2016-09-15

Spring Security REST token authentication - filter does not run

I am building a REST application using Spring 4 and Java configs (without any XML files).

Here is some of the actual code:

public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer { 

    @Override 
    protected String[] getServletMappings() { 
     return new String[]{"/"}; 
    } 

    @Override 
    protected Class<?>[] getRootConfigClasses() { 
     return new Class<?>[] {ApplicationConfig.class}; 
    } 

    @Override 
    protected Class<?>[] getServletConfigClasses() { 
     return null; 
    } 
} 

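Besides that, I secure the web service with token authentication, so I have a filter that handles the token, gets the user for that token, and puts the user object into the SecurityContext. Here is some of the filter's code: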

@Component
public class AuthenticationTokenFilter extends UsernamePasswordAuthenticationFilter {

    private String tokenHeader = "X-Auth-Token";

    @Autowired
    private TokenUtils tokenUtils;

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    @Autowired
    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        super.setAuthenticationManager(authenticationManager);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String authToken = httpRequest.getHeader(this.tokenHeader);
        String username = this.tokenUtils.getUsernameFromToken(authToken);

        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
            if (this.tokenUtils.validateToken(authToken, userDetails)) {
                UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
                authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpRequest));
                SecurityContextHolder.getContext().setAuthentication(authentication);
            }
        }

        chain.doFilter(request, response);
    }

}

I am using Spring Security, and here is my WebSecurityConfigurerAdapter:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private EntryPointUnauthorizedHandler unauthorizedHandler;

    @Autowired
    private AuthenticationTokenFilter authTokenFilter;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .csrf()
                .disable()
            .exceptionHandling()
                .authenticationEntryPoint(this.unauthorizedHandler)
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers("/auth/**").permitAll()
                .anyRequest().authenticated();

        httpSecurity
            .addFilterBefore(authTokenFilter, UsernamePasswordAuthenticationFilter.class);
    }

}

My problem is that the filter's doFilter() does not run. Any help? Note: using Spring Boot is not an option. I want to do this without Spring Boot auto-configuration.

Answer

1

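You are not adding the component to the filters; it is created as a plain object via reflection somewhere in the ServletContext, which knows nothing about Spring. If you use Spring Security, you can add the filter to the security configuration's SpringSecurityFilterChain: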

@EnableWebSecurity 
@Configuration 
public class SecurityConfig extends WebSecurityConfigurerAdapter { 

    @Autowired 
    private YourFilter yourFilter; 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 
     http 
      .addFilterBefore(yourFilter, UsernamePasswordAuthenticationFilter.class); 
    } 
} 
+0

If you do not use Spring Security, you may want to create a filter as a chain of responsibility and add your filter beans to it.

+0

Should I also remove the @Component annotation from my filter?

+0

If you want your filter to be a bean and want its fields autowired, it should of course still be annotated with @Component =)
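
Added example, not code from the question or the answer: in a Java-config setup without Spring Boot, the chain built by WebSecurityConfigurerAdapter (including filters added with addFilterBefore) only receives requests if the servlet container has a DelegatingFilterProxy named springSecurityFilterChain registered. The class name SecurityWebApplicationInitializer is an assumption, and the example assumes WebSecurityConfiguration is loaded into the root context (for example scanned or imported by ApplicationConfig).

```java
import java.util.Collection;
import java.util.logging.Logger;

import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

/**
 * Added example: the class name is an assumption, not from the question.
 * A Servlet 3.0+ container discovers this class the same way it discovers
 * WebAppInitializer (through Spring's SpringServletContainerInitializer).
 */
public class SecurityWebApplicationInitializer
        extends AbstractSecurityWebApplicationInitializer {

    private static final Logger LOG =
            Logger.getLogger(SecurityWebApplicationInitializer.class.getName());

    // No-arg constructor: no extra context is created here. The proxy resolves
    // the "springSecurityFilterChain" bean from the root context, so the
    // @EnableWebSecurity class must be reachable from getRootConfigClasses().

    @Override
    protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
        // Runs after the base class has registered the DelegatingFilterProxy.
        FilterRegistration reg =
                servletContext.getFilterRegistration(DEFAULT_FILTER_NAME);
        Collection<String> patterns =
                (reg == null) ? null : reg.getUrlPatternMappings();

        // Fail closed: refuse to start if the chain would not see every request.
        if (patterns == null || !patterns.contains("/*")) {
            throw new IllegalStateException(DEFAULT_FILTER_NAME
                    + " is not mapped to /*; requests would bypass Spring Security");
        }
        LOG.info(DEFAULT_FILTER_NAME + " registered for " + patterns);
    }
}
```

If the security configuration lives in the dispatcher servlet's context instead of the root context, the proxy will not find the bean at the first request and startup logging alone will not reveal it, so keep the configuration in the root context as assumed here.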