英文:
Access denied after changed password with spring boot security JWT
问题
以下是要翻译的内容:
我正在为我的应用程序实现Spring Boot安全性。登录功能正常工作,但是不知何故,每当我测试更改密码功能时,它总是失败。我在数据库中检查了密码已经更新为新的HashString,但我无法使用旧密码和新密码登录。请帮忙!
这是更改密码的API:
@PutMapping("/reset-password")public ResponseEntity resetPassword(@RequestBody String password) {// 提取用户名String username = SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString();ApplicationUser applicationUser = applicationUserRepo.findByUsername(username);if (applicationUser == null) {return ResponseEntity.badRequest().body("找不到用户名");}applicationUser.setPassword(bCryptPasswordEncoder.encode(password));applicationUserRepo.save(applicationUser);Logs log = new Logs(TimeConverter.getVietnamCurrentTime(), "PASSWORD", "User", applicationUser.getUsername(), applicationUser.getUsername());logsRepo.save(log);return ResponseEntity.ok().body("密码已成功更改!");}
这是我的WebSecurityConfigurerAdapter的实现:
@EnableWebSecurity@Configurationpublic class WebSecurity extends WebSecurityConfigurerAdapter {private UserDetailsServiceImpl userDetailsService;@Autowiredprivate BCryptPasswordEncoder bCryptPasswordEncoder;public WebSecurity(UserDetailsServiceImpl userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder) {this.userDetailsService = userDetailsService;this.bCryptPasswordEncoder = bCryptPasswordEncoder;}@Overrideprotected void configure(HttpSecurity http) throws Exception {http.cors().and().csrf().disable().authorizeRequests().antMatchers(HttpMethod.POST, LOGIN_URL).permitAll()//.antMatchers("/login").permitAll().anyRequest().authenticated().and().addFilter(new JWTAuthenticationFilter(authenticationManager())).addFilter(new JWTAuthorizationFilter(authenticationManager())).sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);}@Beanpublic AuthenticationFailureHandler authenticationFailureHandler() {return new CustomAuthenticationFailureHandler();}@Overridepublic void configure(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);}@Beanpublic CorsConfigurationSource corsConfigurationSource() {final CorsConfiguration configuration = new CorsConfiguration();configuration.setAllowedOrigins(ImmutableList.of("*"));configuration.setAllowedMethods(ImmutableList.of("HEAD","GET", "POST", "PUT", "DELETE", "PATCH"));configuration.setAllowCredentials(true);configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();source.registerCorsConfiguration("/**", configuration);return source;}@Override@Beanpublic AuthenticationManager authenticationManagerBean() throws Exception {return super.authenticationManagerBean();}}
AuthenticationFilter:
public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter {private AuthenticationManager authenticationManager;public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {this.authenticationManager = authenticationManager;}@Overridepublic Authentication attemptAuthentication(HttpServletRequest req,HttpServletResponse res) throws AuthenticationException {try {ApplicationUser creds = new ObjectMapper().readValue(req.getInputStream(), ApplicationUser.class);return authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(creds.getUsername(),creds.getPassword(),new ArrayList<>()));} catch (IOException e) {System.out.println("出错了");throw new RuntimeException(e);}}@Overrideprotected void successfulAuthentication(HttpServletRequest req,HttpServletResponse res,FilterChain chain,Authentication auth) {String token = JWT.create().withSubject(((User) auth.getPrincipal()).getUsername()).withExpiresAt(new Date(System.currentTimeMillis() + EXPIRATION_TIME)).sign(HMAC512(SECRET.getBytes()));res.addHeader(HEADER_STRING, TOKEN_PREFIX + token);res.addHeader("Access-Control-Expose-Headers","*");}@Overrideprotected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed)throws IOException, ServletException {response.getWriter().write("出错了");super.unsuccessfulAuthentication(request, response, failed);}}
英文:
I'm implementing spring boot security for my application. The login function works fine, but somehow whenever I test the change-password function, it's always failed, I checked in the database the password has been updated with the new HashString, but I cannot login with both old-password and new-password. Please help !
Here is the change-password API
@PutMapping("/reset-password")public ResponseEntity resetPassword(@RequestBody String password){//extract user nameString username = SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString();ApplicationUser applicationUser = applicationUserRepo.findByUsername(username);if(applicationUser == null ){return ResponseEntity.badRequest().body("Could not find UserName");}applicationUser.setPassword(bCryptPasswordEncoder.encode(password));applicationUserRepo.save(applicationUser);Logs log = new Logs (TimeConverter.getVietnamCurrentTime(),"PASSWORD", "User", applicationUser.getUsername(), applicationUser.getUsername() );logsRepo.save(log);return ResponseEntity.ok().body("Password changed successfully!");}
Here is my implementation of WebSecurityConfigurerAdapter
@EnableWebSecurity@Configurationpublic class WebSecurity extends WebSecurityConfigurerAdapter {private UserDetailsServiceImpl userDetailsService;@Autowiredprivate BCryptPasswordEncoder bCryptPasswordEncoder;public WebSecurity(UserDetailsServiceImpl userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder) {this.userDetailsService = userDetailsService;this.bCryptPasswordEncoder = bCryptPasswordEncoder;}@Overrideprotected void configure(HttpSecurity http) throws Exception {http.cors().and().csrf().disable().authorizeRequests().antMatchers(HttpMethod.POST, LOGIN_URL).permitAll()//.antMatchers("/login").permitAll().anyRequest().authenticated().and().addFilter(new JWTAuthenticationFilter(authenticationManager())).addFilter(new JWTAuthorizationFilter(authenticationManager())).sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);}@Beanpublic AuthenticationFailureHandler authenticationFailureHandler() {return new CustomAuthenticationFailureHandler();}@Overridepublic void configure(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);}@Beanpublic CorsConfigurationSource corsConfigurationSource() {final CorsConfiguration configuration = new CorsConfiguration();configuration.setAllowedOrigins(ImmutableList.of("*"));configuration.setAllowedMethods(ImmutableList.of("HEAD","GET", "POST", "PUT", "DELETE", "PATCH"));configuration.setAllowCredentials(true);configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();source.registerCorsConfiguration("/**", configuration);return source;}@Override@Beanpublic AuthenticationManager authenticationManagerBean() throws Exception {return super.authenticationManagerBean();}}
AuthenticationFilter
public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter {private AuthenticationManager authenticationManager;public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {this.authenticationManager = authenticationManager;}@Overridepublic Authentication attemptAuthentication(HttpServletRequest req,HttpServletResponse res) throws AuthenticationException {try {ApplicationUser creds = new ObjectMapper().readValue(req.getInputStream(), ApplicationUser.class);return authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(creds.getUsername(),creds.getPassword(),new ArrayList<>()));} catch (IOException e) {System.out.println("fucked");throw new RuntimeException(e);}}@Overrideprotected void successfulAuthentication(HttpServletRequest req,HttpServletResponse res,FilterChain chain,Authentication auth) {String token = JWT.create().withSubject(((User) auth.getPrincipal()).getUsername()).withExpiresAt(new Date(System.currentTimeMillis() + EXPIRATION_TIME)).sign(HMAC512(SECRET.getBytes()));res.addHeader(HEADER_STRING, TOKEN_PREFIX + token);res.addHeader("Access-Control-Expose-Headers","*");}@Overrideprotected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed)throws IOException, ServletException {response.getWriter().write("blalfaf");super.unsuccessfulAuthentication(request, response, failed);}}
答案1
得分: 1
尝试使用:
addFilterBefore(new JWTAuthenticationFilter(authenticationManager(), UsernamePasswordAuthenticationFilter.class)
而不是仅仅使用:
addFilter(....
在你的 WebSecurity.configure(..... 中。这将会把你自己的过滤器放在原始的 UsernamePasswordAuthenticationFilter 之前。也许你的过滤器是排在最后的,导致登录在它之前失败。
英文:
Try using:
addFilterBefore(new JWTAuthenticationFilter(authenticationManager(), UsernamePasswordAuthenticationFilter.class)
instead of just
addFilter(....
in your WebSecurity.configure(.....
This will put your own filter before the original UsernamePasswordAuthenticationFilter. Maybe your filter is last in line and the login is failing before.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论