
How to implement filters with different AuthenticationProviders in Spring Security

  •  -2
  • scorpion  · Tech Community  · 7 years ago

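    In my security layer I use two filters: AjaxAuthenticationFilter and JWTAuthenticationFilter (both extend AbstractAuthenticationProcessingFilter). For the first one I want to use only AjaxAuthenticationProvider, and for the second one only JwtAuthenticationProvider.

    This is the main cause of my problem: I cannot separate them (the authenticationProviders).

    I tried this code, but it does not work: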

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    
        public static final String AUTHENTICATION_HEADER_NAME = "Authorization";
        public static final String AUTHENTICATION_URL = "/api/auth/login";
        public static final String REFRESH_TOKEN_URL = "/api/auth/token";
        public static final String API_ROOT_URL = "/api/**";
    
    
        @Autowired private RestAuthenticationEntryPoint authenticationEntryPoint;
        @Autowired private AjaxAwareAuthenticationSuccessHandler successHandler;
        @Autowired private AjaxAwareAuthenticationFailureHandler failureHandler;
        @Autowired private AjaxAuthenticationProvider ajaxAuthenticationProvider;
        @Autowired private JwtAuthenticationProvider jwtAuthenticationProvider;
    
        @Autowired private AuthenticationManager authenticationManager;
        @Autowired private ObjectMapper objectMapper;
    
        protected AjaxLoginProcessingFilter buildAjaxLoginProcessingFilter(String loginEntryPoint) throws Exception {
            AjaxLoginProcessingFilter filter = 
                    new AjaxLoginProcessingFilter(loginEntryPoint, successHandler, failureHandler, objectMapper);
            filter.setAuthenticationManager(authenticationManager);
            return filter;
        }
    
        protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter(List<String> pathsToSkip, String pattern) {
            SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, pattern);
            JwtTokenAuthenticationProcessingFilter filter = 
                    new JwtTokenAuthenticationProcessingFilter(failureHandler, matcher);
            filter.setAuthenticationManager(this.authenticationManager);
            return filter;
        }
    
        @Bean
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }
    
    
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            List<String> permitAllEndpointsList = Arrays.asList(
                AUTHENTICATION_URL,
                REFRESH_TOKEN_URL,
                "/console"
            );
    
            http.
                csrf().disable()
                .exceptionHandling()
                .authenticationEntryPoint(this.authenticationEntryPoint)
    
            .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    
            .and()
                .authorizeRequests()
                .antMatchers(permitAllEndpointsList.toArray(new String[permitAllEndpointsList.size()]))
                .permitAll()
            .and()
                .authorizeRequests()
                .antMatchers(API_ROOT_URL).authenticated(); 
        }
    
        @Configuration
        @Order(1)
        public class AjaxWebSecurityConfig extends WebSecurityConfigurerAdapter {
    
            @Override
            protected void configure(HttpSecurity http) throws Exception {
    
                http
                    .csrf().disable()
                    .addFilterBefore(buildAjaxLoginProcessingFilter(AUTHENTICATION_URL), UsernamePasswordAuthenticationFilter.class)
                    .authenticationProvider(ajaxAuthenticationProvider);
    
            }
    
        }
    
        @Configuration
        @Order(2)
        public class JwtWebSecurityConfig extends WebSecurityConfigurerAdapter {
    
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                List<String> permitAllEndpointsList = Arrays.asList(
                        AUTHENTICATION_URL,
                        REFRESH_TOKEN_URL,
                        "/console"
                    );
    
                http
                    .csrf().disable()
                    .addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(permitAllEndpointsList, API_ROOT_URL),
                        UsernamePasswordAuthenticationFilter.class)
                    .authenticationProvider(jwtAuthenticationProvider);
    
            }
    
        }
    
    }
    
1 reply  |  up to 7 years ago
    1
  •  0
  •   scorpion    7 years ago

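    Thanks for your help. My code was completely wrong. Wrong starting point and wrong approach.

    I solved it by passing the appropriate authManager to the target configuration (outline only):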

    @Configuration
    @Order(1)
    public class AjaxWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Register only the Ajax provider on this adapter's AuthenticationManager
            auth.authenticationProvider(ajaxAuthenticationProvider);
        }

    }

    @Configuration
    public class JwtWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Register only the JWT provider on this adapter's AuthenticationManager
            auth.authenticationProvider(jwtAuthenticationProvider);
        }
    }
    

    In the @Order(1) configuration, defining the antMatcher was mandatory:

    .and()
        .antMatcher("/api/auth/**")
        .authorizeRequests()
        .antMatchers(AUTHENTICATION_URL)
        .permitAll()
    

    In the last configuration, I had to define antMatchers for "/**":

    .authorizeRequests()
        .antMatchers("/**").authenticated()


    Final result:

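    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

    import com.fasterxml.jackson.databind.ObjectMapper;

    @EnableWebSecurity
    public class WebSecurityConfig {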
    
        public static final String AUTHENTICATION_HEADER_NAME = "Authorization";
        public static final String AUTHENTICATION_URL = "/api/auth/login";
        public static final String REFRESH_TOKEN_URL = "/api/auth/token";
        public static final String API_ROOT_URL = "/api/**";
    
    
        @Autowired private RestAuthenticationEntryPoint authenticationEntryPoint;
        @Autowired private AjaxAwareAuthenticationSuccessHandler successHandler;
        @Autowired private AjaxAwareAuthenticationFailureHandler failureHandler;
        @Autowired private AjaxAuthenticationProvider ajaxAuthenticationProvider;
        @Autowired private JwtAuthenticationProvider jwtAuthenticationProvider;
    
        @Autowired private ObjectMapper objectMapper;
    
        protected AjaxLoginProcessingFilter buildAjaxLoginProcessingFilter(String loginEntryPoint,
                AuthenticationManager authManager) throws Exception {
            AjaxLoginProcessingFilter filter = 
                    new AjaxLoginProcessingFilter(loginEntryPoint, successHandler, failureHandler, objectMapper);
            filter.setAuthenticationManager(authManager);
            return filter;
        }
    
        protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter(String urlForFilter,
                AuthenticationManager authManager) {
            //SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, pattern);
            JwtTokenAuthenticationProcessingFilter filter = 
                    new JwtTokenAuthenticationProcessingFilter(failureHandler, urlForFilter);
            filter.setAuthenticationManager(authManager);
            return filter;
        }
    
        @Configuration
        @Order(1)
        public class AjaxWebSecurityConfig extends WebSecurityConfigurerAdapter {
    
            @Override
            protected void configure(AuthenticationManagerBuilder auth) throws Exception {
                // Register only the Ajax provider on the manager returned by super.authenticationManager()
                auth.authenticationProvider(ajaxAuthenticationProvider);
            }
    
            @Override
            protected void configure(HttpSecurity http) throws Exception {
    
                    http.
                        csrf().disable()
                        .exceptionHandling()
                        .authenticationEntryPoint(authenticationEntryPoint)
    
                    .and()
                        .sessionManagement()
                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    
                    .and()
                        .antMatcher("/api/auth/**")
                        .authorizeRequests()
                        .antMatchers(AUTHENTICATION_URL)
                        .permitAll()
    
    
                    .and()
                        .addFilterBefore(buildAjaxLoginProcessingFilter(AUTHENTICATION_URL, super.authenticationManager()), UsernamePasswordAuthenticationFilter.class)
                        .authenticationProvider(ajaxAuthenticationProvider);
    
            }
    
        }
    
        @Configuration
        public class JwtWebSecurityConfig extends WebSecurityConfigurerAdapter {
    
            @Override
            protected void configure(AuthenticationManagerBuilder auth) throws Exception {
                // Register only the JWT provider on the manager returned by super.authenticationManager()
                auth.authenticationProvider(jwtAuthenticationProvider);
            }
    
            @Override
            protected void configure(HttpSecurity http) throws Exception {
    
                http
                    .csrf().disable()
                    .authorizeRequests()
                    .antMatchers("/**").authenticated()
    
                    .and()
                    .addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(API_ROOT_URL, super.authenticationManager()),
                        UsernamePasswordAuthenticationFilter.class)
                    .authenticationProvider(jwtAuthenticationProvider);
    
            }
    
        }
    
    }
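
The same separation can be written without WebSecurityConfigurerAdapter by giving each filter its own ProviderManager that holds exactly one provider. This is an added example, not the poster's code: it assumes Spring Security 5.4 or later (SecurityFilterChain beans), the class name PerFilterProviderConfig is hypothetical, and the filter, provider and handler classes are the ones shown on this page with the constructor signatures from the final result above.

```java
import java.util.Collections;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Added example: the filter, provider and handler types are the page's own classes,
// assumed to live in this package; PerFilterProviderConfig is a hypothetical name.
@EnableWebSecurity
public class PerFilterProviderConfig {
    static final String LOGIN_URL = "/api/auth/login";
    static final String REFRESH_URL = "/api/auth/token";

    @Bean @Order(1)
    SecurityFilterChain authChain(HttpSecurity http, AjaxAuthenticationProvider ajaxProvider,
            AjaxAwareAuthenticationSuccessHandler onSuccess,
            AjaxAwareAuthenticationFailureHandler onFailure, ObjectMapper mapper) throws Exception {
        AjaxLoginProcessingFilter login =
                new AjaxLoginProcessingFilter(LOGIN_URL, onSuccess, onFailure, mapper);
        // A manager with exactly one provider: the JWT provider is never consulted for logins.
        login.setAuthenticationManager(new ProviderManager(Collections.singletonList(ajaxProvider)));
        return http.antMatcher("/api/auth/**")
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().authorizeRequests().antMatchers(LOGIN_URL, REFRESH_URL).permitAll()
                .anyRequest().denyAll() // no other path under /api/auth/** is left without a rule
                .and().addFilterBefore(login, UsernamePasswordAuthenticationFilter.class)
                .build();
    }

    @Bean @Order(2)
    SecurityFilterChain apiChain(HttpSecurity http, JwtAuthenticationProvider jwtProvider,
            AjaxAwareAuthenticationFailureHandler onFailure,
            RestAuthenticationEntryPoint entryPoint) throws Exception {
        JwtTokenAuthenticationProcessingFilter jwt =
                new JwtTokenAuthenticationProcessingFilter(onFailure, "/api/**");
        jwt.setAuthenticationManager(new ProviderManager(Collections.singletonList(jwtProvider)));
        return http.csrf().disable()
                .exceptionHandling().authenticationEntryPoint(entryPoint)
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().authorizeRequests().antMatchers("/**").authenticated()
                .and().addFilterBefore(jwt, UsernamePasswordAuthenticationFilter.class)
                .build();
    }
}
```

ProviderManager still calls supports() on its single provider, so each provider must accept the token type its own filter creates; otherwise authentication fails with ProviderNotFoundException.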