3 Answers
Contributed 1829 experience points, received 13+ upvotes
Based on your requirements, you really don't need multiple HTTP security configurations until you use multiple kinds of authentication on multiple paths (for example, for some paths you want JWT and for some paths you want Basic auth or OAuth2).
So delete SecurityCredentialsConfig and update WebSecurity to the following, and you should be fine.
// Imports added for completeness. JwtConfig, UserDetailsServiceImpl,
// JwtTokenAuthenticationFilter and JwtUsernameAndPasswordAuthenticationFilter
// are the asker's own classes (assumed to live in the same package).
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
// Enable Spring Security config. debug = true logs every request's filter chain and
// headers (including Authorization), so keep it only while troubleshooting.
@EnableWebSecurity(debug = true)
public class WebSecurity extends WebSecurityConfigurerAdapter {

    @Autowired
    private JwtConfig jwtConfig;

    @Autowired
    private UserDetailsServiceImpl userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No cookie-based session, so CSRF protection is not needed for this API.
            .csrf().disable()
            // Make sure we use a stateless session; the session won't be used to store the user's state.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Authorization request config.
            .authorizeRequests()
                // Allow everyone to reach the "auth" (login) endpoint.
                .antMatchers(HttpMethod.POST, jwtConfig.getUri()).permitAll()
                // Must be an admin to access the admin area (authentication is also required here).
                // hasAuthority("ADMIN") matches a granted authority literally named "ADMIN";
                // hasRole("ADMIN") would look for "ROLE_ADMIN" instead.
                .antMatchers("/v1/cooks/**").hasAuthority("ADMIN")
                // For other URIs:
                // .antMatchers(HttpMethod.GET, "/v1/**").hasRole("USER")
                // Any other request must be authenticated.
                .anyRequest().authenticated()
            .and()
            // Handle unauthorized attempts: answer 401 instead of redirecting to a login page.
            .exceptionHandling()
                .authenticationEntryPoint((req, rsp, e) -> rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED))
            .and()
            // Add a filter to validate the token on every request.
            .addFilterAfter(new JwtTokenAuthenticationFilter(jwtConfig), UsernamePasswordAuthenticationFilter.class)
            // Login filter; addFilter() only accepts a filter whose type is already known to the
            // chain, so this one is assumed to extend UsernamePasswordAuthenticationFilter.
            .addFilter(new JwtUsernameAndPasswordAuthenticationFilter(authenticationManager(), jwtConfig));
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
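The answer above says that multiple HttpSecurity configurations are only needed when different paths use different authentication mechanisms. The following added example (not from the original answer or the asker's project) shows what that case looks like in Spring Security 5.x: two ordered WebSecurityConfigurerAdapter chains, JWT for /v1/** and HTTP Basic for /admin/**, plus a fail-closed catch-all. It reuses the asker's JwtConfig, UserDetailsServiceImpl and JwtTokenAuthenticationFilter from the thread; the package name and the /admin/** prefix are assumptions.

```java
// Added example, not code from the original answer. Assumes Spring Security 5.x and
// the asker's JwtConfig, UserDetailsServiceImpl and JwtTokenAuthenticationFilter.
package com.example.security; // package name is an assumption

import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /** Chain 1 (highest precedence): stateless JWT for the API and its login endpoint. */
    @Configuration
    @Order(1)
    public static class ApiJwtChain extends WebSecurityConfigurerAdapter {
        @Autowired private JwtConfig jwtConfig;
        @Autowired private UserDetailsServiceImpl userDetailsService;
        @Autowired private BCryptPasswordEncoder passwordEncoder;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // requestMatchers() scopes this whole HttpSecurity; anything else falls
                // through to the next @Order chain instead of being rejected here.
                .requestMatchers().antMatchers("/v1/**", jwtConfig.getUri()).and()
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests()
                    .antMatchers(HttpMethod.POST, jwtConfig.getUri()).permitAll()
                    .antMatchers("/v1/cooks/**").hasAuthority("ADMIN")
                    .anyRequest().authenticated()
                .and()
                .exceptionHandling()
                    .authenticationEntryPoint((req, rsp, e) -> rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED))
                .and()
                .addFilterAfter(new JwtTokenAuthenticationFilter(jwtConfig), UsernamePasswordAuthenticationFilter.class);
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
        }
    }

    /** Chain 2: HTTP Basic for an operator console under /admin/** (prefix is an assumption). */
    @Configuration
    @Order(2)
    public static class AdminBasicChain extends WebSecurityConfigurerAdapter {
        @Autowired private UserDetailsServiceImpl userDetailsService;
        @Autowired private BCryptPasswordEncoder passwordEncoder;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/admin/**")
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests()
                    .anyRequest().hasRole("ADMIN") // expects authority "ROLE_ADMIN"
                .and()
                .httpBasic();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
        }
    }

    /** Chain 3 (lowest precedence): a request matching no chain would otherwise be served
     *  without any security filter at all, so deny by default and open paths explicitly. */
    @Configuration
    @Order(3)
    public static class CatchAllChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().denyAll();
        }
    }
}
```

The ordering matters: Spring Security picks the first chain whose request matcher accepts the request, so the narrower chains go first and the catch-all last. Each adapter builds its own AuthenticationManager, which is why both authenticated chains repeat the configure(AuthenticationManagerBuilder) wiring against the same UserDetailsServiceImpl and encoder bean.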
Contributed 1827 experience points, received 9+ upvotes
Try adding this in your WebSecurity class, on the line:
.antMatchers("/v1/cooks/**").access("hasRole('ADMIN')")
Please, if you can provide the logs and the versions of Spring Boot and the security dependencies, that would help us a lot.
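Whether hasRole('ADMIN') or hasAuthority("ADMIN") matches depends on the exact authority strings the UserDetailsService puts on the principal, which is the usual reason one of the two silently fails. The following added example (not the answerer's code) is a UserDetailsServiceImpl that makes that mapping explicit, with constructed in-memory users instead of a real user store; the helper grantsRole() checks the same "ROLE_" prefix that hasRole() applies.

```java
// Added example, not from the original answer. Users below are constructed sample data.
package com.example.security; // package name is an assumption

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;

@Service
public class UserDetailsServiceImpl implements UserDetailsService {

    /** Constructed sample store: username -> BCrypt hash. A real service would query a DB. */
    private static final Map<String, String> PASSWORD_HASHES = new HashMap<>();
    private static final Map<String, String[]> ROLES = new HashMap<>();
    static {
        BCryptPasswordEncoder enc = new BCryptPasswordEncoder();
        PASSWORD_HASHES.put("alice", enc.encode("alice-pw")); // sample credentials only
        ROLES.put("alice", new String[] {"ADMIN"});
        PASSWORD_HASHES.put("bob", enc.encode("bob-pw"));
        ROLES.put("bob", new String[] {"USER"});
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String hash = PASSWORD_HASHES.get(username);
        if (hash == null) {
            throw new UsernameNotFoundException("no such user: " + username);
        }
        return User.withUsername(username)
                .password(hash) // must be a BCrypt hash to match the BCryptPasswordEncoder bean
                // .roles("ADMIN") stores "ROLE_ADMIN", matched by hasRole("ADMIN") and
                // access("hasRole('ADMIN')"). Use .authorities("ADMIN") instead if the
                // rules use hasAuthority("ADMIN"); the two spellings do not cross-match.
                .roles(ROLES.getOrDefault(username, new String[0]))
                .build();
    }

    /** Same check hasRole() performs: the authority "ROLE_" + role must be present. */
    public static boolean grantsRole(UserDetails user, String role) {
        String wanted = "ROLE_" + role;
        for (GrantedAuthority ga : user.getAuthorities()) {
            if (wanted.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        UserDetailsServiceImpl svc = new UserDetailsServiceImpl();
        UserDetails alice = svc.loadUserByUsername("alice");
        System.out.println("alice authorities: " + alice.getAuthorities()); // [ROLE_ADMIN]
        System.out.println("alice hasRole(ADMIN): " + grantsRole(alice, "ADMIN")); // true
        UserDetails bob = svc.loadUserByUsername("bob");
        System.out.println("bob hasRole(ADMIN): " + grantsRole(bob, "ADMIN")); // false
        System.out.println(Collections.singletonList(bob.getAuthorities())); // [[ROLE_USER]]
    }
}
```

With this service, the original answer's hasAuthority("ADMIN") rule would reject alice because her authority is "ROLE_ADMIN", while the second answer's access("hasRole('ADMIN')") would accept her; pick one convention for both the rules and the UserDetails builder.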