Spring Security:如何让不同的过滤器使用不同的身份验证提供程序(AuthenticationProvider)



在我的安全层中,我使用了两个过滤器:AjaxAuthenticationFilter 和 JWTAuthenticationFilter(它们都扩展了 AbstractAuthenticationProcessingFilter)。对于第一个,我只想使用 AjaxAuthenticationProvider;对于第二个,我只想使用 JwtAuthenticationProvider。

这正是我的问题所在:我无法把这两个身份验证提供程序分开。

我试过这段代码,但不起作用:

/**
 * Web security setup that registers an AJAX login filter and a JWT token filter.
 *
 * <p>NOTE(review): both build* methods hand the same injected {@code authenticationManager}
 * to their filter, so neither filter is tied to a single provider by this class. The
 * {@code http.authenticationProvider(...)} calls in the nested configs register a provider
 * on the HttpSecurity object; they do not replace the manager already set on the filters.
 */
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    public static final String AUTHENTICATION_HEADER_NAME = "Authorization";
    public static final String AUTHENTICATION_URL = "/api/auth/login";
    public static final String REFRESH_TOKEN_URL = "/api/auth/token";
    public static final String API_ROOT_URL = "/api/**";

    @Autowired private RestAuthenticationEntryPoint authenticationEntryPoint;
    @Autowired private AjaxAwareAuthenticationSuccessHandler successHandler;
    @Autowired private AjaxAwareAuthenticationFailureHandler failureHandler;
    @Autowired private AjaxAuthenticationProvider ajaxAuthenticationProvider;
    @Autowired private JwtAuthenticationProvider jwtAuthenticationProvider;
    // Single manager instance that is handed to both filters below.
    @Autowired private AuthenticationManager authenticationManager;
    @Autowired private ObjectMapper objectMapper;
    /**
     * Creates the AJAX login filter for the given login URL.
     *
     * @param loginEntryPoint URL passed to the filter's constructor
     * @return the filter, wired to the shared {@code authenticationManager} field
     */
    protected AjaxLoginProcessingFilter buildAjaxLoginProcessingFilter(String loginEntryPoint) throws Exception {
        AjaxLoginProcessingFilter filter = 
                new AjaxLoginProcessingFilter(loginEntryPoint, successHandler, failureHandler, objectMapper);
        filter.setAuthenticationManager(authenticationManager);
        return filter;
    }
    /**
     * Creates the JWT token filter.
     *
     * @param pathsToSkip paths handed to {@code SkipPathRequestMatcher} together with {@code pattern}
     * @param pattern     URL pattern handed to {@code SkipPathRequestMatcher}
     * @return the filter, wired to the same shared {@code authenticationManager} field
     */
    protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter(List<String> pathsToSkip, String pattern) {
        SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, pattern);
        JwtTokenAuthenticationProcessingFilter filter = 
                new JwtTokenAuthenticationProcessingFilter(failureHandler, matcher);
        filter.setAuthenticationManager(this.authenticationManager);
        return filter;
    }
    // Exposes the adapter's AuthenticationManager as a bean.
    // NOTE(review): presumably this is the instance injected into the
    // authenticationManager field above - confirm.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Configures authorization rules: the listed endpoints are open, {@code /api/**}
     * requires an authenticated caller. No filter is added in this method.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // NOTE(review): "/console" is reachable without authentication; confirm what
        // is served there before this configuration is deployed.
        List<String> permitAllEndpointsList = Arrays.asList(
            AUTHENTICATION_URL,
            REFRESH_TOKEN_URL,
            "/console"
        );
        // CSRF protection is switched off and no HTTP session is created.
        // NOTE(review): that combination is only appropriate if the credential is sent
        // in a request header and never in a cookie - confirm against the filters.
        http.
            csrf().disable()
            .exceptionHandling()
            .authenticationEntryPoint(this.authenticationEntryPoint)
        .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
            .authorizeRequests()
            .antMatchers(permitAllEndpointsList.toArray(new String[permitAllEndpointsList.size()]))
            .permitAll()
        .and()
            .authorizeRequests()
            .antMatchers(API_ROOT_URL).authenticated(); 
    }
    // NOTE(review): this chain has no antMatcher/requestMatcher, so it is not scoped to
    // any URL pattern. Spring Security applies only the first chain that matches a
    // request, so the lower-priority configurations are presumably never reached - confirm.
    // It also sets no authorization rules, entry point or session policy of its own.
    @Configuration
    @Order(1)
    public class AjaxWebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf().disable()
                .addFilterBefore(buildAjaxLoginProcessingFilter(AUTHENTICATION_URL), UsernamePasswordAuthenticationFilter.class)
                // Registers the provider on this HttpSecurity; the filter built above
                // was already given the shared manager.
                .authenticationProvider(ajaxAuthenticationProvider);
        }
    }
    // NOTE(review): like the @Order(1) config, this chain is not scoped to a URL pattern
    // and declares no authorization rules.
    @Configuration
    @Order(2)
    public class JwtWebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Paths the JWT filter's SkipPathRequestMatcher is told to skip.
            List<String> permitAllEndpointsList = Arrays.asList(
                    AUTHENTICATION_URL,
                    REFRESH_TOKEN_URL,
                    "/console"
                );
            http
                .csrf().disable()
                .addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(permitAllEndpointsList, API_ROOT_URL),
                    UsernamePasswordAuthenticationFilter.class)
                // Registers the provider on this HttpSecurity; the filter built above
                // was already given the shared manager.
                .authenticationProvider(jwtAuthenticationProvider);
        }
    }
}

感谢您的帮助。我的代码完全写错了:注解和方法都用错了。

我的解决办法是把正确的 authManager 传给对应的配置(只看下面这部分即可):

 @Configuration
    @Order(1)
    public class AjaxWebSecurityConfig extends WebSecurityConfigurerAdapter {

        /**
         * Registers the AJAX provider on this adapter's own AuthenticationManagerBuilder.
         * It is the only provider added here, so the manager obtained from this
         * configuration is not shared with the JWT configuration.
         */
        @Override
        protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(ajaxAuthenticationProvider);
        }
    }
@Configuration
public class JwtWebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Registers the JWT provider on this adapter's own AuthenticationManagerBuilder.
     * It is the only provider added here, so the manager obtained from this
     * configuration is not shared with the AJAX login configuration.
     */
    @Override
    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(jwtAuthenticationProvider);
    }
}

在标注了 @Order(1) 的配置中,必须定义 antMatcher(强制),否则该配置会匹配所有请求,排在后面的配置就不会被用到:

// antMatcher (singular) limits this whole HttpSecurity chain to /api/auth/**;
// antMatchers (plural) then opens the login URL to unauthenticated callers.
// NOTE(review): other paths under /api/auth/** match no rule in this fragment, and
// requests without a matching rule are not restricted by authorizeRequests() -
// add an explicit anyRequest() rule if they should be protected.
.and()
                    .antMatcher("/api/auth/**")
                    .authorizeRequests()
                    .antMatchers(AUTHENTICATION_URL)
                    .permitAll()

在最后一个配置中,我必须为"/**"定义antMatchers

// Catch-all rule for the last (fallback) chain: every request that reaches it
// must be authenticated.
.authorizeRequests()
        .antMatchers("/**").authenticated()

最终结果:

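/**
 * Spring Security setup with two filter chains, each backed by its own
 * {@code AuthenticationManager} so that each authentication filter consults one provider.
 *
 * <ul>
 *   <li>{@code AjaxWebSecurityConfig} ({@code @Order(1)}) handles {@code /api/auth/**} and
 *       carries the AJAX login filter.</li>
 *   <li>{@code JwtWebSecurityConfig} (no {@code @Order}, so it keeps the adapter's default,
 *       lower precedence) is the fallback chain and carries the JWT filter.</li>
 * </ul>
 *
 * <p>Both chains disable CSRF protection, which is paired with a stateless session policy
 * so that no session cookie becomes an ambient credential.
 * NOTE(review): confirm the token itself is never delivered in a cookie.
 */
@EnableWebSecurity
public class WebSecurityConfig {
    public static final String AUTHENTICATION_HEADER_NAME = "Authorization";
    public static final String AUTHENTICATION_URL = "/api/auth/login";
    public static final String REFRESH_TOKEN_URL = "/api/auth/token";
    public static final String API_ROOT_URL = "/api/**";

    @Autowired private RestAuthenticationEntryPoint authenticationEntryPoint;
    @Autowired private AjaxAwareAuthenticationSuccessHandler successHandler;
    @Autowired private AjaxAwareAuthenticationFailureHandler failureHandler;
    @Autowired private AjaxAuthenticationProvider ajaxAuthenticationProvider;
    @Autowired private JwtAuthenticationProvider jwtAuthenticationProvider;
    @Autowired private ObjectMapper objectMapper;

    /**
     * Creates the AJAX login filter.
     *
     * @param loginEntryPoint URL passed to the filter's constructor
     * @param authManager     manager the filter authenticates against; callers pass the
     *                        manager of the configuration the filter is installed in
     * @return the configured filter
     */
    protected AjaxLoginProcessingFilter buildAjaxLoginProcessingFilter(String loginEntryPoint,
            AuthenticationManager authManager) throws Exception {
        AjaxLoginProcessingFilter filter =
                new AjaxLoginProcessingFilter(loginEntryPoint, successHandler, failureHandler, objectMapper);
        filter.setAuthenticationManager(authManager);
        return filter;
    }

    /**
     * Creates the JWT token filter.
     *
     * <p>No skip-list is passed any more: the login and refresh URLs live under
     * {@code /api/auth/**}, which the {@code @Order(1)} chain claims, so they do not
     * reach the chain this filter is installed in.
     *
     * @param urlForFilter URL pattern passed to the filter's constructor
     * @param authManager  manager the filter authenticates against
     * @return the configured filter
     */
    protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter(String urlForFilter,
            AuthenticationManager authManager) {
        JwtTokenAuthenticationProcessingFilter filter =
                new JwtTokenAuthenticationProcessingFilter(failureHandler, urlForFilter);
        filter.setAuthenticationManager(authManager);
        return filter;
    }

    /** Filter chain for {@code /api/auth/**}; only the AJAX provider is registered. */
    @Configuration
    @Order(1)
    public class AjaxWebSecurityConfig extends WebSecurityConfigurerAdapter {
        /** Registers the AJAX provider as the only provider of this configuration's manager. */
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(ajaxAuthenticationProvider);
        }

        /**
         * Scopes the chain to the auth endpoints, opens the login and refresh URLs and
         * installs the AJAX login filter with this configuration's own manager.
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf().disable()
                .exceptionHandling()
                    .authenticationEntryPoint(authenticationEntryPoint)
                .and()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                // antMatcher (singular) limits the whole chain; without it this
                // highest-priority chain would claim every request.
                .antMatcher("/api/auth/**")
                .authorizeRequests()
                    // The refresh URL was previously open only because no rule matched it;
                    // list it explicitly so the intent is visible.
                    .antMatchers(AUTHENTICATION_URL, REFRESH_TOKEN_URL).permitAll()
                    // Fail closed: a request with no matching rule is otherwise let
                    // through, which left every other path under /api/auth/** open.
                    .anyRequest().authenticated()
                .and()
                .addFilterBefore(
                    buildAjaxLoginProcessingFilter(AUTHENTICATION_URL, super.authenticationManager()),
                    UsernamePasswordAuthenticationFilter.class)
                .authenticationProvider(ajaxAuthenticationProvider);
        }
    }

    /** Fallback filter chain for every other request; only the JWT provider is registered. */
    @Configuration
    public class JwtWebSecurityConfig extends WebSecurityConfigurerAdapter {
        /** Registers the JWT provider as the only provider of this configuration's manager. */
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(jwtAuthenticationProvider);
        }

        /**
         * Requires authentication for every request and installs the JWT filter with this
         * configuration's own manager. The filter is built for {@code API_ROOT_URL}; paths
         * outside it still require authentication but have no filter here that grants it.
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf().disable()
                // Same entry point as the login chain, so unauthenticated API calls get
                // the same response on both chains.
                .exceptionHandling()
                    .authenticationEntryPoint(authenticationEntryPoint)
                .and()
                // Without this the default policy may create an HTTP session after a
                // successful token check; with CSRF protection off, a session cookie
                // would then be usable cross-site.
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                    .antMatchers("/**").authenticated()
                .and()
                .addFilterBefore(
                    buildJwtTokenAuthenticationProcessingFilter(API_ROOT_URL, super.authenticationManager()),
                    UsernamePasswordAuthenticationFilter.class)
                .authenticationProvider(jwtAuthenticationProvider);
        }
    }
}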
