Fatal编程技术网
  • spring-boot/
  • Spring boot 获取jwt授权中的authenticationProvider时出现问题

Spring boot 获取jwt授权中的authenticationProvider时出现问题

spring-boot spring-security

Spring boot 获取jwt授权中的authenticationProvider时出现问题,spring-boot,spring-security,Spring Boot,Spring Security,我在SecurityConfig类的configure方法中遇到错误,其代码如下: package com.sumit.Security; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; imp

我在SecurityConfig类的configure方法中遇到错误,其代码如下:

package com.sumit.Security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

import com.sumit.Repo.UserRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    UserDetailsService userDetailsService;
    @Autowired
private UserRepository userRepository;



    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider());
        }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
           http
           // remove csrf and state in session because in jwt we do not need them
           .csrf().disable()
           .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
           .and()
           .addFilter(new JwtAuthenticationFilter(authenticationManager()))
           .addFilter(new JwtAuthorizationFilter(authenticationManager(),userRepository))
           .authorizeRequests()
           // configure access rules
           .antMatchers("/register").permitAll()
           .antMatchers("/admin").hasRole("ADMIN")
           .antMatchers("/user").hasAnyRole("ADMIN","USER")
           .antMatchers("/management").hasAnyRole("MANAGER","ADMIN")
           .antMatchers("/page1").hasAnyAuthority("ROLE_ADMIN","ACCESS_PAGE1")
           .antMatchers("/page2").hasAnyAuthority("ROLE_ADMIN","ACCESS_PAGE2")
           .anyRequest().authenticated();
//           .and()
//           .formLogin()
//           .loginPage("/login")
//           .usernameParameter("username")
//           .passwordParameter("password").successForwardUrl("/welcome")
//          .permitAll();


    }

    @Bean
    DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
        daoAuthenticationProvider.setPasswordEncoder(passwordEncoder());
        daoAuthenticationProvider.setUserDetailsService(this.userDetailsService);
        return daoAuthenticationProvider;
    }



    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
在上面的代码中,错误在这里
auth.authenticationProvider(authenticationProvider())
代码得到了很好的编译,但由于这一点,我得到了403禁止。这里的流量越来越小

JWTAuthenticationFilter类位于此处


package com.sumit.Security;

import static com.auth0.jwt.algorithms.Algorithm.HMAC512;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Date;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import com.auth0.jwt.JWT;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.sumit.Repo.UserRepository;


public class JwtAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    private AuthenticationManager authenticationManager;

    public JwtAuthenticationFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        LoginModel credentials = null;
    try {
            credentials = new ObjectMapper().readValue(request.getInputStream(), LoginModel.class);
        } catch (Exception e) {
            e.printStackTrace();
        }

        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(
                credentials.getUsername(), credentials.getPassword(), new ArrayList<>());

        Authentication auth = authenticationManager.authenticate(usernamePasswordAuthenticationToken);
        return auth;
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
            Authentication authResult) throws IOException, ServletException {
        UserPrincipal principal = (UserPrincipal) authResult.getPrincipal();
        String token = JWT.create()
                .withSubject(principal.getUsername())
                .withExpiresAt(new Date(System.currentTimeMillis() + JWTProperties.EXPIRATION_TIME))
                .sign(HMAC512(JWTProperties.SECRET.getBytes()));

        response.addHeader(JWTProperties.HEADER_STRING, JWTProperties.TOKEN_PREFIX + token);
    }




}



package com.sumit.Security;

import static com.auth0.jwt.algorithms.Algorithm.HMAC512;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

import com.auth0.jwt.JWT;
import com.sumit.Repo.UserRepository;

public class JwtAuthorizationFilter extends BasicAuthenticationFilter {
    @Autowired
private UserRepository userRepository;
    public JwtAuthorizationFilter(AuthenticationManager authenticationManager,UserRepository userRepository
            ) {
        super(authenticationManager);

    }

    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        // Read the Authorization header, where the JWT token should be
        String header = request.getHeader(JWTProperties.HEADER_STRING);

        // If header does not contain BEARER or is null delegate to Spring impl and exit
        if (header == null || !header.startsWith(JWTProperties.TOKEN_PREFIX)) {
            chain.doFilter(request, response);
            return;
        }

        // If header is present, try grab user principal from database and perform authorization
        Authentication authentication = getUsernamePasswordAuthentication(request);
        SecurityContextHolder.getContext().setAuthentication(authentication);

        // Continue filter execution
        chain.doFilter(request, response);
    }

    private Authentication getUsernamePasswordAuthentication(HttpServletRequest request) {
        String token = request.getHeader(JWTProperties.HEADER_STRING)
                .replace(JWTProperties.TOKEN_PREFIX,"");

        if (token != null) {
            // parse the token 
            String userName = JWT.require(HMAC512(JWTProperties.SECRET.getBytes()))
                    .build()
                    .verify(token)
                    .getSubject();

               if (userName != null) {
                User user = userRepository.findByUsername(userName);
                UserPrincipal principal = new UserPrincipal(user);
                UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(userName, null, principal.getAuthorities());
                return auth;
            }
            return null;
        }
        return null;
    }

}


用户注册过程工作正常,但由于上述代码,身份验证无法工作。
我正在使用邮递员来验证它。

不知道我正面临着什么样的麻烦,而且完全受挫。
如果您使用spring security调试日志运行应用程序,它会告诉您失败的原因。unsuccessfulAuthentication方法将在成功身份验证的位置被调用。这是我在使用debugging时发现的问题,我认为您理解错了,
logging.level.org.springframework.security:DEBUG
在您的应用程序中。properties将向您显示spring security的调试日志,它将告诉您幕后发生了什么。是的,我理解,但我无法获得任何解决方案。问题是它正在调用
unsuccessfuldauthentication
方法代替
successfuldauthentication
,同时调试authanticate=true,但我也不明白它为什么调用
unsuccessfuldauthentication
method@Toerktumlare .... 你真的救了我的命。。。。我花了两个小时试图弄清楚我的身份验证失败的原因,然后我照你说的做了,令我恐惧的是,我发现身份验证失败是因为帐户被锁定了,在实现userDetails接口时忘记了返回true,因为默认值为false。万分感谢!