springboot 3.1.3中customfilter扩展AbstractAuthenticationProcessingFilter的问题

a64a0gku  于 2023-10-15  发布在  Spring
关注(0)|答案(1)|浏览(168)

所以我观察到,当我试图在安全链中使用自定义过滤器时,我没有得到会话cookie。我为什么要这么做?因为我想在JSON中发送用户名和密码,而不是在查询字符串.
我基于此:
https://ckinan.com/blog/spring-security-credentials-from-json-request/
我检查了一下:
Spring security- Send credentials as json instead of regular form in rest service
我的自定义过滤器:

public class CustomFilter extends AbstractAuthenticationProcessingFilter {
    protected CustomFilter() {
        super(new AntPathRequestMatcher("/login", "POST"));
    }

    @Override
    public Authentication attemptAuthentication(
            HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {

        String username, password;

        try {
            Map<String, String> requestMap = new ObjectMapper().readValue(request.getInputStream(), Map.class);
            username = requestMap.get("username");
            password = requestMap.get("password");
        } catch (IOException e) {
            throw new AuthenticationServiceException(e.getMessage(), e);
        }

        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
                username, password);

        return this.getAuthenticationManager().authenticate(authRequest);
    }
}

我的securityConfig:

public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception {
        return authConfig.getAuthenticationManager();
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        CustomFilter mupaf = new CustomFilter();
        mupaf.setAuthenticationManager(authenticationManager(authenticationManagerBuilder));

        http.csrf(AbstractHttpConfigurer::disable)
                .sessionManagement((sessionManagement) ->
                        sessionManagement.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                                .sessionFixation().changeSessionId())
                .authorizeHttpRequests((authorizeHttpRequests) ->
                        authorizeHttpRequests.requestMatchers("/index").permitAll()
                                .requestMatchers("/login").permitAll()
                                .anyRequest().authenticated()
                ).addFilterAt(mupaf, UsernamePasswordAuthenticationFilter.class
                )
                .logout((logout) ->
                        logout.deleteCookies("remove")
                                .invalidateHttpSession(false)
                                .logoutSuccessUrl("/index")
                );
        return http.build();
    }

服务器回答:

❯ curl -X POST http://localhost:8080/login -H 'Content-Type: application/json' -d '{"username":"admin","password":"pass"}' -i
HTTP/1.1 302
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Location: http://localhost:8080/
Content-Length: 0
Date: Sun, 08 Oct 2023 21:39:46 GMT

当我禁用过滤器响应是:

❯ curl -X POST http://localhost:8080/login\?username\=ADMIN\&password\=pass -i
HTTP/1.1 302
Set-Cookie: SESSION=40E7A645752D0AACFA52C79D5DEA10EF; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Location: http://localhost:8080/
Content-Length: 0
Date: Sun, 08 Oct 2023 21:41:20 GMT

安全配置看起来像这样:

public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.csrf(AbstractHttpConfigurer::disable)
                .sessionManagement((sessionManagement) ->
                        sessionManagement.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                                .sessionFixation().changeSessionId())
                .authorizeHttpRequests((authorizeHttpRequests) ->
                        authorizeHttpRequests.requestMatchers("/index").permitAll()
                                .requestMatchers("/login").permitAll()
                                .anyRequest().authenticated()
                ).formLogin((formLogin) ->
                        formLogin.defaultSuccessUrl("/success", true)
                                .failureHandler(customLoginFailureHandler)
                                .successHandler(customLoginSuccessHandler)
                )
                .logout((logout) ->
                        logout.deleteCookies("remove")
                                .invalidateHttpSession(false)
                                .logoutSuccessUrl("/index")
                );
        return http.build();
    }
hc2pp10m

hc2pp10m1#

CustomFilter mupaf = new CustomFilter();
    mupaf.setAuthenticationManager(authConfig.getAuthenticationManager());
    SecurityContextRepository securityContextRepository = http.getSharedObject(SecurityContextRepository.class);
    if (securityContextRepository == null) {
        mupaf.setSecurityContextRepository(new DelegatingSecurityContextRepository(new RequestAttributeSecurityContextRepository(), new HttpSessionSecurityContextRepository()));
    }

相关问题