I am creating a simple web application using Spring Boot and Spring Security. I have a custom filter that checks whether the x-auth-token is present and valid. I have static content under the /src/main/resources/static folder. However, the URLs pointing to the static content also go through the custom filter and cause the token validation to fail. Can anyone help with my configuration error?
Spring Boot & Spring Security not serving content from the /static folder
import org.springframework.beans.factory.annotation.Autowired;
// Spring Boot 1.4+ / 2.x package; earlier 1.x releases use org.springframework.boot.context.embedded
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private StatelessAuthenticationFilter statelessAuthenticationFilter;

    @Autowired
    private UserDetailsService userDetailsService;

    public SpringSecurityConfig() {
        // super(true) disables the adapter's default configuration
        // (anonymous authentication, exception translation, CSRF, headers, ...)
        super(true);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
                .anyRequest().authenticated().and()
            // Custom token based authentication based on the header
            .addFilterBefore(statelessAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService());
    }

    @Override
    public UserDetailsService userDetailsService() {
        return userDetailsService;
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Requests matching these patterns bypass the security filter chain entirely
        web.ignoring().antMatchers("/auth");
    }

    @Bean
    public FilterRegistrationBean filterRegistrationBean() {
        // The filter is a @Component, so Spring Boot would also register it as a plain
        // servlet filter for every URL; this disabled registration prevents that, leaving
        // it to run only where the security filter chain places it
        FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
        filterRegistrationBean.setEnabled(false);
        filterRegistrationBean.setFilter(statelessAuthenticationFilter);
        return filterRegistrationBean;
    }
}
Custom filter:
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.impl.DefaultJwtParser;
import org.joda.time.DateTime;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.GenericFilterBean;

// Constants, AirlineError, AuthenticationException, JWTPayload, User, UserRepository and
// UserAuthentication are the project's own classes (assumed to be in the same package)
@Component
public class StatelessAuthenticationFilter extends GenericFilterBean {

    // Signing secret read from the security.token.secret property; the value after the
    // colon is only the fallback used when the property is not set
    @Value("${security.token.secret:asdfasdfasdf}")
    private String tokenSecret;

    @Autowired
    private UserRepository userRepository;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        System.out.println("stateless authentication filter");
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        try {
            String token = httpRequest.getHeader(Constants.X_AUTH_TOKEN_HEADER_NAME);
            if (!StringUtils.hasText(token)) {
                throw new AuthenticationException(AirlineError.AUTHENTICATION_AUTH_TOKEN_MISSING);
            }
            JWTPayload jwtPayload = new JWTPayload();
            byte[] secret = tokenSecret.getBytes();
            DefaultJwtParser defaultJwtParser = new DefaultJwtParser();
            defaultJwtParser.setSigningKey(secret);
            // parseClaimsJws verifies the signature and already rejects an expired token
            Claims claims = defaultJwtParser.parseClaimsJws(token).getBody();
            jwtPayload.setEmail((String) claims.get("email"));
            // "exp" is stored as epoch seconds and deserialised as an Integer, so a cast to
            // Long fails; getExpiration() returns it as a Date in milliseconds
            jwtPayload.setExp(claims.getExpiration().getTime());
            if (new DateTime(jwtPayload.getExp()).isBeforeNow()) {
                throw new AuthenticationException(AirlineError.AUTHENTICATION_AUTH_TOKEN_EXPIRED);
            }
            User user = userRepository.findOne(jwtPayload.getEmail());
            SecurityContextHolder.getContext().setAuthentication(new UserAuthentication(user.getEmail()));
            chain.doFilter(request, response);
        } catch (Exception e) {
            // Any failure (missing header, bad signature, unknown user, ...) ends the request
            // with 401 and does not continue the chain
            httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }
}
index.html is in the /src/main/resources/static folder, but it is not served when I open http://localhost:8080 from the browser.
Edit 1: I created a sample project on GitHub to reproduce the problem. Hope this helps:
https://github.com/mgooty/spring-boot-security
When I hit:
- http://localhost:8080 or http://localhost:8080/index.html I get
An Authentication object was not found in the SecurityContext
- http://localhost:8080/static/index.html I get a 404 error
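Added example, not the asker's code nor an answer from the thread: a variant of the security configuration that keeps the token filter on the API but exempts only the public static assets. It assumes Spring Boot 1.x with WebSecurityConfigurerAdapter, that the StatelessAuthenticationFilter bean and the disabled FilterRegistrationBean from the question are still present, and that the static files sit under src/main/resources/static (which Boot serves at "/", not under "/static/").

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Example configuration (assumed class name); the filter type is the one from the question
@Configuration
public class StaticAwareSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private StatelessAuthenticationFilter statelessAuthenticationFilter;

    // No super(true) here: the adapter's defaults (anonymous authentication, exception
    // translation) stay in place, so an unauthenticated request that reaches
    // authorizeRequests() gets a proper 401/403 instead of
    // "An Authentication object was not found in the SecurityContext"

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Requests matching these patterns never enter the security filter chain, so the
        // token filter is not run for them. Boot maps static/index.html to "/" and
        // "/index.html"; "/static/index.html" is not a served path, hence the 404.
        // Keep this list limited to public assets; the API stays behind the filter.
        web.ignoring().antMatchers("/", "/index.html", "/favicon.ico",
                "/css/**", "/js/**", "/images/**", "/auth");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // the token travels in a custom header, not a cookie, so CSRF protection
            // adds nothing for this stateless API
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
                // CORS preflight requests carry no token; everything else must be authenticated
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .anyRequest().authenticated().and()
            .addFilterBefore(statelessAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
```

With this in place, opening http://localhost:8080 or http://localhost:8080/index.html serves the file without the filter printing "stateless authentication filter", while any other path still requires the x-auth-token header.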
Do you want to protect all of the static content? –