我需要用Google OAuth2保护一些端点,并使用API密钥保护一些其他端点。
在我将ApiKeyFilter添加到AuthConfig之前,它按预期工作。然而,当我添加过滤器时,我发现"/secured-with-api-key/**"和"/non-secured/**"按预期工作,但"/secured/**"即使没有JWT令牌也可以访问。
这是ApiKeyAuthFilter:
public class ApiKeyAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
private static final Logger LOG = LoggerFactory.getLogger(ApiKeyAuthFilter.class);
private final String apiKeyHeaderName;
private final String timestampHeaderName;
private final String signatureHeaderName;
public ApiKeyAuthFilter(String apiKeyHeaderName, String timestampHeaderName, String signatureHeaderName) {
this.apiKeyHeaderName = apiKeyHeaderName;
this.timestampHeaderName = timestampHeaderName;
this.signatureHeaderName = signatureHeaderName;
}
@Override
protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
String apiKey = request.getHeader(apiKeyHeaderName);
String timestamp = request.getHeader(timestampHeaderName);
String signature = request.getHeader(signatureHeaderName);
return new AuthPrincipal(apiKey, timestamp, signature);
}
@Override
protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
// No creds when using API key
return null;
}
这是SimpleAuthenticationManager:
@Component
public class SimpleAuthenticationManager implements AuthenticationManager {
private static final Logger LOG = LoggerFactory.getLogger(SimpleAuthenticationManager.class);
@Autowired
private ApiKeysDatabase apiKeysDatabase;
@Autowired
private TokenVerifier tokenVerifier;
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
AuthPrincipal principal = (AuthPrincipal) authentication.getPrincipal();
if (principal.getApikey() == null || principal.getTimestamp() == null || principal.getSignature() == null) {
throw new BadCredentialsException("The API_KEY/timestamp/signature Header is missing.");
}
if (!apiKeysDatabase.isValidKey(principal.getApikey())) {
throw new BadCredentialsException("The API key was not found or not the expected value.");
}
if (!tokenVerifier.isTokenAuthorized(principal)) {
throw new BadCredentialsException("The signature is invalid");
}
authentication.setAuthenticated(true);
return authentication;
}
}
这是AuthConfig:
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class AuthConfig extends WebSecurityConfigurerAdapter {
private static final String API_KEY_HEADER_NAME = "API_KEY";
private static final String TIMESTAMP_HEADER_NAME = "timestamp";
private static final String SIGNATURE_HEADER_NAME = "signature";
@Autowired
private SimpleAuthenticationManager simpleAuthenticationManager;
@Override
protected void configure(HttpSecurity http) throws Exception {
ApiKeyAuthFilter filter = new ApiKeyAuthFilter(API_KEY_HEADER_NAME, TIMESTAMP_HEADER_NAME, SIGNATURE_HEADER_NAME);
filter.setAuthenticationManager(simpleAuthenticationManager);
http.antMatcher("/secured/**")
.authorizeRequests()
.antMatchers("/secured/**")
.fullyAuthenticated();
http.antMatcher("/non-secured/**")
.authorizeRequests()
.antMatchers("/non-secured/**")
.permitAll();
http.antMatcher("/secured-with-api-key/**")
.addFilter(filter)
.authorizeRequests()
.antMatchers("/secured-with-api-key/**")
.authenticated();
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.cors().and().csrf().disable();
http.oauth2ResourceServer().jwt();
}
}
我期望"/secured/**"需要JWT访问,"/secured-with-api-key/**"需要API密钥访问,"/non-secured/**"可以被任何人访问。
使用两个SecurityFilterChain@Beans:一个具有资源服务器配置(OAuth2,使用承载访问令牌进行保护),另一个用于API密钥。不要忘记订购这两种,并限制第一个装载的securityMatcher。
例如,使用专用于API-key的过滤器链(所有以/secured-with-api-key/开头的路由)和使用OAuth2保护的默认过滤器链(所有不匹配先前过滤器链的路由):
@Order(Ordered.HIGHEST_PRECEDENCE)
@Bean
SecurityFilterChain apiKeyFilterChain(HttpSecurity http) {
http.securityMatcher(new AntPathRequestMatcher("/secured-with-api-key/**"));
// more API key security conf
return http.build();
}
@Bean
SecurityFilterChain defaultFilterChain(HttpSecurity http) {
http.oauth2ResourceServer().jwt();
// resource-server security conf
return http.build();
}