在我的旧项目中,我使用了这个配置:
@Configuration
@EnableWebSecurity
@Import(WebMvcConfig.class)
@PropertySource(value = { "classpath:config.properties" }, encoding = "UTF-8", ignoreResourceNotFound = false)
public class WebSecWebSecurityCfg extends WebSecurityConfigurerAdapter
{
private UserDetailsService userDetailsService;
@Autowired
@Qualifier("objectMapper")
private ObjectMapper mapper;
@Autowired
@Qualifier("passwordEncoder")
private PasswordEncoder passwordEncoder;
@Autowired
private Environment env;
public WebSecWebSecurityCfg(UserDetailsService userDetailsService)
{
this.userDetailsService = userDetailsService;
}
@Override
protected void configure(HttpSecurity http) throws Exception
{
JWTAuthorizationFilter authFilter = new JWTAuthorizationFilter
( authenticationManager(),
env.getProperty("config.secret.symmetric.key"),
env.getProperty("config.jwt.header.string"),
env.getProperty("config.jwt.token.prefix")
);
JWTAuthenticationFilter authenticationFilter = new JWTAuthenticationFilter
(
authenticationManager(),
env.getProperty("config.secret.symmetric.key"),
Long.valueOf(env.getProperty("config.jwt.token.duration")),
env.getProperty("config.jwt.header.string"),
env.getProperty("config.jwt.token.prefix"),
mapper
);
http
.cors()
.and()
.csrf()
.disable()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.addFilter(authenticationFilter)
.addFilter(authFilter)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception
{
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
}
@Bean
CorsConfigurationSource corsConfigurationSource()
{
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
return source;
}
}
JWTAuthorizationFilter
是什么:
public class JWTAuthorizationFilter extends BasicAuthenticationFilter
{
private static final Logger logger = LoggerFactory.getLogger(JWTAuthenticationFilter.class.getName());
private String secretKey;
private String headerString;
private String tokenPrefix;
public JWTAuthorizationFilter(AuthenticationManager authenticationManager, AuthenticationEntryPoint authenticationEntryPoint, String secretKey, String headerString, String tokenPrefix)
{
super(authenticationManager, authenticationEntryPoint);
this.secretKey = secretKey;
this.headerString = headerString;
this.tokenPrefix = tokenPrefix;
}
public JWTAuthorizationFilter(AuthenticationManager authenticationManager, String secretKey, String headerString, String tokenPrefix)
{
super(authenticationManager);
this.secretKey = secretKey;
this.headerString = headerString;
this.tokenPrefix = tokenPrefix;
}
@Override
protected void onUnsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException
{
AuthenticationErrorEnum customErrorCode = null;
StringBuilder builder = new StringBuilder();
if( failed.getCause() instanceof MissingJwtTokenException )
{
customErrorCode = AuthenticationErrorEnum.TOKEN_JWT_MANCANTE;
}
else if( failed.getCause() instanceof ExpiredJwtException )
{
customErrorCode = AuthenticationErrorEnum.TOKEN_JWT_SCADUTO;
}
else if( failed.getCause() instanceof MalformedJwtException )
{
customErrorCode = AuthenticationErrorEnum.TOKEN_JWT_NON_CORRETTO;
}
else if( failed.getCause() instanceof MissingUserSubjectException )
{
customErrorCode = AuthenticationErrorEnum.TOKEN_JWT_NESSUN_UTENTE_TROVATO;
}
else if( ( failed.getCause() instanceof GenericJwtAuthorizationException ) || ( failed.getCause() instanceof Exception ) )
{
customErrorCode = AuthenticationErrorEnum.ERRORE_GENERICO;
}
builder.append("Errore duranre l'autorizzazione. ");
builder.append(failed.getMessage());
JwtAuthApiError apiError = new JwtAuthApiError(HttpStatus.UNAUTHORIZED, failed.getMessage(), Arrays.asList(builder.toString()), customErrorCode);
String errore = ( new ObjectMapper() ).writeValueAsString(apiError);
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
response.sendError(HttpStatus.UNAUTHORIZED.value(), errore);
request.setAttribute(IRsConstants.API_ERROR_REQUEST_ATTR_NAME, apiError);
}
JWTAuthenticationFilter
是什么?
public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter
{
private AuthenticationManager authenticationManager;
private String secretKey;
private long tokenDurationMillis;
private String headerString;
private String tokenPrefix;
private ObjectMapper mapper;
@Override
protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException
{
AuthenticationErrorEnum customErrorCode = null;
StringBuilder builder = new StringBuilder();
if( failed instanceof BadCredentialsException )
{
customErrorCode = AuthenticationErrorEnum.CREDENZIALI_SERVIZIO_ERRATE;
}
else
{
customErrorCode = AuthenticationErrorEnum.ERRORE_GENERICO;
}
builder.append("Errore durante l'autenticazione del servizio. ");
builder.append(failed.getMessage());
JwtAuthApiError apiError = new JwtAuthApiError(HttpStatus.UNAUTHORIZED, failed.getMessage(), Arrays.asList(builder.toString()), customErrorCode);
String errore = mapper.writeValueAsString(apiError);
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
response.sendError(HttpStatus.UNAUTHORIZED.value(), errore);
request.setAttribute(IRsConstants.API_ERROR_REQUEST_ATTR_NAME, apiError);
}
public JWTAuthenticationFilter(AuthenticationManager authenticationManager, String secretKey, long tokenDurationMillis, String headerString, String tokenPrefix, ObjectMapper mapper)
{
super();
this.authenticationManager = authenticationManager;
this.secretKey = secretKey;
this.tokenDurationMillis = tokenDurationMillis;
this.headerString = headerString;
this.tokenPrefix = tokenPrefix;
this.mapper = mapper;
}
@Override
public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res) throws AuthenticationException
{
try
{
ServiceLoginDto creds = new ObjectMapper().readValue(req.getInputStream(), ServiceLoginDto.class);
return authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(creds.getCodiceServizio(), creds.getPasswordServizio(), new ArrayList<>()));
}
catch (IOException e)
{
throw new RuntimeException(e);
}
}
@Override
protected void successfulAuthentication(HttpServletRequest req, HttpServletResponse res, FilterChain chain, Authentication auth) throws IOException, ServletException
{
DateTime dt = new DateTime();
Date expirationTime = dt.plus(getTokenDurationMillis()).toDate();
String token = Jwts
.builder()
.setSubject(((User) auth.getPrincipal()).getUsername())
.setExpiration(expirationTime)
.signWith(SignatureAlgorithm.HS512, getSecretKey().getBytes())
.compact();
res.addHeader(getHeaderString(), getTokenPrefix() + token);
res.addHeader("jwtExpirationDate", expirationTime.toString());
res.addHeader("jwtTokenDuration", String.valueOf(TimeUnit.MILLISECONDS.toMinutes(getTokenDurationMillis()))+" minuti");
}
public String getSecretKey()
{
return secretKey;
}
public void setSecretKey(String secretKey)
{
this.secretKey = secretKey;
}
public long getTokenDurationMillis()
{
return tokenDurationMillis;
}
public void setTokenDurationMillis(long tokenDurationMillis)
{
this.tokenDurationMillis = tokenDurationMillis;
}
public String getHeaderString()
{
return headerString;
}
public void setHeaderString(String headerString)
{
this.headerString = headerString;
}
public String getTokenPrefix()
{
return tokenPrefix;
}
public void setTokenPrefix(String tokenPrefix)
{
this.tokenPrefix = tokenPrefix;
}
}
用户详细信息是一个经典的用户服务详细信息
@Service
public class UserDetailsServiceImpl implements UserDetailsService
{
@Autowired
private IServizioService service;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException
{
Service svc;
try
{
svc = service.findBySvcCode(username);
}
catch (DbException e)
{
throw new UsernameNotFoundException("Errore durante il processo di autenticazione; "+e.getMessage(), e);
}
if (svc == null)
{
throw new UsernameNotFoundException("Nessun servizio trovato per il codice servizio "+username);
}
else if( !svc.getAbilitato().booleanValue() )
{
throw new UsernameNotFoundException("Servizio "+username+" non abilitato");
}
return new User(svc.getCodiceServizio(), svc.getPasswordServizio(), Collections.emptyList());
}
}
请注意,我没有使用Spring Webflux。
希望这对你有用。
安吉洛。
ServerSecurityContextRepository#load
返回Mono<SecurityContext>
,因此您应该返回Mono.just(new SecurityContextImpl(authentication))
。 - SaljackServerHttpSecurity.build()
方法的实现,发现ReactiveAuthenticationManager
仅在HttpBasic和FromLogin中使用,如果您禁用它,则永远不会被调用。因此,创建一个ReactiveAuthenticationManager
是没有意义的。如果您想要使用它,您需要注册一个带有您的ReactiveAuthenticationManager
的AuthenticationWebFilter
。如果我有错误,请纠正我。 - SaljackUsernamePasswordAuthenticationToken
中检查代码,其中在构造函数中有super.setAuthenticated(true);
。 - Saljack