我使用带有spring引导安全配置的定制jwt过滤器来允许某些api请求而不使用jwt令牌。但是websecurity配置中的permitall()方法不起作用(不允许任何没有jwt的请求)。它抛出自定义invalidjwtexception。我错过了什么?我尝试过很多谷歌搜索,但都没有成功。
WebSecurity配置类
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
class WebSecurityConfig(
private val jwtTokenProvider: JwtTokenProvider,
private val filterChainExceptionHandler: FilterChainExceptionHandler,
) : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity?) {
http?.csrf()?.disable()
http?.sessionManagement()?.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
http
?.authorizeRequests()
?.antMatchers("/api/v1/auth/signin")?.permitAll()
?.antMatchers("/api/v1/auth/checkEmailExist")?.permitAll()
?.anyRequest()?.authenticated()
http
?.addFilterBefore(JwtTokenFilter(jwtTokenProvider), UsernamePasswordAuthenticationFilter::class.java)
?.addFilterBefore(filterChainExceptionHandler, JwtTokenFilter::class.java)
}
@Bean
fun passwordEncoder(): PasswordEncoder {
return BCryptPasswordEncoder(10)
}
@Bean
override fun authenticationManagerBean(): AuthenticationManager {
return super.authenticationManagerBean()
}
}
jwttokenfilter类
@Component
class JwtTokenFilter(
private val jwtTokenProvider: JwtTokenProvider
) : OncePerRequestFilter() {
override fun doFilterInternal(
request: HttpServletRequest,
response: HttpServletResponse,
filterChain: FilterChain
) {
try {
val token = jwtTokenProvider.resolveToken(request)
if (token != null && jwtTokenProvider.validateToken(token)) {
val auth = jwtTokenProvider.getAuthentication(token)
SecurityContextHolder.getContext().authentication = auth
}
} catch (e: InvalidJwtException) {
SecurityContextHolder.clearContext()
throw InvalidJwtException(e.message, e.httpStatus)
}
filterChain.doFilter(request, response)
}
}
resolvetoken函数
fun resolveToken(req: HttpServletRequest): String? {
val bearerToken = req.getHeader(AUTHORIZATION_HEADER)
return if (bearerToken != null && bearerToken.startsWith(BEARER)) {
bearerToken.substring(7)
} else {
throw InvalidJwtException("Authorization token must be Bearer [token]", HttpStatus.FORBIDDEN)
}
}
1条答案
按热度按时间disho6za1#
令牌验证应排除身份验证URL:
您可以选择比我使用的“auth”更好的字符串来标识排除的路径