Spring Boot & Spring Security not serving content from the /static folder

I am building a simple web application with Spring Boot and Spring Security. I have a custom filter that checks that the x-auth-token header is present and valid, and I have static content under the /src/main/resources/static folder. However, the URLs for the static content also pass through the custom filter, and token validation fails. Can anyone help me find the error in my configuration?
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private StatelessAuthenticationFilter statelessAuthenticationFilter;

    @Autowired
    private UserDetailsService userDetailsService;

    public SpringSecurityConfig() {
        // true = do not apply Spring Security's default configurers
        // (CSRF, headers, exception handling, anonymous, ...)
        super(true);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
                .anyRequest().authenticated().and()
            // Custom token-based authentication based on the header
            .addFilterBefore(statelessAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService());
    }

    @Override
    public UserDetailsService userDetailsService() {
        return userDetailsService;
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Only /auth bypasses the security filter chain
        web.ignoring().antMatchers("/auth");
    }

    // The filter is a @Component, so Spring Boot would also register it as a plain
    // servlet filter; this disables that registration so the filter only runs
    // inside the Spring Security chain.
    @Bean
    public FilterRegistrationBean filterRegistrationBean() {
        FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
        filterRegistrationBean.setEnabled(false);
        filterRegistrationBean.setFilter(statelessAuthenticationFilter);
        return filterRegistrationBean;
    }
}
Custom filter:
import java.io.IOException;
import java.util.Date;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.GenericFilterBean;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;

// AuthenticationException, AirlineError, Constants, JWTPayload, User, UserRepository and
// UserAuthentication are the project's own classes (not shown in the question).
@Component
public class StatelessAuthenticationFilter extends GenericFilterBean {

    @Value("${security.token.secret:asdfasdfasdf}")
    private String tokenSecret;

    @Autowired
    private UserRepository userRepository;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        logger.debug("stateless authentication filter");
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        try {
            String token = httpRequest.getHeader(Constants.X_AUTH_TOKEN_HEADER_NAME);
            if (!StringUtils.hasText(token)) {
                throw new AuthenticationException(AirlineError.AUTHENTICATION_AUTH_TOKEN_MISSING);
            }
            // parseClaimsJws verifies the HMAC signature and throws on a bad signature,
            // a malformed token or an already expired "exp" claim.
            Claims claims = Jwts.parser()
                    .setSigningKey(tokenSecret.getBytes())
                    .parseClaimsJws(token)
                    .getBody();
            JWTPayload jwtPayload = new JWTPayload();
            jwtPayload.setEmail(claims.get("email", String.class));
            // "exp" is in seconds; getExpiration() returns it as a Date, so compare Dates
            // instead of casting the raw claim (which is not necessarily a Long).
            Date exp = claims.getExpiration();
            if (exp == null || exp.before(new Date())) {
                throw new AuthenticationException(AirlineError.AUTHENTICATION_AUTH_TOKEN_EXPIRED);
            }
            jwtPayload.setExp(exp.getTime());
            User user = userRepository.findOne(jwtPayload.getEmail());
            if (user == null) {
                throw new IllegalStateException("no user for token subject " + jwtPayload.getEmail());
            }
            SecurityContextHolder.getContext().setAuthentication(new UserAuthentication(user.getEmail()));
        } catch (Exception e) {
            // Any authentication failure ends the request here with 401; the chain is not continued.
            httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Only authenticated requests continue; exceptions thrown downstream are no longer
        // swallowed and reported as 401.
        chain.doFilter(request, response);
    }
}
index.html is in the /src/main/resources/static folder, but it is not served when I open http://localhost:8080 in the browser.
Edit 1: I created a sample project on GitHub to reproduce the problem. Hope this helps:
https://github.com/mgooty/spring-boot-security
When I hit:
- http://localhost:8080 or http://localhost:8080/index.html I get
An Authentication object was not found in the SecurityContext
- http://localhost:8080/static/index.html I get a 404 error
Do you want to protect all of the static content?
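The comment above asks whether the static content should be protected at all; for public assets such as index.html the answer is normally no, and the configuration below shows how to express that. This is an added example, not code from the question or from the linked repository. Two things in the posted configuration keep the static files behind the token check: web.ignoring() excludes only /auth, so every other path enters the security filter chain, and the custom filter answers 401 itself whenever the header is absent, so a permitAll() rule inside authorizeRequests() would never be reached for those paths. Separately, Spring Boot serves src/main/resources/static/** at the context root, so the file is reachable at /index.html (and at / as the welcome page), not at /static/index.html, which is why that URL gives 404. The example keeps the asker's StatelessAuthenticationFilter and UserDetailsService, assumes Spring Boot 1.4+ with Spring Security 4.x (for the FilterRegistrationBean package and HttpStatusEntryPoint), and the static path patterns are assumptions that must match the project's real asset layout.

```java
// Added example (not from the question or the linked repository).
// Assumes Spring Boot 1.4+ and Spring Security 4.x; the static path patterns are assumptions.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    // Public assets only. Requests matching these patterns skip the whole security
    // filter chain, including the custom token filter, so nothing here may need a token.
    // (Assumed layout: index.html, css/, js/, images/ under src/main/resources/static.)
    private static final String[] PUBLIC_STATIC = {
            "/", "/index.html", "/favicon.ico", "/css/**", "/js/**", "/images/**"
    };

    @Autowired
    private StatelessAuthenticationFilter statelessAuthenticationFilter;

    @Autowired
    private UserDetailsService userDetailsService;

    // No super(true): keeping the default configurers keeps ExceptionTranslationFilter,
    // so a request without an Authentication becomes a 401 from the entry point instead of
    // an uncaught AuthenticationCredentialsNotFoundException. Unwanted defaults are
    // disabled explicitly in configure(HttpSecurity).

    @Override
    public void configure(WebSecurity web) throws Exception {
        // /auth issues the tokens, so it cannot require one; static assets are public.
        web.ignoring().antMatchers("/auth").antMatchers(PUBLIC_STATIC);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()   // the token travels in a header, not a cookie
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .exceptionHandling()
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)).and()
            .authorizeRequests()
                .anyRequest().authenticated().and()
            // Token check runs inside the chain, so only non-ignored paths reach it.
            .addFilterBefore(statelessAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }

    // Still required while the filter is a @Component: otherwise Boot also registers it as a
    // plain servlet filter that would run for every request, ignored static paths included.
    @Bean
    public FilterRegistrationBean statelessFilterRegistration() {
        FilterRegistrationBean registration = new FilterRegistrationBean(statelessAuthenticationFilter);
        registration.setEnabled(false);
        return registration;
    }
}
```

Two caveats. Paths under web.ignoring() get no Spring Security treatment at all, including the default security headers, so the list must contain only assets that are genuinely public; anything that must stay behind the token belongs in authorizeRequests() instead. And if some paths should be reachable both with and without a token (a public API next to a protected one), the filter itself has to change: when the header is absent it should simply call chain.doFilter() without setting an Authentication and let authorizeRequests() plus the entry point decide, rather than writing the 401 itself.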