英文:
How to configure webSecurity for username and password with jwt?
问题
我想配置服务器,使用JWT进行用户名和密码的身份验证。我想只允许公开访问注册端点,其他端点需要登录。但显然,注册端点仍然进入JWT身份验证过滤器,并返回状态码200,但实际上没有执行任何操作。
对于其他端点,它返回状态码403,但我希望是401。
以下是httpSecurity的配置:
private static final String SIGN_UP_URL = "/users/sign-up";
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable().authorizeRequests()
.antMatchers(HttpMethod.POST, SIGN_UP_URL).permitAll()
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager()))
.addFilter(new JWTAuthorizationFilter(authenticationManager()))
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
JWTAuthenticationFilter扩展了UsernamePasswordAuthenticationFilter
JWTAuthorizationFilter扩展了BasicAuthenticationFilter
编辑:这是我的POST请求示例:
@PostMapping("/sign-up")
public ResponseEntity<AddUserResult> signUp(@RequestBody AddUserCommand command) {
return new ResponseEntity<>(bus.executeCommand(command), HttpStatus.CREATED);
}
英文:
I want to configure the server for authentication with username and password using JWT. I want to allow only the sign-up endpoint to be allowed publicly, the others requiring to be logged in. But apparently the sign-up endpoint still enters in the JWTAuthenticationFilter and returns 200 with no action done whatsoever.
For the rest of the endpoints it returns 403, when I would expect 401.
Below is the httpSecurity configuration:
private static final String SIGN_UP_URL = "/users/sign-up";
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable().authorizeRequests()
.antMatchers(HttpMethod.POST, SIGN_UP_URL).permitAll()
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager()))
.addFilter(new JWTAuthorizationFilter(authenticationManager()))
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter <br/>
JWTAuthorizationFilter extends BasicAuthenticationFilter
Edit: This is how my post request looks like:
@PostMapping("/sign-up")
public ResponseEntity<AddUserResult> signUp(@RequestBody AddUserCommand command) {
return new ResponseEntity<>(bus.executeCommand(command), HttpStatus.CREATED);
}
答案1
得分: 1
你可以尝试以下方法,只需提及您想要在没有身份验证的情况下加载的注册或登录URL。通过这种方式,您将能够在没有任何身份验证的情况下访问URL。
此外,在Controller方法中,如果您不提及@PreAuthorize注解,将会很好。
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/auth/login").permitAll()
.anyRequest().authenticated();
http.csrf().disable();
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.addFilterBefore(new JwtTokenFilter(userDetailsService), UsernamePasswordAuthenticationFilter.class);
}
@PostMapping(value = "/signup")
public User signup(@RequestBody @Valid SignUpRequest signUpRequest) {
return userService.signup(signUpRequest)
.orElseThrow(() -> new HttpServerErrorException(HttpStatus.BAD_REQUEST, "User Already Exists"));
}
英文:
You can try the follwing , just mention the sign up or login URL that you want to be loaded without authentication . In this was you will be able to access the URL without any authentication.
Also in Controller method , it would be good If you do not mention @PreAuthorize annotation
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/auth/login").permitAll()
.anyRequest().authenticated();
http.csrf().disable();
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.addFilterBefore(new JwtTokenFilter(userDetailsService), UsernamePasswordAuthenticationFilter.class);
}
@PostMapping(value = "/signup")
public User signup(@RequestBody @Valid SignUpRequest signUpRequest) {
return userService.signup(signUpRequest)
.orElseThrow(() -> new HttpServerErrorException(HttpStatus.BAD_REQUEST, "User Already Exists"));
}
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论