Spring Security authorization on every request in a Java REST application (no login form)
Tags: java, spring, spring-security
In my Spring project I have POST requests like this:
{"clientKey":"XXX", "accessKey":"ZZZ", ... }
My backend works in a very simple paradigm: take the clientKey (login) and accessKey (password) parameters from the POST body, check that they exist in the database, and then run some business logic.
I need to implement minimal security-check logic with Spring Security for every incoming request (no sessions and no tokens).
SecurityConfig.java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every URL requires the USER role; CSRF is switched off for the REST API.
        http.authorizeRequests().antMatchers("/**").hasRole("USER")
            .and().csrf().disable();
        // Register the custom filter ahead of the stock form-login filter.
        http.addFilterBefore(new ApiAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class);
    }
}
ApiAuthorizationFilter.java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

public class ApiAuthorizationFilter extends UsernamePasswordAuthenticationFilter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        //
        // always prints "{}", why?
        //
        Logger.getLogger("test").log(Level.INFO, request.getParameterMap().toString());
        //
        // Ok, I will do some manual auth operations for testing purposes.
        // It seems that this isn't working either..
        //
        Set<SimpleGrantedAuthority> authorities = new HashSet<>(1);
        authorities.add(new SimpleGrantedAuthority("USER"));
        Authentication auth = new UsernamePasswordAuthenticationToken(
                "94fc97a7b3fd2175472ec4a41bcb3b14",
                "746b2aa32fe90f0ba53e6efe7a8d1f1f",
                authorities);
        SecurityContextHolder.getContext().setAuthentication(auth);
        chain.doFilter(request, response);
    }
}
What am I doing wrong? Does UsernamePasswordAuthenticationFilter only work for a login form on submit, or do I need another filter in the security chain?
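One way to get per-request authentication from a JSON body working, written here as an added example and not code from the original question. It assumes Spring Security 4/5 with WebSecurityConfigurerAdapter, the javax.servlet API and Jackson on the classpath; ClientKeyStore, ApiKeyAuthenticationFilter, CachedBodyRequest and ApiSecurityConfig are hypothetical names, and ClientKeyStore is assumed to be a Spring bean backed by the database:

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.util.StreamUtils;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical lookup: the stored accessKey for a clientKey, or null if unknown. */
interface ClientKeyStore { String accessKeyFor(String clientKey); }

/** Authenticates each request from the clientKey/accessKey pair in its JSON body. */
class ApiKeyAuthenticationFilter extends OncePerRequestFilter {
    private final ClientKeyStore store;
    private final ObjectMapper mapper = new ObjectMapper();

    ApiKeyAuthenticationFilter(ClientKeyStore store) { this.store = store; }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // A JSON body is not form data, so getParameterMap() stays empty; read the raw body.
        // The body stream can be consumed only once, so the controller gets a replayable copy.
        byte[] body = StreamUtils.copyToByteArray(request.getInputStream());
        HttpServletRequest replayable = new CachedBodyRequest(request, body);

        String ct = request.getContentType();
        if (ct != null && ct.startsWith("application/json") && body.length > 0) {
            try {
                Map<?, ?> json = mapper.readValue(body, Map.class);
                Object clientKey = json.get("clientKey");
                Object accessKey = json.get("accessKey");
                if (clientKey instanceof String && accessKey instanceof String
                        && matches((String) clientKey, (String) accessKey)) {
                    // hasRole("USER") looks for the authority "ROLE_USER", not "USER".
                    // The 3-arg constructor marks the token authenticated; the secret is not kept.
                    SecurityContextHolder.getContext().setAuthentication(
                            new UsernamePasswordAuthenticationToken(clientKey, null,
                                    Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"))));
                }
            } catch (IOException malformed) {
                // Not valid JSON: leave the request unauthenticated; authorization rejects it.
            }
        }
        chain.doFilter(replayable, response);
    }

    private boolean matches(String clientKey, String presented) {
        String stored = store.accessKeyFor(clientKey);
        // Constant-time comparison so a wrong key cannot be guessed byte by byte from timing.
        return stored != null && MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8));
    }
}

/** Wrapper serving a cached copy of the body so @RequestBody can still read it downstream. */
class CachedBodyRequest extends HttpServletRequestWrapper {
    private final byte[] body;
    CachedBodyRequest(HttpServletRequest request, byte[] body) { super(request); this.body = body; }

    @Override
    public ServletInputStream getInputStream() {
        ByteArrayInputStream in = new ByteArrayInputStream(body);
        return new ServletInputStream() {   // getReader() would need the same treatment if used
            @Override public int read() { return in.read(); }
            @Override public boolean isFinished() { return in.available() == 0; }
            @Override public boolean isReady() { return true; }
            @Override public void setReadListener(ReadListener listener) { /* blocking reads only */ }
        };
    }
}

@Configuration
@EnableWebSecurity
class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
    private final ClientKeyStore store;
    ApiSecurityConfig(ClientKeyStore store) { this.store = store; }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            // No HttpSession: every request must carry its own credentials.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().authorizeRequests().anyRequest().hasRole("USER")
            // Runs ahead of the form-login filter, which only reacts to POST /login anyway.
            .and().addFilterBefore(new ApiKeyAuthenticationFilter(store),
                                   UsernamePasswordAuthenticationFilter.class);
    }
}
```

Two design points are worth spelling out. The filter extends OncePerRequestFilter rather than UsernamePasswordAuthenticationFilter: the stock filter's own logic only triggers on a form POST to /login, and overriding its doFilter throws that logic away while keeping its name. And the example compares the presented accessKey against what the store returns; in production the database should hold a hash of the accessKey (for a high-entropy random key a plain SHA-256 is acceptable) and the comparison should be done on the hashes, so a database leak does not hand out working credentials.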