
Spring: AuthenticationEvent not published when an error occurs while decoding a JWT


Because my validator fails, an error occurs while attempting to decode the JWT, and I cannot catch the authentication failure event. I am using Spring Security 5.2.1. Note that when I do not pass a token in the "Authorization" header at all, I do catch the authentication failure event. I suppose some additional Spring configuration is required.

Exception thrown:

org.springframework.security.oauth2.core.OAuth2AuthenticationException: An error occurred while attempting to decode the Jwt: This aud claim does not contain configured audience
The audit implementation is as described here:

Current Spring Security configuration:

import java.security.interfaces.RSAPublicKey;
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Error returned by the audience validator; the description is what shows up in
    // the OAuth2AuthenticationException message quoted above.
    private static final OAuth2Error INVALID_AUDIENCE =
            new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST,
                    "This aud claim does not contain configured audience",
                    "https://tools.ietf.org/html/rfc6750#section-3.1");

    @Value("${spring.security.oauth2.claim-to-validate.audience}")
    private String audience;

    @Value("${spring.security.oauth2.claim-to-validate.scope}")
    private String scope;

    @Value("${spring.security.oauth2.resourceserver.jwt.public-key-location:#{null}}")
    private RSAPublicKey publicKeyLocation;

    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri:#{null}}")
    private String jwkSetUri;

    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri:#{null}}")
    private String issuerUri;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/v1/resource/**")
                .hasAuthority("SCOPE_" + scope)
                .and()
                .oauth2ResourceServer()
                .jwt();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication();
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        final JwtDecoder jwtDecoder;

        // Exactly one key source is expected: a local public key, a JWK Set URI or an
        // OIDC issuer whose discovery document points at the JWK Set.
        if (publicKeyLocation != null) {
            jwtDecoder = NimbusJwtDecoder.withPublicKey(publicKeyLocation).build();
        } else if (StringUtils.hasLength(jwkSetUri)) {
            jwtDecoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        } else if (StringUtils.hasLength(issuerUri)) {
            jwtDecoder = JwtDecoders.fromOidcIssuerLocation(issuerUri);
        } else {
            throw new IllegalStateException(
                    "Invalid OAuth2 configuration: provide value for any of " +
                            "'publicKeyLocation', 'jwkSetUri' or 'issuerUri'");
        }

        // setJwtValidator replaces the decoder's default validators (exp/nbf and, for the
        // issuer-based decoder, iss), so the audience check is chained after them rather
        // than installed on its own, which would silently drop expiry validation.
        final OAuth2TokenValidator<Jwt> defaults = StringUtils.hasLength(issuerUri)
                ? JwtValidators.createDefaultWithIssuer(issuerUri)
                : JwtValidators.createDefault();
        ((NimbusJwtDecoder) jwtDecoder).setJwtValidator(
                new DelegatingOAuth2TokenValidator<>(defaults, audienceValidator(audience)));

        return jwtDecoder;
    }

    OAuth2TokenValidator<Jwt> audienceValidator(String audience) {
        return jwt -> {
            Assert.notNull(jwt, "token cannot be null");

            // A token without an aud claim yields null here, which must fail, not NPE.
            final List<String> audiences = jwt.getAudience();

            return audiences != null && audiences.contains(audience) ?
                    OAuth2TokenValidatorResult.success() :
                    OAuth2TokenValidatorResult.failure(INVALID_AUDIENCE);
        };
    }
}

Update Spring Security to 5.3.0 or later and declare a custom AuthenticationEventPublisher bean in your Spring Security configuration, as follows:

import java.util.Properties;

import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationEventPublisher;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;

@Bean
public AuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) {
    // Map the exception raised by the JWT decoder to a failure event. Without this
    // mapping DefaultAuthenticationEventPublisher has no event class for
    // OAuth2AuthenticationException and publishes nothing, which is the silence
    // described in the question.
    final Properties properties = new Properties();
    properties.put(
        OAuth2AuthenticationException.class.getCanonicalName(),
        AuthenticationFailureBadCredentialsEvent.class.getCanonicalName());

    final DefaultAuthenticationEventPublisher eventPublisher = new DefaultAuthenticationEventPublisher(publisher);
    eventPublisher.setAdditionalExceptionMappings(properties);

    return eventPublisher;
}
Note that in 5.3.0 you can add the mapping directly, without the Properties structure.


If you need to stay on 5.2.x, use the workaround pointed out here:
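To see what the mapping in the answer buys, this added example (not code from the question or the answer) drives a DefaultAuthenticationEventPublisher directly, without a Spring context, with the same invalid-audience exception the question shows, and formats the resulting event the way an audit listener would. The captured-list sink, the auditLine method and the sample token string are constructed for the demo.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;

public class JwtFailureAuditDemo {
    // Constructed audit formatter; in an application this would be an @EventListener
    // method on a @Component that receives AbstractAuthenticationFailureEvent.
    static String auditLine(AbstractAuthenticationFailureEvent event) {
        String reason = event.getException().getMessage();
        if (event.getException() instanceof OAuth2AuthenticationException) {
            OAuth2Error error = ((OAuth2AuthenticationException) event.getException()).getError();
            reason = error.getErrorCode() + ": " + error.getDescription();
        }
        // event.getAuthentication().getPrincipal() is deliberately not logged: for a
        // BearerTokenAuthenticationToken it is the raw bearer token.
        return "AUTH_FAILURE event=" + event.getClass().getSimpleName() + " reason=" + reason;
    }

    public static void main(String[] args) {
        // Stand-in for the application context: collects whatever gets published.
        List<ApplicationEvent> captured = new ArrayList<>();
        ApplicationEventPublisher sink = event -> captured.add((ApplicationEvent) event);

        DefaultAuthenticationEventPublisher publisher = new DefaultAuthenticationEventPublisher(sink);
        Properties mappings = new Properties();
        mappings.put(OAuth2AuthenticationException.class.getCanonicalName(),
                AuthenticationFailureBadCredentialsEvent.class.getCanonicalName());
        publisher.setAdditionalExceptionMappings(mappings);

        // The failure from the question: the audience validator rejected the token.
        OAuth2Error invalidAudience = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST,
                "This aud claim does not contain configured audience",
                "https://tools.ietf.org/html/rfc6750#section-3.1");
        Authentication attempt = new BearerTokenAuthenticationToken("constructed.sample.token");
        publisher.publishAuthenticationFailure(new OAuth2AuthenticationException(invalidAudience), attempt);

        for (ApplicationEvent event : captured) {
            System.out.println(auditLine((AbstractAuthenticationFailureEvent) event));
        }
    }
}
```

Removing the setAdditionalExceptionMappings call leaves the captured list empty on 5.2, which reproduces the missing event from the question.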

I found this to be related: . I have created a publisher but do not know whether it needs to be registered.

There is also an old but related topic: . I have added custom mappings to the AuthenticationEventPublisher (via setAdditionalExceptionMappings(Properties props)), but during testing it somehow gets reset.

In 5.3.0 a saner approach was added: .

I think I found it, unfortunately: . Every step I take points there.