Why doesn't Spring Security filter my queries?

nnvyjq4y  posted on 2022-12-29  in  Spring

I am trying to enable Spring Security for a REST API application, but my custom filter is never called.
Here is my configuration:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringConfig {

    @Resource
    public AuthorizationFilter authorizationFilter;
    
    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
        return authenticationConfiguration.getAuthenticationManager();
    }
    
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Enable CORS and disable CSRF
        http = http.cors().and().csrf().disable();

        // Set session management to stateless
        http = http
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and();

        // Set unauthorized requests exception handler
        http = http
            .exceptionHandling()
            .authenticationEntryPoint(
                (request, response, ex) -> {
                    response.sendError(
                        HttpServletResponse.SC_UNAUTHORIZED,
                        ex.getMessage()
                    );
                }
            )
            .and();

        // Set permissions on endpoints
        http.authorizeRequests()
            // Our private endpoints
            .anyRequest().authenticated();

        // Add JWT token filter
        http.addFilterBefore(
            authorizationFilter,
            UsernamePasswordAuthenticationFilter.class
        );
        return http.build();
    }
}

Here is my custom filter:

@Component
public class AuthorizationFilter extends OncePerRequestFilter {

    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String BEARER_PREFIX = "Bearer ";
    
    @Resource
    private ExternalAuthenticationService externalAuthenticationService;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        final String header = request.getHeader(AUTHORIZATION_HEADER);
        if (header != null && header.startsWith(BEARER_PREFIX)) {
            // Strip only the leading prefix; replace() would also remove "Bearer " inside the token value
            String token = header.substring(BEARER_PREFIX.length());
            if (StringUtils.isNotBlank(token)) {
                Identity id = externalAuthenticationService.verifyToken(token);
                if (id != null) {
                    SecurityContextHolder.getContext().setAuthentication(
                        new UsernamePasswordAuthenticationToken(id, null,
                            Collections.singleton(new SimpleGrantedAuthority(id.getType()))));
                }
            }
        }
        chain.doFilter(request, response);
    }
}

I expected all requests to go through the custom filter, but it does not work. What am I missing? The Spring Security debug log did not help.

rqqzpn5f #1

I was missing an AbstractSecurityWebApplicationInitializer class:

@Order(2)
public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer {

}

After adding that class, Spring Security is activated.
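
Added example, not part of the original post or of Spring Security itself: a startup check that fails deployment when no `springSecurityFilterChain` servlet filter is mapped to `/*`, which is the condition the answer above corrected. The class name `SecurityChainStartupCheck` is hypothetical, and the `javax.servlet` imports are an assumption about the Spring version (use `jakarta.servlet` with Spring 6).

```java
import java.util.Collection;

import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.WebApplicationInitializer;

// Hypothetical class. Sorted after any initializer with an explicit lower
// @Order value, such as the @Order(2) SecurityInitializer in the answer.
@Order(Ordered.LOWEST_PRECEDENCE)
public class SecurityChainStartupCheck implements WebApplicationInitializer {

    // Filter name under which AbstractSecurityWebApplicationInitializer
    // registers its DelegatingFilterProxy.
    static final String CHAIN_FILTER_NAME = "springSecurityFilterChain";

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        String problem = findProblem(servletContext);
        if (problem != null) {
            // Fail closed: an application that starts without the chain
            // serves every endpoint with no authentication at all.
            throw new ServletException("Refusing to start: " + problem);
        }
    }

    // Returns a description of the misconfiguration, or null if the chain is wired.
    static String findProblem(ServletContext ctx) {
        FilterRegistration reg = ctx.getFilterRegistration(CHAIN_FILTER_NAME);
        if (reg == null) {
            return "no servlet filter named '" + CHAIN_FILTER_NAME
                + "' is registered, so the SecurityFilterChain bean is never invoked";
        }
        Collection<String> patterns = reg.getUrlPatternMappings();
        if (!patterns.contains("/*")) {
            return "filter '" + CHAIN_FILTER_NAME + "' is mapped to " + patterns
                + " instead of /*, so some requests bypass it";
        }
        return null;
    }
}
```

With the question's original setup this check aborts startup with the first message; once `SecurityInitializer` is on the classpath it passes silently.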
