Spring Boot custom JWT filter does not allow any request without a token

jjjwad0x  posted 2021-06-30  in  Java
Follow (0) | Answers (1) | Views (281)

I am using a custom JWT filter together with a Spring Boot security configuration to allow certain API requests without a JWT token. But the permitAll() method in the WebSecurity configuration does not work (no request without a JWT is allowed). It throws a custom InvalidJwtException. What am I missing? I have tried a lot of Googling, but without success.
WebSecurity configuration class

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
class WebSecurityConfig(
    private val jwtTokenProvider: JwtTokenProvider,
    private val filterChainExceptionHandler: FilterChainExceptionHandler,
) : WebSecurityConfigurerAdapter() {

    override fun configure(http: HttpSecurity?) {

        http?.csrf()?.disable()
        http?.sessionManagement()?.sessionCreationPolicy(SessionCreationPolicy.STATELESS)

        http
            ?.authorizeRequests()
            ?.antMatchers("/api/v1/auth/signin")?.permitAll()
            ?.antMatchers("/api/v1/auth/checkEmailExist")?.permitAll()
            ?.anyRequest()?.authenticated()

        http
            ?.addFilterBefore(JwtTokenFilter(jwtTokenProvider), UsernamePasswordAuthenticationFilter::class.java)
            ?.addFilterBefore(filterChainExceptionHandler, JwtTokenFilter::class.java)

    }

    @Bean
    fun passwordEncoder(): PasswordEncoder {
        return BCryptPasswordEncoder(10)
    }

    @Bean
    override fun authenticationManagerBean(): AuthenticationManager {
        return super.authenticationManagerBean()
    }
}

JwtTokenFilter class

@Component
class JwtTokenFilter(
    private val jwtTokenProvider: JwtTokenProvider
) : OncePerRequestFilter() {

    override fun doFilterInternal(
        request: HttpServletRequest,
        response: HttpServletResponse,
        filterChain: FilterChain
    ) {
        try {
            val token = jwtTokenProvider.resolveToken(request)
            if (token != null && jwtTokenProvider.validateToken(token)) {
                val auth = jwtTokenProvider.getAuthentication(token)
                SecurityContextHolder.getContext().authentication = auth
            }
        } catch (e: InvalidJwtException) {
            SecurityContextHolder.clearContext()
            throw InvalidJwtException(e.message, e.httpStatus)
        }
        filterChain.doFilter(request, response)
    }
}

resolveToken function

fun resolveToken(req: HttpServletRequest): String? {
    val bearerToken = req.getHeader(AUTHORIZATION_HEADER)
    return if (bearerToken != null && bearerToken.startsWith(BEARER)) {
        bearerToken.substring(7)
    } else {
        throw InvalidJwtException("Authorization token must be Bearer [token]", HttpStatus.FORBIDDEN)
    }
}
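The behaviour in the question follows from filter ordering: a filter registered with addFilterBefore() runs for every request in the chain, and the authorizeRequests() rules (permitAll, authenticated) are only evaluated afterwards, at the end of the chain. Because resolveToken() throws as soon as the Authorization header is missing, the request never reaches the authorization step where permitAll would apply. The following is an added example, not code from the question, showing a filter that treats an absent token as "anonymous" and leaves the decision to the authorization rules, while still failing closed when a token is presented but invalid. The JwtTokenProvider interface and InvalidJwtException are stand-ins assumed to match the question's classes.

```kotlin
import javax.servlet.FilterChain
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.springframework.context.annotation.Configuration
import org.springframework.http.HttpHeaders
import org.springframework.http.HttpStatus
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.http.SessionCreationPolicy
import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder
import org.springframework.security.web.authentication.HttpStatusEntryPoint
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
import org.springframework.web.filter.OncePerRequestFilter

// Same shape as the question's exception (assumption: a message plus an HTTP status).
class InvalidJwtException(message: String, val httpStatus: HttpStatus) : RuntimeException(message)

// Hypothetical stand-in for the question's JwtTokenProvider: only validation and
// principal lookup remain here; header parsing moves into the filter below.
interface JwtTokenProvider {
    fun validateToken(token: String): Boolean   // expected to throw InvalidJwtException on a bad token
    fun getAuthentication(token: String): Authentication
}

class JwtTokenFilter(private val jwtTokenProvider: JwtTokenProvider) : OncePerRequestFilter() {

    private val bearerPrefix = "Bearer "

    // Returns null when there is no Authorization header or it is not a Bearer scheme.
    // "No token" is not an error at this layer: the authorizeRequests() rules decide later
    // whether an anonymous request may reach the endpoint.
    private fun resolveToken(request: HttpServletRequest): String? {
        val header = request.getHeader(HttpHeaders.AUTHORIZATION) ?: return null
        if (!header.startsWith(bearerPrefix)) return null
        val token = header.substring(bearerPrefix.length).trim()
        return token.ifEmpty { null }
    }

    override fun doFilterInternal(
        request: HttpServletRequest,
        response: HttpServletResponse,
        filterChain: FilterChain,
    ) {
        val token = resolveToken(request)
        if (token != null) {
            try {
                if (jwtTokenProvider.validateToken(token)) {
                    SecurityContextHolder.getContext().authentication =
                        jwtTokenProvider.getAuthentication(token)
                }
            } catch (e: InvalidJwtException) {
                // A token was presented but is invalid: fail closed with the provider's status
                // instead of silently continuing as anonymous.
                SecurityContextHolder.clearContext()
                response.sendError(e.httpStatus.value(), e.message)
                return
            }
        }
        filterChain.doFilter(request, response)
    }
}

@Configuration
@EnableWebSecurity
class WebSecurityConfig(private val jwtTokenProvider: JwtTokenProvider) : WebSecurityConfigurerAdapter() {

    override fun configure(http: HttpSecurity) {
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Unauthenticated access to a protected URL gets a plain 401 rather than a login redirect.
            .exceptionHandling().authenticationEntryPoint(HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
            .and()
            .authorizeRequests()
            .antMatchers("/api/v1/auth/signin", "/api/v1/auth/checkEmailExist").permitAll()
            .anyRequest().authenticated()
            .and()
            .addFilterBefore(JwtTokenFilter(jwtTokenProvider), UsernamePasswordAuthenticationFilter::class.java)
    }
}
```

With this arrangement a request to /api/v1/auth/signin with no Authorization header passes through the filter unauthenticated and is admitted by permitAll(); the same request to any other path is stopped by anyRequest().authenticated() and answered with 401 by the entry point. Rejecting a presented-but-invalid token in the filter, rather than downgrading it to anonymous, is a deliberate fail-closed choice: a tampered or expired token never reaches a handler as if it had simply been omitted.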
disho6za

Token validation should exclude the authentication URLs:

if (!request.getRequestURL().toString().contains("auth") || (token != null && jwtTokenProvider.validateToken(token)))

You can choose a better string than the "auth" I used to identify the excluded paths.
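One way to make the exclusion above precise, as an added example that is not part of the answer: OncePerRequestFilter already has a shouldNotFilter() hook, and Spring Security's AntPathRequestMatcher matches whole paths rather than substrings, so "/api/v1/auth/signin" is excluded while an unrelated path that merely contains "auth" (for example "/api/v1/authors") still goes through token validation. The public paths are kept in one list shared with the permitAll() rules so the two cannot drift apart. The JwtTokenProvider interface is a stand-in assumed to behave like the question's class, including resolveToken() throwing when the header is absent.

```kotlin
import javax.servlet.FilterChain
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.http.SessionCreationPolicy
import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
import org.springframework.security.web.util.matcher.AntPathRequestMatcher
import org.springframework.security.web.util.matcher.OrRequestMatcher
import org.springframework.security.web.util.matcher.RequestMatcher
import org.springframework.web.filter.OncePerRequestFilter

// Single source of truth for endpoints that need no JWT. Assumption: these are the two
// paths the question marks permitAll(); new public paths are added here, not as string checks.
val PUBLIC_ENDPOINTS: List<String> = listOf(
    "/api/v1/auth/signin",
    "/api/v1/auth/checkEmailExist",
)

// Ant-style matching of the full servlet path: "/api/v1/authors" does not match,
// whereas a contains("auth") test would treat it as public.
val PUBLIC_MATCHER: RequestMatcher = OrRequestMatcher(PUBLIC_ENDPOINTS.map { AntPathRequestMatcher(it) })

// Hypothetical stand-in for the question's JwtTokenProvider; resolveToken() may throw
// when the Bearer header is missing, exactly as in the question.
interface JwtTokenProvider {
    fun resolveToken(req: HttpServletRequest): String?
    fun validateToken(token: String): Boolean
    fun getAuthentication(token: String): Authentication
}

class JwtTokenFilter(private val jwtTokenProvider: JwtTokenProvider) : OncePerRequestFilter() {

    // The whole filter is skipped for public endpoints, so resolveToken() is never
    // called there and its "must be Bearer [token]" exception cannot fire.
    override fun shouldNotFilter(request: HttpServletRequest): Boolean =
        PUBLIC_MATCHER.matches(request)

    override fun doFilterInternal(
        request: HttpServletRequest,
        response: HttpServletResponse,
        filterChain: FilterChain,
    ) {
        val token = jwtTokenProvider.resolveToken(request)
        if (token != null && jwtTokenProvider.validateToken(token)) {
            SecurityContextHolder.getContext().authentication =
                jwtTokenProvider.getAuthentication(token)
        }
        filterChain.doFilter(request, response)
    }
}

@Configuration
@EnableWebSecurity
class WebSecurityConfig(private val jwtTokenProvider: JwtTokenProvider) : WebSecurityConfigurerAdapter() {

    override fun configure(http: HttpSecurity) {
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            // Same list as the filter: the authorization rules and the filter bypass agree by construction.
            .antMatchers(*PUBLIC_ENDPOINTS.toTypedArray()).permitAll()
            .anyRequest().authenticated()
            .and()
            .addFilterBefore(JwtTokenFilter(jwtTokenProvider), UsernamePasswordAuthenticationFilter::class.java)
    }
}
```

Bypassing the filter only for an explicit allow-list keeps the default at "validate": any path not listed, including future endpoints, still requires a valid token, which is the safer direction for a rule to drift in.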
