Warning: file_get_contents(/data/phpspider/zhask/data//catemap/2/ionic-framework/2.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Spring security spring过滤器适用于所有api URL错误_Spring Security_Spring Java Config - Fatal编程技术网
Fatal编程技术网
  • spring-security/
  • Spring security spring过滤器适用于所有api URL错误

Spring security spring过滤器适用于所有api URL错误

spring-security

Spring security spring过滤器适用于所有api URL错误,spring-security,spring-java-config,Spring Security,Spring Java Config,我不熟悉spring安全性,问题是过滤器应用于所有请求URL/api/user/signup。我想排除通过筛选器的路径/api/user/signup。我甚至试着跟随 web.ignoring() .antMatchers("/api/user/**") .antMatchers("/api/user/signup") 但过滤器再次应用于它。筛选器需要authkey令牌和注册请求 显然没有代币。当它找不到令牌时,它将通过异常 @Configura

我不熟悉spring安全性,问题是过滤器应用于所有请求URL<代码>/api/user/signup。我想排除通过筛选器的路径
/api/user/signup
。我甚至试着跟随

web.ignoring()
            .antMatchers("/api/user/**")
            .antMatchers("/api/user/signup")
但过滤器再次应用于它。筛选器需要authkey令牌和注册请求 显然没有代币。当它找不到令牌时,它将通过异常

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
AuthenticationTokenProcessingFilter authenticationTokenFilter;
@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring()
    .antMatchers("/api/user/**")
    .antMatchers("/api/user/signup")

    ;
}
@Override
protected void configure(HttpSecurity http) throws Exception {


    http
    .csrf().disable()
    .authorizeRequests()   

    //allow anonymous POSTs to login
    .antMatchers("/api/user/signup").permitAll()

    //allow anonymous GETs to API
    .antMatchers(HttpMethod.GET, "/api/**").permitAll()
    .and()
    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)     
    .and()
     .addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class)    
      ;
}
这是我的令牌过滤器类

@Component
public class AuthenticationTokenProcessingFilter extends GenericFilterBean {

  //  @Autowired UserService userService;
   @Autowired 
   TokenHandler tokenUtils;
   @Autowired
    AuthenticationManager authManager;

    public AuthenticationTokenProcessingFilter(AuthenticationManager authManager) {
        this.authManager = authManager;
    }

    public AuthenticationTokenProcessingFilter() {
        super();
        // TODO Auto-generated constructor stub
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        @SuppressWarnings("unchecked")

        HttpServletRequest req = (HttpServletRequest) request;

        SecurityContext context = SecurityContextHolder.getContext();

        if (context.getAuthentication() != null && context.getAuthentication().isAuthenticated()) {
            // do nothing
        }else {

            //System.out.println("Not Authenticated");
        if(req != null && req.getHeader("authKey") != null && req.getHeader("authKey").length() >0 ) {
            String token = req.getHeader("authKey"); 
           System.out.println("Found Token:"+req.getHeader("authKey"));
            // validate the token
            User userDetails = tokenUtils.parseUserFromToken(token);

                     List<GrantedAuthority> grantedAuths = new ArrayList<>();
                     grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
                     Authentication  authentication = 
                        new UsernamePasswordAuthenticationToken(userDetails.getEmail(), userDetails.getPassword(),grantedAuths);

                // set the authentication into the SecurityContext

                SecurityContextHolder.getContext().setAuthentication(authentication);         


           System.out.println("Is Authenticated:?"+  context.getAuthentication().isAuthenticated());
        // continue thru the filter chain
           chain.doFilter(request, response);
           System.out.println(" request is delegeted");
        }else{ 

                // Do your business stuff here for all paths other than /specialpath.
                System.out.println(" Token Not Found");
                throw new ServletException("Token not found in Request");           

        }

    }
}
解决方案之一是根据传入的URL跳过过滤器逻辑。 排队后:

HttpServletRequest req = (HttpServletRequest) request;

AuthenticationTokenProcessingFilter
的方法
doFilter
中添加以下代码:

if (new AntPathRequestMatcher("/api/user/signup").matches(req))) {
    chain.doFilter(request, response);
    return;
}
当然,在
doFilter
方法中硬编码URL不是一个好的做法-您可以从
SecurityConfig.configure
方法将该URL传递给您的过滤器。另外,可以优化新的AntPathRequestMatcher,只需创建一次并放入一个字段变量。

解决方案是模仿具有多个
块的好的旧名称空间方式。通过Java配置,您还可以有多个类扩展
websecurityConfigureAdapter
。Spring安全参考手册对此有详细的说明。摘录:

@EnableWebSecurity
public class MultiHttpSecurityConfig {
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) { 1
        ...
    }

    @Configuration
    @Order(1)                                                        2
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")                               3
                ...
        }
    }

    @Configuration                                                   4
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .formLogin()
                ...
        }
    }
}
注:

  • 正常配置
    身份验证
  • 创建包含
    @Order
    websecurityConfigureAdapter
    实例,以指定应首先考虑哪个
    websecurityConfigureAdapter
  • http.antMatcher
    声明此
    HttpSecurity
    仅适用于以
    /api/
    开头的URL
  • 创建
    websecurityConfigureAdapter
    的另一个实例。如果URL不是以
    /api/
    开头,则将使用此配置(无
    @Order
    默认为最后一个)
    • 通过使用'@Component'注释过滤器,您告诉Spring将其添加到嵌入式容器中

    任何作为Springbean的Servlet、Filter或Servlet*侦听器实例都将在嵌入式容器中注册。如果要在配置过程中引用application.properties中的值,这将非常方便

    因此,
    .addFilterBefore(authenticationTokenFilter,UsernamePasswordAuthenticationFilter.class)
    此行没有影响

    要修复它,请删除@Component和@Autowired并构造自己的实例,不要将其变成bean

    @EnableWebSecurity
public class MultiHttpSecurityConfig {
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) { 1
        ...
    }

    @Configuration
    @Order(1)                                                        2
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")                               3
                ...
        }
    }

    @Configuration                                                   4
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .formLogin()
                ...
        }
    }
}