spring security的permitAll()在JWT认证过滤器中不起作用。

huangapple
go评论217阅读模式
英文:

spring security permitAll() not working for JWT Authentication filter

问题

问题出在使用了自定义的JWT身份验证过滤器的应用程序上,该过滤器扩展了UsernamePasswordAuthenticationFilter,该过滤器接受用户凭据并返回一个长期有效的JWT。

问题似乎出在permitAll()上,它应该绕过自定义的授权过滤器。然而,在调试模式下,我可以看到首先调用了自定义的JwtAuthorizationFilter而不是自定义的JwtAuthenticationFilter过滤器,这最终导致了403禁止访问的响应。

请注意.antMatchers(HttpMethod.POST, "/login").permitAll()这一行。由于在用户尚未登录时尚未生成JWT,因此应该可以访问/login端点而无需JWT。

以下是您的代码片段:

  1. // JwtAuthenticationFilter.java
  2. public class JwtAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
  3.     // ...
  4. }
  6. // JwtAuthorizationFilter.java
  7. public class JwtAuthorizationFilter extends BasicAuthenticationFilter {
  8.     // ...
  9. }
  11. // SecurityConfiguration.java
  12. @Configuration
  13. @EnableWebSecurity
  14. public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
  15.     // ...
  16. }

请求和响应的截图没有完整显示,所以如果您需要关于问题的更多信息,请提供完整的请求和响应内容。

英文:

The issue is with the app uses custom JWT authentication filter which extends UsernamePasswordAuthenticationFilter which accepts user credentials and generates a long-lived JWT in return.

The issue seems to be with permitAll() which should bypass custom Authorization filter.However in debug mode I could see call to custom JwtAuthorizationFilter first instead of custom JwtAuthenticationFilter Filter which eventually results with 403 forbidden Access denied response.

Note the .antMatchers(HttpMethod.POST, "/login").permitAll() line. /login endpoint should be accessible without JWT since the JWT has not yet been generated when the user has not yet logged in.

Below is my code

> JwtAuthenticationFilter.java

  1. public class JwtAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
  2. 	//
  3. 	private AuthenticationManager authenticationManager;
  5. 	private final static UrlPathHelper urlPathHelper = new UrlPathHelper();
  7. 	public JwtAuthenticationFilter(AuthenticationManager authenticationManager) {
  8. 		this.authenticationManager = authenticationManager;
  9. 		setFilterProcessesUrl("/login");
  10. 	}
  12. 	/**
  13. 	 * Trigger when we issue POST request to login / we also need to pass in
  14. 	 * {"username: " username, "password": password} in the request body
  15. 	 */
  16. 	@Override
  17. 	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
  18. 			throws AuthenticationException {
  20. 		// Grab credentials and map them to login viewmodel
  22. 		LoginViewModel credentials = null;
  24. 		try {
  25. 			credentials = new ObjectMapper().readValue(request.getInputStream(), LoginViewModel.class);
  26. 		} catch (IOException e) {
  27. 			e.printStackTrace();
  28. 		}
  30. 		// Create login token
  31. 		UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(
  32. 				credentials.getUsername(), credentials.getPassword(), new ArrayList<>());
  34. 		// Authenciate user
  35. 		Authentication auth = authenticationManager.authenticate(authenticationToken);
  37. 		return auth;
  38. 	}
  40. 	@Override
  41. 	protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
  42. 			Authentication authResult) throws IOException, ServletException {
  43. 		// Grab principal
  44. 		UserPrincipal principal = (UserPrincipal) authResult.getPrincipal();
  46. 		// Create JWT Token
  47. 		String token = JWT.create().withSubject(principal.getUsername())
  48. 				.withExpiresAt(new Date(System.currentTimeMillis() + JwtProperties.EXPIRATION_TIME))
  49. 				.sign(HMAC512(JwtProperties.SECRET.getBytes()));
  51. 		// add token in response
  52. 		response.addHeader(JwtProperties.HEADER_STRING, JwtProperties.TOKEN_PREFIX + token);
  53. 	}
  55. 	@Override
  56. 	protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
  57. 			AuthenticationException failed) throws IOException, ServletException {
  58. 		logger.debug("failed authentication while attempting to access "
  59. 				+ urlPathHelper.getPathWithinApplication((HttpServletRequest) request));
  61. 		// Add more descriptive message
  62. 		response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication Failed");
  63. 	}
  65. }

> JwtAuthorizationFilter.java

  1. public class JwtAuthorizationFilter extends BasicAuthenticationFilter {
  3.     private UserRepository userRepository;
  5.     public JwtAuthorizationFilter(AuthenticationManager authenticationManager, UserRepository userRepository) {
  6.         super(authenticationManager);
  7.         this.userRepository = userRepository;
  8.     }
  10.     @Override
  11.     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
  13.         //Read the Authorization header, where the JWT token should be
  14.         String header = request.getHeader(JwtProperties.HEADER_STRING);
  16.         //If header does not contain BEARER or is null delegate to Spring impl and exit
  17.         if (header == null || !header.startsWith(JwtProperties.TOKEN_PREFIX)) {
  18.             chain.doFilter(request, response);
  19.             return;
  20.         }
  23.         // If header is present, try grab user principal from db and perform authorization
  24.         Authentication authentication = getUsernamePasswordAuthentication(request);
  25.         SecurityContextHolder.getContext().setAuthentication(authentication);
  27.         // Continue filter execution
  28.         chain.doFilter(request, response);
  29.     }
  31.     private Authentication getUsernamePasswordAuthentication(HttpServletRequest request){
  32.         String token = request.getHeader(JwtProperties.HEADER_STRING)
  33.                 .replace(JwtProperties.TOKEN_PREFIX, "");
  35.         if(token !=null){
  36.             //parse the token validate it
  37.             String userName = JWT.require(Algorithm.HMAC512(JwtProperties.SECRET.getBytes()))
  38.                     .build()
  39.                     .verify(token)
  40.                     .getSubject();
  41.             // Search in the DB if we find the user by token subject(username)
  42.             // If so, then grab user details and create auth token using username, pass, authorities/roles
  44.             if(userName != null){
  45.                 User user = userRepository.findByUsername(userName);
  46.                 UserPrincipal principal = new UserPrincipal(user);
  47.                 UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(userName, null, principal.getAuthorities());
  48.                 return authenticationToken;
  49.             }
  50.             return null;
  51.         }
  52.         return null;
  53.     }
  54. }

> SecurityConfiguration.java

  1. Configuration
  2. @EnableWebSecurity
  3. public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
  5. 	private UserPrincipalDetailsService userPrincipalDetailsService;
  6. 	private UserRepository userRepository;
  8. 	public SecurityConfiguration(UserPrincipalDetailsService userPrincipalDetailsService,
  9. 			UserRepository userRepository) {
  10. 		this.userPrincipalDetailsService = userPrincipalDetailsService;
  11. 		this.userRepository = userRepository;
  12. 	}
  14. 	@Override
  15. 	protected void configure(AuthenticationManagerBuilder auth) {
  16. 		auth.authenticationProvider(authenticationProvider());
  17. 	}
  19. 	@Override
  20. 	protected void configure(HttpSecurity http) throws Exception {
  21. 		http
  22. 				// remove csrf state in session because in jwt do not need them
  23. 				.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
  24. 				.authorizeRequests().antMatchers(HttpMethod.POST, "/login").permitAll()
  25. 				.antMatchers("/api/public/management/*").hasRole("MANAGER").antMatchers("/api/public/admin/*")
  26. 				.hasRole("ADMIN").anyRequest().authenticated().and()
  27. 				// add jwt filters (1. authentication, 2. authorization_)
  28. 				.addFilter(new JwtAuthenticationFilter(authenticationManager()))
  29. 				.addFilter(new JwtAuthorizationFilter(authenticationManager(), this.userRepository));
  30. 		// configure access rules
  32. 	}
  34. 	@Bean
  35. 	DaoAuthenticationProvider authenticationProvider() {
  36. 		DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
  37. 		daoAuthenticationProvider.setPasswordEncoder(passwordEncoder());
  38. 		daoAuthenticationProvider.setUserDetailsService((UserDetailsService) this.userPrincipalDetailsService);
  40. 		return daoAuthenticationProvider;
  41. 	}
  43. 	@Bean
  44. 	PasswordEncoder passwordEncoder() {
  45. 		return new BCryptPasswordEncoder();
  46. 	}
  48. }

Request,Response

spring security的permitAll()在JWT认证过滤器中不起作用。

Can someone suggest whats wrong here..Appreciate your help..Thanks in advance..!!!

答案1

得分: 1

似乎你的路径是错误的。当你查看你的请求体时,你会发现路径显示为:/login%0A。这看起来你的URL末尾多了一个额外的字符。尝试在Postman中重新编写URL。

英文:

It seems that your path is wrong. When you look at your body you can see that the path shows following: /login%0A. This seems that you have an extra character at the end of your URL. Just try to rewrite the URL in Postman.

答案2

得分: 1

请考虑使用BasicAuthenticationFilter中的shouldNotFilter方法。它继承自OncePerRequestFilter,因此您可以在过滤器类中按如下方式使用:

  1. @Override
  2. protected boolean shouldNotFilter(HttpServletRequest request) {
  3.     // 在此处编写代码
  4. }
英文:

please consider to use shouldNotFilter method from BasicAuthenticationFilter. It extends OncePerRequestFilter so you can use it in filtering class as below:

  1. @Override
  2. protected boolean shouldNotFilter(HttpServletRequest request) {
  3.        // code here
  4. }
  6. </details>

huangapple
  • 本文由 发表于 2020年10月5日 15:02:33
  • 转载请务必保留本文链接:https://go.coder-hub.com/64203795.html
  • java
  • jwt
  • spring-boot
  • spring-security
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定