
Java: Spring Security 5 API key filter

Tags: java, spring-boot, spring-security

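I am trying to create a filter with Spring Security 5 and Boot 2 that protects some, but not all, endpoints using an API key and session. However, after the filter authenticates, it redirects to "/" instead of the original URL, because SavedRequestAwareAuthenticationSuccessHandler has an empty request cache and returns the default "/".

How can I make it continue to the target resource instead of "/", and why does it work this way?

I would also appreciate it if someone could explain to me why AbstractPreAuthenticatedProcessingFilter is designed to continue the filter chain after a successful full authentication, while AbstractAuthenticationProcessingFilter is not.

Here is the security configuration class: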

    @Configuration
    @Order(SecurityProperties.BASIC_AUTH_ORDER - 10)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Value("${secret.admin.api.key}")
        String validApiKey;

        @Override
        protected void configure(AuthenticationManagerBuilder builder) throws Exception {
            builder.authenticationProvider(new ApiKeyAuthenticationProvider(validApiKey));
        }

        @Override
        protected void configure(HttpSecurity security) throws Exception {
            security
                .csrf().disable()
                .sessionManagement()
                    .sessionCreationPolicy(STATELESS)
                    .and()
                .addFilterBefore(new ApiKeyAuthenticationFilter(authenticationManager()), AnonymousAuthenticationFilter.class)
                .requestMatchers()
                    .antMatchers("/v1/admin/**")
                    .antMatchers("/actuator/**")
                    .and()
                .authorizeRequests().anyRequest().authenticated();
        }
    }

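My filter matches requests that have an Authorization header with a custom value. It extracts the API key from the header and passes a token with the principal and credentials (the API key) to the authentication manager.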

    public class ApiKeyAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
        //...
        @Override
        public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
                throws AuthenticationException, IOException, ServletException {
            var apiKey = extractApiKey(request.getHeader(AUTHORIZATION));
            var token = new ApiKeyAuthenticationToken(apiKey);
            var authentication = getAuthenticationManager().authenticate(token);
            return authentication;
        }
        //...
    }

The following class verifies the credentials, and creates a token with a principal and without credentials and authenticates it:

    public class ApiKeyAuthenticationProvider implements AuthenticationProvider {
        // ...
        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            var apiKey = (String) authentication.getCredentials();
            if (validApiKey.equals(apiKey)) {
                var auth = new ApiKeyAuthenticationToken();
                auth.setAuthenticated(true);
                return auth;
            } else {
                throw new BadCredentialsException("Bad ApiKey credentials");
            }
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return ApiKeyAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

And the logs:

OrRequestMatcher: Trying to match using Ant [pattern='/v1/admin/**']
AntPathRequestMatcher: Checking match of request : '/v1/admin/namespace'; against '/v1/admin/**'
OrRequestMatcher: matched
FilterChainProxy$VirtualFilterChain: /v1/admin/namespace at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
FilterChainProxy$VirtualFilterChain: /v1/admin/namespace at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
FilterChainProxy$VirtualFilterChain: /v1/admin/namespace at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
FilterChainProxy$VirtualFilterChain: /v1/admin/namespace at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
[...]
FilterChainProxy$VirtualFilterChain: /v1/admin/namespace at position 5 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
FilterChainProxy$VirtualFilterChain: /v1/admin/namespace at position 6 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
FilterChainProxy$VirtualFilterChain: /v1/admin/namespace at position 7 of 11 in additional filter chain; firing Filter: 'ApiKeyAuthenticationFilter'
ProviderManager: Authentication attempt using ....security.ApiKeyAuthenticationProvider
AbstractAuthenticationTargetUrlRequestHandler: Using default Url: /
DefaultRedirectStrategy: Redirecting to '/'

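I tried to make this work based on.

I had to override the successfulAuthentication method in the filter and continue the chain to make it work: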

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, Authentication authResult) throws IOException, ServletException {
        log.info("Successfully authenticated");
        SecurityContextHolder.getContext().setAuthentication(authResult);
        chain.doFilter(request, response);
    }
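
An alternative to the override above, as an added example that is not part of the original thread: a per-request API key filter built on `OncePerRequestFilter`, which has no success handler and therefore never redirects. The class name `HeaderApiKeyFilter`, the `ApiKey ` header scheme and the principal name are assumptions, and the sketch checks the key inline instead of going through the question's `AuthenticationManager`.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example (hypothetical class): authenticates each request from its header, then continues the chain.
public class HeaderApiKeyFilter extends OncePerRequestFilter {
    private static final String SCHEME = "ApiKey "; // assumed header scheme, not from the page
    private final byte[] validApiKey;

    public HeaderApiKeyFilter(String validApiKey) {
        this.validApiKey = validApiKey.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith(SCHEME)) {
            // No key presented: leave the security context empty so the
            // authorization rules reject the request later in the chain.
            chain.doFilter(request, response);
            return;
        }
        byte[] presented = header.substring(SCHEME.length()).getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual compares without exiting at the first differing byte,
        // unlike String.equals, so response timing does not leak a matching prefix.
        if (!MessageDigest.isEqual(validApiKey, presented)) {
            SecurityContextHolder.clearContext();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Bad API key");
            return;
        }
        // The three-argument constructor yields an already-authenticated token;
        // "api-client" is a constructed principal name and no credentials are retained.
        Authentication auth = new UsernamePasswordAuthenticationToken(
                "api-client", null, AuthorityUtils.NO_AUTHORITIES);
        SecurityContextHolder.getContext().setAuthentication(auth);
        chain.doFilter(request, response); // proceed to the requested resource, no redirect
    }
}
```

It can be registered the same way as in the question's configuration, with `addFilterBefore(new HeaderApiKeyFilter(validApiKey), AnonymousAuthenticationFilter.class)`.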