我正在开发一个微服务,以启用匿名JWT令牌的验证。在验证了不同属性(如颁发者、过期时间等(的jwt令牌后,我需要通过执行-在SecurityContext中设置AnonymousAuthenticationToken
SecurityContextHolder.getContext((.setAuthentication(anonymousAuthenticationToken(;
此行将在我的筛选器类中,该类正在扩展org.springframework.web.filter.OncePerRequestFilter.
AnonymousAuthenticationToken的构造函数接受以下三个参数:-
字符串键,对象主体,集合<?扩展GrantedAuthority>当局
我知道委托人是代币的发行人。如何获取密钥和权限的值?此外,可以扩展OncePerRequestFilter吗?还是应该扩展其他过滤器?
AnonymousAuthenticationToken类代码表示:
/**
* Constructor.
*
* @param key to identify if this object made by an authorised client
* @param principal the principal (typically a <code>UserDetails</code>)
* @param authorities the authorities granted to the principal
* @throws IllegalArgumentException if a <code>null</code> was passed
*/
public AnonymousAuthenticationToken(String key, Object principal,
Collection<? extends GrantedAuthority> authorities) {
this(extractKeyHash(key), principal, authorities);
}
对于每个用户,都会定义一些角色。您可以从这些角色生成权限:
private Collection<? extends GrantedAuthority> translate(List<Roles> roles) {
List<GrantedAuthority> authorities = new ArrayList<>();
if(!CollectionUtils.isEmpty(roles)){
for (Roles role : roles) {
String name = "ROLE_"+role.getRoleId().toUpperCase();
authorities.add(new SimpleGrantedAuthority(name));
}
}
return authorities;
}
"键";基本上是为您的应用程序定义的客户端密钥,以获得识别的