Java 安全状态 403

问题描述 投票:0回答:1

我已经配置了基于 JWT 令牌和角色的简单安全性。我在邮递员中进行了测试,每个请求的状态都是 403 禁止。我不知道是什么阻止了我的请求,因为即使我评论每个过滤器并只留下 PermitAll,它每次仍然显示 403。

安全配置代码:

@Configuration
@RequiredArgsConstructor
public class SpringSecurityConfig {

    @Value("${jwt.secret}")
    private String jwtSecret;

    @Value("${jwt.issuer}")
    private String jwtIssuer;

    @Bean
    public JWTVerifier jwtVerifier() {
        Algorithm algorithm = Algorithm.HMAC256(jwtSecret);
        return JWT.require(algorithm)
                .withIssuer(jwtIssuer)
                .build();
    }
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests((requests) -> requests
                        .requestMatchers("/api/users/**").permitAll()
                        //.requestMatchers("/api/librarian/**").hasAnyRole("librarian", "programmer")
                        //.requestMatchers("/api/reader/**").hasAnyRole("reader", "programmer")
                        //.anyRequest().authenticated()

                )
                .cors(Customizer.withDefaults())
                .csrf(Customizer.withDefaults());

        //http.addFilterBefore(new JWTFilter(jwtVerifier()), UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }

}

JWT 令牌过滤器代码:

@AllArgsConstructor
public class JWTFilter extends UsernamePasswordAuthenticationFilter {
    private final JWTVerifier jwtVerifier;


    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String token = extractToken(request);

        if (token != null) {
            try {
                DecodedJWT jwt = jwtVerifier.verify(token);

                Authentication authentication = createAuthenticationFromToken(jwt);

                SecurityContextHolder.getContext().setAuthentication(authentication);
            } catch (JWTVerificationException e) {
            }
        }

        chain.doFilter(request, response);
    }
    private Authentication createAuthenticationFromToken(DecodedJWT jwt) {
        String username = jwt.getClaim("username").asString();
        List<SimpleGrantedAuthority> authorities = jwt.getClaim("roles")
                .asList(String.class)
                .stream()
                .map(SimpleGrantedAuthority::new)
                .toList();

        return new UsernamePasswordAuthenticationToken(username, null, authorities);
    }

    // Extract the JWT token from the request
    private String extractToken(HttpServletRequest request) {
         String token = request.getHeader("Authorization");
        return null;
    }
}
java spring security jwt
1个回答
0
投票

可能是因为在您的方法中

extractToken
您提取了
token
但返回了
null

对于未来的问题,请提供一些 JUnit 测试,或您通过 Postman 发送的请求。此外,spring-security DEBUG 日志也会很有帮助。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.