标准:
- 未经身份验证的用户请求令牌/oauth/token
- 未经身份验证的用户还可以在/swagger-ui.html 访问Swagger Docs
- 所有其他端点都应保护,即需要有效的令牌才能使用。
我尝试的是:
securityConfig.java-可能是问题的来源
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthenticationProvider customAuthenticationProvider;
@Override
protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder.authenticationProvider(customAuthenticationProvider);
}
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/v2/api-docs", "/configuration/ui", "/swagger-resources/**", "/configuration/**", "/swagger-ui.html", "/webjars/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.antMatcher("/oauth/token")
.addFilterBefore(new RESTAuthenticationTokenProcessingFilter(), BasicAuthenticationFilter.class)
.authorizeRequests()
.antMatchers("/**").permitAll()
.anyRequest().authenticated();
}
}
customAuthentication provider.java
@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {
final
UserService userService;
final
TokenService tokenService;
@SuppressWarnings("SpringJavaAutowiredMembersInspection")
@Autowired
public CustomAuthenticationProvider(TokenService tokenService, UserService userService) {
this.tokenService = tokenService;
this.userService = userService;
}
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String username = authentication.getName();
Object credentials = authentication.getCredentials();
if (!(credentials instanceof String)) return null;
String password = credentials.toString();
// TODO implement hashing and salting of passwords
UserDetails user = userService.loadUserByUsername(username);
if (!user.getPassword().equals(password)) throw new NotAuthorisedException(AuthorisationFailureTypes.INVALID_REQUEST);
TokenModel tokenModel = tokenService.allocateToken(user.getUsername());
authentication.setAuthenticated(true);
return authentication;
}
@Override
public boolean supports(Class<?> authentication) {
return TokenRequestModel.class.isAssignableFrom(authentication);
}
}
RestauthenticationTokenProcessingFilter.java
@Component
public class RESTAuthenticationTokenProcessingFilter extends GenericFilterBean {
public RESTAuthenticationTokenProcessingFilter() {
}
public RESTAuthenticationTokenProcessingFilter(UserService userService, String restUser) {
this.userService = userService;
this.REST_USER = restUser;
}
@Autowired
private TokenService tokenService;
private UserService userService;
private String REST_USER;
private Logger log = LoggerFactory.getLogger(this.getClass());
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest httpRequest = getAsHttpRequest(request);
String authToken = extractAuthTokenFromRequest(httpRequest);
if (authToken == null) throw new NotAuthorisedException(AuthorisationFailureTypes.INVALID_REQUEST);
String[] parts = authToken.split(" ");
if (parts.length == 2) {
String tokenKey = parts[1];
if (validateTokenKey(tokenKey)) {
TokenModel token = tokenService.getTokenById(tokenKey);
//List<String> allowedIPs = new Gson().fromJson(token.getAllowedIP(), new TypeToken<ArrayList<String>>() {}.getType());
//if (isAllowIP(allowedIPs, request.getRemoteAddr())) {
if (token != null) {
if (token.getExpires_in() > 0) {
UserDetails userDetails = userService.loadUserByUsername(REST_USER);
TokenRequestModel authentication = new TokenRequestModel(null, null, userDetails.getUsername(), userDetails.getPassword());
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpRequest));
SecurityContextHolder.getContext().setAuthentication(authentication);
log.info("Authenticated " + token.getAccess_token() + " via IP: " + request.getRemoteAddr());
} else {
log.info("Unable to authenticate the token: " + authToken + ". Incorrect secret or token is expired");
throw new NotAuthorisedException(AuthorisationFailureTypes.INVALID_REQUEST);
}
//} else {
//log.info("Unable to authenticate the token: " + authToken + ". IP - " + request.getRemoteAddr() + " is not allowed");l
}
}
} else {
log.info("Unable to authenticate the token: " + authToken + ". Key is broken");
throw new NotAuthorisedException(AuthorisationFailureTypes.INVALID_REQUEST);
}
chain.doFilter(request, response);
}
private boolean validateTokenKey(String tokenKey) {
String[] parts = tokenKey.split("-");
return parts.length == 5;
}
private HttpServletRequest getAsHttpRequest(ServletRequest request) {
if (!(request instanceof HttpServletRequest)) {
throw new RuntimeException("Expecting an HTTP request");
}
return (HttpServletRequest) request;
}
private String extractAuthTokenFromRequest(HttpServletRequest httpRequest) {
// Get token from header
String authToken = httpRequest.getHeader("authorisation");
// If token not found get it from request parameter
if (authToken == null) {
authToken = httpRequest.getParameter("access_token");
}
return authToken;
}
}
这是任何用户以"授权"标题能够访问所有资源的用户的结果。没有授权标题的用户无法要求使用令牌。
我花了很多时间试图从其他示例中汲取灵感,并从HTTPSECURITY类及其相关类中读取文档,但是我不明白如何实现这种配置。
任何帮助将不胜感激!
编辑 -
由于项目的性质,我不得不遵循一项协议,该协议涉及OAuth2的版本略有减少。不幸的是,这意味着要实施弹簧安全中已经提供的许多内容(即,我无法使用Spring-Security-Oauth2或Spring Security 5(。满足我的特定需求。我非常感谢您会有的建议。
我从教程中找到了一个解决方案,其中涉及实现我自己的整个授权过程版本。但是它有效!
我的SecurityConfig.java类变成:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private final AuthenticationSuccessHandler loginSuccessfulHandler;
private final AuthenticationFailureHandler loginFailureHandler;
private final AccessDeniedHandler customAccessDeniedHandler;
private final AuthenticationEntryPoint customAuthenticationEntryPoint;
@Autowired
public SecurityConfig(AuthenticationSuccessHandler loginSuccessfulHandler, AuthenticationFailureHandler loginFailureHandler, AccessDeniedHandler customAccessDeniedHandler, AuthenticationEntryPoint customAuthenticationEntryPoint) {
this.loginSuccessfulHandler = loginSuccessfulHandler;
this.loginFailureHandler = loginFailureHandler;
this.customAccessDeniedHandler = customAccessDeniedHandler;
this.customAuthenticationEntryPoint = customAuthenticationEntryPoint;
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("user").password("password").roles("USER")
.and()
.withUser("admin").password("password").roles("ADMIN");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable() // disable CSRF for this application
.formLogin() // Using form based login instead of Basic Authentication
.loginProcessingUrl("/oauth/token") // Endpoint which will process the authentication request. This is where we will post our credentials to authenticate
.successHandler(loginSuccessfulHandler)
.failureHandler(loginFailureHandler)
.and()
.authorizeRequests()
.antMatchers("/oauth/token").permitAll() // Enabling URL to be accessed by all users (even un-authenticated)
.antMatchers("/swagger-ui.html").permitAll()
//.antMatchers("/secure/admin").access("hasRole('ADMIN')") // Configures specified URL to be accessed with user having role as ADMIN
.anyRequest().authenticated() // Any resources not mentioned above needs to be authenticated
.and()
.exceptionHandling().accessDeniedHandler(customAccessDeniedHandler)
.authenticationEntryPoint(customAuthenticationEntryPoint)
.and()
.anonymous().disable(); // Disables anonymous authentication with anonymous role.
}
,因此我必须通过暗示现有界面来实现登录(成功/失败(处理程序等。现在,我只需要实现自己的AuthenticationMangager而不是当前使用的内存配置。
@dur感谢您的帮助!:(