
我使用基於令牌（token）的授權。遇到的問題是：認證後我取得令牌，接著我手動、快速且反覆地向伺服器發送不帶令牌的請求，有時伺服器仍然回傳已授權的資料。造成這種情況的是 SecurityContextHolder——令牌根本沒有被送到伺服器，而且我已經把會話設定為 STATELESS，卻不知道認證資訊為何會出現在那裏。簡言之：基於令牌的身份驗證下，SecurityContextHolder 有時不為空。

這裏是我的配置:

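/**
 * Spring Security configuration for a stateless, token-authenticated API.
 * <p>
 * Compared with the posted version, the blanket {@code antMatchers("/**").permitAll()}
 * rule has been dropped: matchers are evaluated in declaration order, so a
 * {@code /**} permit-all placed before {@code anyRequest().authenticated()} made
 * both that rule and the {@code /auth/**} rule unreachable, i.e. every request was
 * allowed through whether or not it carried a token. If unrestricted access was in
 * fact intended, remove the {@code authenticated()} rule instead so the
 * configuration states a single policy.
 */
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Loads users for the DAO authentication provider. */
    @Autowired
    private UserDetailsService userDetailsService;

    /** Invoked when an unauthenticated request reaches a protected resource. */
    @Autowired
    private AuthenticationEntryPoint authenticationEntryPoint;

    /** Invoked when an authenticated principal lacks the required authority. */
    @Autowired
    private AccessDeniedHandler accessDeniedHandler;

    /**
     * Registers the user-details service and the BCrypt encoder with the global
     * authentication manager.
     *
     * @param authenticationManagerBuilder builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configureAuthentication(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder
            .userDetailsService(this.userDetailsService)
            .passwordEncoder(passwordEncoder());
    }

    /** @return the encoder used for stored password hashes (BCrypt) */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Exposes the configured {@link AuthenticationManager} as a bean so the token
     * filter can be wired with it.
     *
     * @throws Exception propagated from the parent configurer
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Builds the per-request token filter.
     * <p>
     * NOTE(review): exposing a {@code Filter} subclass as a {@code @Bean} may also
     * get it auto-registered with the servlet container (Spring Boot behaviour),
     * in which case the same filter runs once inside the security chain and once
     * outside it — confirm; if so, register it via a {@code FilterRegistrationBean}
     * with {@code setEnabled(false)} so only the security-chain copy runs.
     *
     * @throws Exception propagated from {@link #authenticationManagerBean()}
     */
    @Bean
    public AuthenticationTokenFilter authenticationTokenFilterBean() throws Exception {
        AuthenticationTokenFilter authenticationTokenFilter = new AuthenticationTokenFilter();
        authenticationTokenFilter.setAuthenticationManager(authenticationManagerBean());
        return authenticationTokenFilter;
    }

    /**
     * HTTP security: no session, no CSRF token, no HTTP Basic; authentication
     * comes solely from the token filter, and everything outside {@code /auth/**}
     * (plus CORS pre-flight) requires an authenticated principal.
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            // CSRF protection is session-bound; it has no meaning for a stateless token API.
            .csrf().disable()
            .httpBasic().disable()
            // The token filter takes the slot of the form-login filter in the chain.
            .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class)
            .sessionManagement()
                // Never create or read an HttpSession: the SecurityContext exists only
                // for the duration of the current request.
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint)
                .accessDeniedHandler(accessDeniedHandler)
            .and()
            .authorizeRequests()
                // CORS pre-flight requests carry no token.
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                // Login / token-issuing endpoints must be reachable without a token.
                .antMatchers("/auth/**").permitAll()
                // Matchers apply in order: keep this as the final, catch-all rule and do
                // not place a "/**" permitAll above it, or it becomes unreachable.
            .anyRequest().authenticated();
    }
}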

AuthenticationTokenFilter

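/**
 * Reads the token from the {@code Constants.tokenHeader} request header and, when
 * it validates, places the corresponding user in the {@link SecurityContextHolder}
 * for the rest of the request. Also emits permissive CORS headers on every response.
 * <p>
 * Behaviour is unchanged from the posted version; the body is split into helpers
 * and documented. The filter never short-circuits the chain: an absent or invalid
 * token simply leaves the context untouched and lets the authorization rules decide.
 */
public class AuthenticationTokenFilter extends UsernamePasswordAuthenticationFilter {

    /** Extracts the username from a token and validates the token against a user. */
    @Autowired
    private TokenUtils tokenUtils;

    /** Loads the user named in the token so its authorities can be attached. */
    @Autowired
    private UserDetailsService userDetailsService;

    /**
     * Adds CORS headers, authenticates from the token if one is present and the
     * context is still empty, then continues the chain.
     *
     * @param request  servlet request; cast to {@link HttpServletRequest}
     * @param response servlet response; cast to {@link HttpServletResponse}
     * @param chain    remaining filter chain, always invoked
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        resolveCollaborators();

        HttpServletResponse httpResponse = (HttpServletResponse) response;
        HttpServletRequest httpRequest = (HttpServletRequest) request;

        addCorsHeaders(httpResponse);
        authenticateFromToken(httpRequest);

        chain.doFilter(request, response);
    }

    /**
     * Looks the collaborators up from the web application context on every request.
     * <p>
     * NOTE(review): the filter is instantiated with {@code new} in the security
     * configuration, which is presumably why the original code fetched the beans
     * here instead of relying on the {@code @Autowired} fields — confirm whether
     * field injection actually runs for this instance; if it does, this lookup is
     * redundant and the fields can be left as injected.
     */
    private void resolveCollaborators() {
        this.tokenUtils = WebApplicationContextUtils
            .getRequiredWebApplicationContext(this.getServletContext())
            .getBean(TokenUtils.class);
        this.userDetailsService = WebApplicationContextUtils
            .getRequiredWebApplicationContext(this.getServletContext())
            .getBean(UserDetailsService.class);
    }

    /**
     * Sets permissive CORS response headers. The wildcard origin is only acceptable
     * because no {@code Access-Control-Allow-Credentials} header is sent; the token
     * travels in the custom header named by {@code Constants.tokenHeader}, which is
     * therefore listed as an allowed request header.
     *
     * @param resp response to decorate
     */
    private static void addCorsHeaders(HttpServletResponse resp) {
        resp.setHeader("Access-Control-Allow-Origin", "*");
        resp.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT, OPTIONS, DELETE, PATCH");
        resp.setHeader("Access-Control-Max-Age", "3600");
        resp.setHeader("Access-Control-Allow-Headers",
            "Origin, X-Requested-With, Content-Type, Accept, " + Constants.tokenHeader);
    }

    /**
     * Populates the security context from the request's token, if any.
     * <p>
     * The context is left untouched when the header is absent, the token yields no
     * username, the context already holds an authentication, or the token fails
     * validation.
     * <p>
     * NOTE(review): the "context already populated" short-circuit trusts whatever is
     * in the holder without re-validating the token. With a STATELESS policy the
     * holder should be empty when this filter runs; if it is ever found non-empty
     * (the symptom reported with this code), that stale value is kept rather than
     * replaced — consider validating whenever a token is present, and look for
     * where the context is being populated outside the security chain.
     * <p>
     * NOTE(review): {@code loadUserByUsername} may throw for a token naming a user
     * that no longer exists; that would surface as a server error rather than an
     * authentication failure — confirm and handle if that is not acceptable.
     *
     * @param httpRequest request whose token header is inspected
     */
    private void authenticateFromToken(HttpServletRequest httpRequest) {
        String authToken = httpRequest.getHeader(Constants.tokenHeader);
        if (authToken == null) {
            return;
        }
        Authentication existing = SecurityContextHolder.getContext().getAuthentication();
        String username = this.tokenUtils.getUsernameFromToken(authToken);
        if (username == null || existing != null) {
            return;
        }
        UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
        if (!this.tokenUtils.validateToken(authToken, userDetails)) {
            return;
        }
        // Credentials are deliberately null: the token has already proven identity.
        UsernamePasswordAuthenticationToken authentication =
            new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
        authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpRequest));
        SecurityContextHolder.getContext().setAuthentication(authentication);
    }
}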
