春季安全 – 401 未经授权访问

huangapple go评论88阅读模式
英文:

Spring Security - 401 Unauthorized access

问题

我已创建一个向后端发送数据并将其持久化到数据库中的表单。

只要我在antMatcher上使用.permitAll(),这个方法就可以正常工作,但是当我尝试对其进行安全保护,只允许管理员调用(数据库中的管理员角色为ROLE_ADMIN)时,它返回一个没有消息的401未经授权访问错误。

我尝试过:

  • .hasRole("ADMIN")
  • .hasRole("ROLE_ADMIN")
  • .hasAuthority("ADMIN")
  • .hasAuthority("ROLE_ADMIN")

这些都不起作用。

我的请求如下(用于头部):

春季安全 – 401 未经授权访问

我的SecurityConfig类:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(
    securedEnabled = true,
    jsr250Enabled = true,
    prePostEnabled = true
)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // ... 这里是您的配置代码 ...
}

我的UserDetailsServiceImpl类:

@Service
public class UserDetailsServiceImpl implements UserDetailsService {
    // ... 这里是您的服务实现代码 ...
}

我的JwtAuthenticationEntryPoint类:

@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {
    // ... 这里是您的认证入口点代码 ...
}

我的JwtAuthenticationFilter类:

public class JwtAuthenticationFilter extends OncePerRequestFilter {
    // ... 这里是您的JWT身份验证过滤器代码 ...
}

JWT令牌的有效性已经被正确检查,这不是问题的关键。任何帮助将不胜感激。

添加了UserDetailsImpl的实现:

public class UserDetailsImpl implements UserDetails {
    // ... 这里是您的UserDetailsImpl实现代码 ...
}

登录部分的AuthenticationController:

@RestController
@RequestMapping("/api/auth")
public class AuthenticationController {
    // ... 这里是您的认证控制器的代码 ...
}

如果您需要更多帮助,请随时提问。

英文:

I've created a form that sends the data to my backend, which persists it into the database 春季安全 – 401 未经授权访问

This works well as long as I have .permitAll() on my antMatcher, but when I try to secure it so that only admins can make that call (admin role in the DB is ROLE_ADMIN), it returns a 401 Unauthorized Access with no message. I've tried

  • .hasRole("ADMIN")
  • .hasRole("ROLE_ADMIN")
  • .hasAuthority("ADMIN")
  • .hasAuthority("ROLE_ADMIN")

None of them works.
春季安全 – 401 未经授权访问

春季安全 – 401 未经授权访问

My request looks like this (posting for the headers):

春季安全 – 401 未经授权访问

My SecurityConfig class:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(
    securedEnabled = true,
    jsr250Enabled = true,
    prePostEnabled = true
)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired
UserDetailsServiceImpl userDetailsService;

@Autowired
private JwtAuthenticationEntryPoint unauthorizedHandler;

@Bean
public JwtAuthenticationFilter jwtAuthenticationFilter() {
    return new JwtAuthenticationFilter();
}

@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}

@Bean(BeanIds.AUTHENTICATION_MANAGER)
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .cors()
                .and()
            .csrf()
                .disable()
            .exceptionHandling()
                .authenticationEntryPoint(unauthorizedHandler)
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                .antMatchers("/",
                    "/favicon.ico",
                    "/**/*.png",
                    "/**/*.gif",
                    "/**/*.svg",
                    "/**/*.jpg",
                    "/**/*.html",
                    "/**/*.css",
                    "/**/*.js")
                    .permitAll()
                .antMatchers("/api/auth/**")
                    .permitAll()
                .antMatchers("/api/book/**")
                    .permitAll()
                .antMatchers("/api/author/**")
//                        .permitAll()
                    .hasAnyRole("ROLE_ADMIN", "ADMIN", "ROLE_USER", "USER", "ROLE_ROLE_ADMIN", 
"ROLE_ROLE_USER")
            .anyRequest()
            .authenticated();

    http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
}

My UserDetailsServiceImpl class:

@Service
public class UserDetailsServiceImpl implements UserDetailsService {

@Autowired
UserRepository userRepository;

@Override
@Transactional
public UserDetails loadUserByUsername(String email)
        throws UsernameNotFoundException {
    User user = userRepository.findByEmail(email);

    return UserDetailsImpl.create(user);
}

@Transactional
public UserDetails loadUserById(Integer id) {
    User user = userRepository.findById(id).orElseThrow(
            () -> new UsernameNotFoundException("User not found with id: " + id)
    );

    return UserDetailsImpl.create(user);
}
}

My JwtAuthenticationEntryPoint class:

@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {

private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationEntryPoint.class);

@Override
public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, 
AuthenticationException e) throws IOException, ServletException {
    logger.error("Unauthorized access. Message:", e.getMessage());
    httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, e.getMessage());
}
}

My JwtAuthenticationFilter:

public class JwtAuthenticationFilter extends OncePerRequestFilter {

@Autowired
private JwtTokenProvider tokenProvider;

@Autowired
private UserDetailsServiceImpl userDetailsService;

private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationFilter.class);


@Override
protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse 
httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
    try {
        String jwt = getJwtFromRequest(httpServletRequest);

        if(StringUtils.hasText(jwt) && tokenProvider.validateToken(jwt)) {
            Integer userId = tokenProvider.getUserIdFromJWT(jwt);

            UserDetails userDetails = userDetailsService.loadUserById(userId);
            UsernamePasswordAuthenticationToken authentication = new 
UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());

            authentication.setDetails(new 
WebAuthenticationDetailsSource().buildDetails(httpServletRequest));
        }
    } catch (Exception e) {
        logger.error("Could not set user authentication in security context", e);
    }

    filterChain.doFilter(httpServletRequest, httpServletResponse);
}

private String getJwtFromRequest(HttpServletRequest request) {
    String bearerToken = request.getHeader("Authorization");
    if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")) {
        return bearerToken.substring(7, bearerToken.length());
    }
    return null;
}
}

The JWT Token's validity is properly checked. That's not the issue at hand.
Any help is appreciated.

EDIT:
Added implementation of UserDetailsImpl:

public class UserDetailsImpl implements UserDetails {
private Integer id;

@JsonIgnore
private String email;

private String name;

@JsonIgnore
private String password;

private boolean isAdmin;

private Collection<? extends GrantedAuthority> authorities;

public UserDetailsImpl(Integer id, String email, String name, String 
password, boolean isAdmin, Collection<? extends GrantedAuthority> 
authorities) {
    this.id = id;
    this.name = name;
    this.email = email;
    this.password = password;
    this.authorities = authorities;
    this.isAdmin = isAdmin;
}

public static UserDetailsImpl create(User user) {
    List<GrantedAuthority> authorities = user.getRoles().stream().map(role ->
            new SimpleGrantedAuthority(role.getName().name())
    ).collect(Collectors.toList());

    boolean isAdmin = false;

    for(Role role:  user.getRoles()) {
        if(RoleName.ROLE_ADMIN.equals(role.getName())) {
            isAdmin = true;
        }
    }

    return new UserDetailsImpl(
            user.getId(),
            user.getEmail(),
            user.getName(),
            user.getPassword(),
            isAdmin,
            authorities
    );
}

public Integer getId() {
    return id;
}

public String getName() {
    return name;
}

@Override
public String getUsername() {
    return email;
}

@Override
public String getPassword() {
    return password;
}

public boolean isAdmin() {
    return isAdmin;
}

@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
    return authorities;
}

@Override
public boolean isAccountNonExpired() {
    return true;
}

@Override
public boolean isAccountNonLocked() {
    return true;
}

@Override
public boolean isCredentialsNonExpired() {
    return true;
}

@Override
public boolean isEnabled() {
    return true;
}

@Override
public boolean equals(Object o) {
    if (this == o) return true;
    if (o == null || getClass() != o.getClass()) return false;
    UserDetailsImpl that = (UserDetailsImpl) o;
    return Objects.equals(id, that.id);
}

@Override
public int hashCode() {

    return Objects.hash(id);
}

Added this to check if the authorities are present after UserDetailsImpl.create(user) call:
春季安全 – 401 未经授权访问

Output:

春季安全 – 401 未经授权访问

Login part of the AuthenticationController:

春季安全 – 401 未经授权访问

答案1

得分: 1

我看到您没有更新SecurityContextHolder。无法将其放在评论中,所以我在这里写了出来。

authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpServletRequest));
SecurityContextHolder.getContext().setAuthentication(authentication); //这部分似乎丢失了
英文:

I see that you are not updating the SecurityContextHolder. Unable to put it in a comment, so I wrote it here.

authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpServletRequest))
SecurityContextHolder.getContext().setAuthentication(authentication); //this seems missing

huangapple
  • 本文由 发表于 2020年10月19日 21:00:41
  • 转载请务必保留本文链接:https://go.coder-hub.com/64427881.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定