捕获(禁用异常e){
抛出新异常(“用户禁用”,e);
}捕获(BadCredentialsException e){
抛出新异常(“无效的_凭证”,e);
}
}
}
我希望程序能够工作,这样当我发送localhost:8080/authenticate
请求时,就不会有过滤器,但是当我调用其他每个请求时,就会有过滤器来检查令牌是否存在
提前感谢。覆盖方法
配置(WebSecurity web)
忽略/authenticate
端点,使其不会包含在Spring安全筛选器链中,如下所示
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/authenticate");
}
试试这个
http.csrf().disable().cors().disable().authorizeRequests().antMatchers(“/authenticate”).permitAll().anyRequest().authenticated()和().sessionManagement().sessionCreationPolicy(sessionCreationPolicy.STATELESS);http.addFilterBefore(jwtRequestFilter,UsernamePasswordAuthenticationFilter.class)
我编辑了我的问题,我添加了覆盖方法,但它说它需要是公共的?@tomvandenbogart将其公开。