英文:
Spring Security - 401 Unauthorized access
问题
我已创建一个向后端发送数据并将其持久化到数据库中的表单。
只要我在antMatcher上使用.permitAll(),这个方法就可以正常工作,但是当我尝试对其进行安全保护,只允许管理员调用(数据库中的管理员角色为ROLE_ADMIN)时,它返回一个没有消息的401未经授权访问错误。
我尝试过:
- .hasRole("ADMIN")
- .hasRole("ROLE_ADMIN")
- .hasAuthority("ADMIN")
- .hasAuthority("ROLE_ADMIN")
这些都不起作用。
我的请求如下(用于头部):
我的SecurityConfig类:
@Configuration@EnableWebSecurity@EnableGlobalMethodSecurity(securedEnabled = true,jsr250Enabled = true,prePostEnabled = true)public class SecurityConfig extends WebSecurityConfigurerAdapter {// ... 这里是您的配置代码 ...}
我的UserDetailsServiceImpl类:
@Servicepublic class UserDetailsServiceImpl implements UserDetailsService {// ... 这里是您的服务实现代码 ...}
我的JwtAuthenticationEntryPoint类:
@Componentpublic class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {// ... 这里是您的认证入口点代码 ...}
我的JwtAuthenticationFilter类:
public class JwtAuthenticationFilter extends OncePerRequestFilter {// ... 这里是您的JWT身份验证过滤器代码 ...}
JWT令牌的有效性已经被正确检查,这不是问题的关键。任何帮助将不胜感激。
添加了UserDetailsImpl的实现:
public class UserDetailsImpl implements UserDetails {// ... 这里是您的UserDetailsImpl实现代码 ...}
登录部分的AuthenticationController:
@RestController@RequestMapping("/api/auth")public class AuthenticationController {// ... 这里是您的认证控制器的代码 ...}
如果您需要更多帮助,请随时提问。
英文:
I've created a form that sends the data to my backend, which persists it into the database 
This works well as long as I have .permitAll() on my antMatcher, but when I try to secure it so that only admins can make that call (admin role in the DB is ROLE_ADMIN), it returns a 401 Unauthorized Access with no message. I've tried
- .hasRole("ADMIN")
- .hasRole("ROLE_ADMIN")
- .hasAuthority("ADMIN")
- .hasAuthority("ROLE_ADMIN")
None of them works.
My request looks like this (posting for the headers):
My SecurityConfig class:
@Configuration@EnableWebSecurity@EnableGlobalMethodSecurity(securedEnabled = true,jsr250Enabled = true,prePostEnabled = true)public class SecurityConfig extends WebSecurityConfigurerAdapter {@AutowiredUserDetailsServiceImpl userDetailsService;@Autowiredprivate JwtAuthenticationEntryPoint unauthorizedHandler;@Beanpublic JwtAuthenticationFilter jwtAuthenticationFilter() {return new JwtAuthenticationFilter();}@Overridepublic void configure(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());}@Bean(BeanIds.AUTHENTICATION_MANAGER)@Overridepublic AuthenticationManager authenticationManagerBean() throws Exception {return super.authenticationManagerBean();}@Beanpublic PasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();}@Overrideprotected void configure(HttpSecurity http) throws Exception {http.cors().and().csrf().disable().exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().authorizeRequests().antMatchers("/","/favicon.ico","/**/*.png","/**/*.gif","/**/*.svg","/**/*.jpg","/**/*.html","/**/*.css","/**/*.js").permitAll().antMatchers("/api/auth/**").permitAll().antMatchers("/api/book/**").permitAll().antMatchers("/api/author/**")// .permitAll().hasAnyRole("ROLE_ADMIN", "ADMIN", "ROLE_USER", "USER", "ROLE_ROLE_ADMIN","ROLE_ROLE_USER").anyRequest().authenticated();http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);}}
My UserDetailsServiceImpl class:
@Servicepublic class UserDetailsServiceImpl implements UserDetailsService {@AutowiredUserRepository userRepository;@Override@Transactionalpublic UserDetails loadUserByUsername(String email)throws UsernameNotFoundException {User user = userRepository.findByEmail(email);return UserDetailsImpl.create(user);}@Transactionalpublic UserDetails loadUserById(Integer id) {User user = userRepository.findById(id).orElseThrow(() -> new UsernameNotFoundException("User not found with id: " + id));return UserDetailsImpl.create(user);}}
My JwtAuthenticationEntryPoint class:
@Componentpublic class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationEntryPoint.class);@Overridepublic void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,AuthenticationException e) throws IOException, ServletException {logger.error("Unauthorized access. Message:", e.getMessage());httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, e.getMessage());}}
My JwtAuthenticationFilter:
public class JwtAuthenticationFilter extends OncePerRequestFilter {@Autowiredprivate JwtTokenProvider tokenProvider;@Autowiredprivate UserDetailsServiceImpl userDetailsService;private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationFilter.class);@Overrideprotected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponsehttpServletResponse, FilterChain filterChain) throws ServletException, IOException {try {String jwt = getJwtFromRequest(httpServletRequest);if(StringUtils.hasText(jwt) && tokenProvider.validateToken(jwt)) {Integer userId = tokenProvider.getUserIdFromJWT(jwt);UserDetails userDetails = userDetailsService.loadUserById(userId);UsernamePasswordAuthenticationToken authentication = newUsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());authentication.setDetails(newWebAuthenticationDetailsSource().buildDetails(httpServletRequest));}} catch (Exception e) {logger.error("Could not set user authentication in security context", e);}filterChain.doFilter(httpServletRequest, httpServletResponse);}private String getJwtFromRequest(HttpServletRequest request) {String bearerToken = request.getHeader("Authorization");if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")) {return bearerToken.substring(7, bearerToken.length());}return null;}}
The JWT Token's validity is properly checked. That's not the issue at hand.
Any help is appreciated.
EDIT:
Added implementation of UserDetailsImpl:
public class UserDetailsImpl implements UserDetails {private Integer id;@JsonIgnoreprivate String email;private String name;@JsonIgnoreprivate String password;private boolean isAdmin;private Collection<? extends GrantedAuthority> authorities;public UserDetailsImpl(Integer id, String email, String name, Stringpassword, boolean isAdmin, Collection<? extends GrantedAuthority>authorities) {this.id = id;this.name = name;this.email = email;this.password = password;this.authorities = authorities;this.isAdmin = isAdmin;}public static UserDetailsImpl create(User user) {List<GrantedAuthority> authorities = user.getRoles().stream().map(role ->new SimpleGrantedAuthority(role.getName().name())).collect(Collectors.toList());boolean isAdmin = false;for(Role role: user.getRoles()) {if(RoleName.ROLE_ADMIN.equals(role.getName())) {isAdmin = true;}}return new UserDetailsImpl(user.getId(),user.getEmail(),user.getName(),user.getPassword(),isAdmin,authorities);}public Integer getId() {return id;}public String getName() {return name;}@Overridepublic String getUsername() {return email;}@Overridepublic String getPassword() {return password;}public boolean isAdmin() {return isAdmin;}@Overridepublic Collection<? extends GrantedAuthority> getAuthorities() {return authorities;}@Overridepublic boolean isAccountNonExpired() {return true;}@Overridepublic boolean isAccountNonLocked() {return true;}@Overridepublic boolean isCredentialsNonExpired() {return true;}@Overridepublic boolean isEnabled() {return true;}@Overridepublic boolean equals(Object o) {if (this == o) return true;if (o == null || getClass() != o.getClass()) return false;UserDetailsImpl that = (UserDetailsImpl) o;return Objects.equals(id, that.id);}@Overridepublic int hashCode() {return Objects.hash(id);}
Added this to check if the authorities are present after UserDetailsImpl.create(user) call:
Output:
Login part of the AuthenticationController:
答案1
得分: 1
我看到您没有更新SecurityContextHolder。无法将其放在评论中,所以我在这里写了出来。
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpServletRequest));SecurityContextHolder.getContext().setAuthentication(authentication); //这部分似乎丢失了
英文:
I see that you are not updating the SecurityContextHolder. Unable to put it in a comment, so I wrote it here.
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpServletRequest))SecurityContextHolder.getContext().setAuthentication(authentication); //this seems missing
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论