我正在用java和spring Boot 3.1.1版本构建一个登录和注册应用程序,我实现了实体:
@Entity
@Getter
@Setter
@EqualsAndHashCode
@NoArgsConstructor
@Table(name = "users")
public class User {
@Id
@Column(name = "user_id")
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
private String firstName;
private String lastName;
private String userName;
private String email;
private String password;
private LocalDate registrationDate;
@ManyToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
@JoinTable(name = "users_roles",
joinColumns = @JoinColumn(name = "user_id"),
inverseJoinColumns = @JoinColumn(name = "role_id"))
private Set<Role> roles = new HashSet<>();
private Boolean locked = false;
private Boolean enabled = true;
public User(String firstName, String lastName, String userName, String email, String password) {
this.firstName = firstName;
this.lastName = lastName;
this.userName = userName;
this.email = email;
this.password = password;
this.registrationDate = LocalDate.now();
}
}
@Entity
@Getter
@Setter
@EqualsAndHashCode
@NoArgsConstructor
public class Role {
@Id
@Column(name = "role_id")
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
@Enumerated(EnumType.STRING)
private UserRole roleName;
}
public enum UserRole {
WAITER,
KITCHEN,
CASHIER,
ADMIN;
}
@Getter
@AllArgsConstructor
public class AppUserDetails implements UserDetails {
private final User user;
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
List<SimpleGrantedAuthority> authorities = new ArrayList<>();
user.getRoles().forEach(role -> {
authorities.add(new SimpleGrantedAuthority(role.getRoleName().name()));
});
return authorities;
}
@Override
public String getPassword() {
return user.getPassword();
}
@Override
public String getUsername() {
return user.getUserName();
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return !user.getLocked();
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return user.getEnabled();
}
}
@Service
@AllArgsConstructor
public class UserService implements UserDetailsService {
private final UserRepository userRepository;
@Override
@Transactional(readOnly = true)
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
return new AppUserDetails(userRepository.findByUserName(username).orElseThrow(() ->
new UsernameNotFoundException(String.format("User %s not found", username))));
}
}字符串
以及JWT过滤器、配置等:
@Service
public class JwtService {
@Value("${api.security.token.secret}")
private String secretKey;
public String extractUsername(String token) {
return extractClaim(token, Claims::getSubject);
}
public <T> T extractClaim(String token, Function<Claims, T> claimsResolver) {
final Claims claims = extractAllClaims(token);
return claimsResolver.apply(claims);
}
public String generateTokens(UserDetails userDetails) {
return generateToken(new HashMap<>(), userDetails);
}
public String generateToken(Map<String, Object> extraClaims, UserDetails userDetails) {
return Jwts.builder()
.setClaims(extraClaims)
.setSubject(userDetails.getUsername())
.setIssuedAt(new Date(System.currentTimeMillis()))
.setExpiration(new Date((System.currentTimeMillis() + 1000 * 60 * 24)))
.signWith(getSignInKey(), SignatureAlgorithm.HS256)
.compact();
}
public boolean isTokenValid(String token, UserDetails userDetails) {
final String username = extractUsername(token);
return (username.equals(userDetails.getUsername())) && !isTokenExpired(token);
}
private boolean isTokenExpired(String token) {
return extractExpiration(token).before(new Date());
}
private Date extractExpiration(String token) {
return extractClaim(token, Claims::getExpiration);
}
private Claims extractAllClaims (String token) {
return Jwts.parserBuilder().setSigningKey(getSignInKey()).build().parseClaimsJws(token).getBody();
}
private Key getSignInKey() {
byte [] keysBytes = Decoders.BASE64.decode(secretKey);
return Keys.hmacShaKeyFor(keysBytes);
}
}
@Component
@RequiredArgsConstructor
public class JwtAuthenticationFilter extends OncePerRequestFilter {
private final JwtService jwtService;
private final UserService userDetailsService;
@Override
protected void doFilterInternal(@NonNull HttpServletRequest request, @NonNull HttpServletResponse response, @NonNull FilterChain filterChain) throws ServletException, IOException {
final String authHeader = request.getHeader("Authorization");
final String jwt;
final String userName;
if (authHeader == null || !authHeader.startsWith("Bearer ")) {
filterChain.doFilter(request, response);
return;
}
jwt = authHeader.substring(7);
userName = jwtService.extractUsername(jwt);
if (userName != null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = this.userDetailsService.loadUserByUsername(userName);
if (jwtService.isTokenValid(jwt, userDetails)) {
UsernamePasswordAuthenticationToken authenticationToken =
new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
}
}
filterChain.doFilter(request, response);
}
}
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfigurations {
private final JwtAuthenticationFilter jwtAuthFilter;
private final AuthenticationProvider authenticationProvider;
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
return http
.csrf(AbstractHttpConfigurer::disable)
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests(
authorize -> authorize
.requestMatchers(HttpMethod.POST, "/api/v*/auth/register").hasAnyRole("ADMIN", "CASHIER")
.requestMatchers(HttpMethod.POST, "/api/v*/auth/authenticate").permitAll()
.anyRequest().authenticated()
)
.authenticationProvider(authenticationProvider)
.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)
.build();
}
}型
每次我尝试身份验证时,都会成功生成令牌:
@RestController
@RequiredArgsConstructor
@RequestMapping(path = "/api/v1/auth")
public class AuthenticationController {
private final AuthenticationService authenticationService;
@PostMapping("/register")
@PreAuthorize("hasAnyRole('ADMIN', 'CASHIER')")
public ResponseEntity<AuthenticationResponse> register(@RequestBody RegistrationRequest request) {
return new ResponseEntity<>(authenticationService.register(request), HttpStatus.CREATED);
}
@PostMapping("/authenticate")
public ResponseEntity<AuthenticationResponse> authenticate(@RequestBody AuthenticationRequest request) {
return new ResponseEntity<>(authenticationService.authenticate(request), HttpStatus.OK);
}
}
@Service
@RequiredArgsConstructor
public class AuthenticationService {
private final JwtService jwtService;
private final UserRepository userRepository;
private final PasswordEncoder passwordEncoder;
private final RolesRepository rolesRepository;
private final AuthenticationManager authenticationManager;
public AuthenticationResponse register(RegistrationRequest request) {
User user = new User(
request.getFirstName(),
request.getLastName(),
request.getUserName(),
request.getEmail(),
passwordEncoder.encode(request.getPassword())
);
request.getRoles().forEach(role -> user.getRoles().add(rolesRepository.findByRoleName(role).orElseThrow(
() -> new NoSuchElementException(String.format("Role %s was not found at database", role.name()))
)));
userRepository.save(user);
return AuthenticationResponse.builder().token("Testando assim").build();
}
// TODO add some errors to return message to user
// TODO add a constraint into username field
public AuthenticationResponse authenticate(AuthenticationRequest request) {
authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(request.getUsername(), request.getPassword()));
User user = userRepository.findByUserName(request.getUsername()).orElseThrow(
() -> new NoSuchElementException(String.format("Username %s not found", request.getUsername())));
var jwtToken = jwtService.generateTokens(new AppUserDetails(user));
return AuthenticationResponse.builder().token(jwtToken).build();
}
}型
我直接在数据库中注册了一个用户,具有管理员角色,但是当我尝试在系统中使用管理员用户生成的令牌在身份验证方法中注册另一个用户时,我收到403消息,甚至没有访问注册方法,我错过了什么?
我可以使存储库公开和张贴链接,如果将更好。
添加了请求。登录以获取令牌:
x1c 0d1x的数据
在register的请求报头处设置承载令牌:
的
的
包含以下消息的请求正文:
的
属性打印屏幕:
x1c4d 1x的
方法的Spring return:
型
不带@PreAuthorize(“hasAnyRole('ADMIN','CASHIER')”)和带.permitAll()返回:
型
1条答案
按热度按时间yizd12fk1#
经过长时间的搜索和文档阅读,我终于找到了我的问题所在。我只通过前缀'ADMIN','CASHIER',...Map实体和角色。但是当使用函数
hasAnyRoles时,角色应该在其名称中有前缀role,如'ROLE_ADMIN','ROLE_CASHIER',而不仅仅是名称。但是已经有一个方法可以不使用前缀'ROLE',hasAuthority方法只使用名称!所以解决方案是改变我Map链过滤器方法的方式:
字符串
在这个例子中,我使用了正确的方法。而且工作得很好!
x1c 0d1x的数据