我在 Spring Boot 应用程序中使用 Spring Security 进行基本和 oauth2 登录。我只是分享所有安全过滤器链。我还创建了所有其他必需的 bean,例如 BCrypt、JwtDecoder 和 JwtEncoder。所有必要的注释也都存在。还要指出您发现的任何其他错误。这是我的 SecurityConfig 文件:
public class SecurityConfig {
private final RSAKeyRecord rsaKeyRecord;
private final JwtTokenUtils jwtTokenUtils;
private final RefreshTokenRepository refreshTokenRepository;
private final UserLogoutHandler logoutHandlerService;
private final UserInfoService userInfoService;
private final GoogleOAuth2Service googleOAuth2Service;
@Bean
@Order(1)
public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
return httpSecurity
.securityMatcher(new AntPathRequestMatcher("/ping/**"))
.csrf(AbstractHttpConfigurer::disable)
.cors(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(registry -> {
registry.requestMatchers(new AntPathRequestMatcher("/ping/**")).permitAll();
registry.anyRequest().permitAll();
})
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.httpBasic(withDefaults())
.build();
}
@Bean
@Order(2)
public SecurityFilterChain signInSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
return httpSecurity
.securityMatcher(new AntPathRequestMatcher(ApiEndPoint.SecurePaths.SIGN_IN))
.csrf(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
.userDetailsService(userInfoService)
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.exceptionHandling(ex -> ex.authenticationEntryPoint((request, response, authException) ->
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage())))
.httpBasic(withDefaults())
.build();
}
@Bean
@Order(3)
public SecurityFilterChain apiSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
return httpSecurity
.securityMatcher(new AntPathRequestMatcher(ApiEndPoint.SecurePaths.API))
.csrf(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
.oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()))
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.addFilterBefore(new JwtAccessTokenFilter(rsaKeyRecord, jwtTokenUtils), UsernamePasswordAuthenticationFilter.class)
.exceptionHandling(ex -> {
log.error("SecurityConfig :: apiSecurityFilterChain Exception due to :{}", ex);
ex.authenticationEntryPoint(new BearerTokenAuthenticationEntryPoint());
ex.accessDeniedHandler(new BearerTokenAccessDeniedHandler());
})
.httpBasic(withDefaults())
.build();
}
@Bean
@Order(4)
public SecurityFilterChain refreshTokenSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
return httpSecurity
.securityMatcher(new AntPathRequestMatcher(ApiEndPoint.SecurePaths.REFRESH_TOKEN))
.csrf(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
.oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()))
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.addFilterBefore(new JwtRefreshTokenFilter(rsaKeyRecord, jwtTokenUtils, refreshTokenRepository), UsernamePasswordAuthenticationFilter.class)
.exceptionHandling(ex -> {
log.error("SecurityConfig :: refreshTokenSecurityFilterChain Exception due to :{}", ex);
ex.authenticationEntryPoint(new BearerTokenAuthenticationEntryPoint());
ex.accessDeniedHandler(new BearerTokenAccessDeniedHandler());
})
.httpBasic(withDefaults())
.build();
}
@Bean
@Order(5)
public SecurityFilterChain logoutSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
return httpSecurity
.securityMatcher(new AntPathRequestMatcher(ApiEndPoint.SecurePaths.LOGOUT))
.csrf(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
.oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()))
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.addFilterBefore(new JwtAccessTokenFilter(rsaKeyRecord, jwtTokenUtils), UsernamePasswordAuthenticationFilter.class)
.logout(logout -> logout
.logoutUrl("/logout")
.addLogoutHandler(logoutHandlerService)
.logoutSuccessHandler(((request, response, authentication) -> SecurityContextHolder.clearContext()))
)
.exceptionHandling(ex -> {
log.error("SecurityConfig :: logoutSecurityFilterChain Exception due to :{}", ex);
ex.authenticationEntryPoint(new BearerTokenAuthenticationEntryPoint());
ex.accessDeniedHandler(new BearerTokenAccessDeniedHandler());
})
.httpBasic(withDefaults())
.build();
}
@Bean
@Order(6)
public SecurityFilterChain registerSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
return httpSecurity
.securityMatcher(new AntPathRequestMatcher(ApiEndPoint.SecurePaths.SIGN_UP))
.csrf(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(auth ->
auth.anyRequest().permitAll())
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.build();
}
@Order(7)
@Bean
public SecurityFilterChain googleOAuth2SecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
return httpSecurity
.securityMatcher(new AntPathRequestMatcher("/oauth2/**"))
.csrf(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(auth -> auth
.requestMatchers("/oauth2/**", "/login/oauth2/**", "/login").permitAll()
.anyRequest().authenticated()
)
.oauth2Login(oauth2 -> oauth2
.loginPage("/login")
.defaultSuccessUrl("/dashboard", true)
.failureUrl("/login?error=true")
.userInfoEndpoint(userInfo -> userInfo.userService(googleOAuth2Service))
.successHandler((request, response, authentication) -> {
DefaultOAuth2User oauth2User = (DefaultOAuth2User) authentication.getPrincipal();
String token = oauth2User.getAttribute("token");
response.addHeader(HttpHeaders.AUTHORIZATION, "Bearer " + token);
})
)
.exceptionHandling(ex -> ex
.authenticationEntryPoint(new CustomOAuth2AuthenticationEntryPoint())
.accessDeniedHandler(new CustomAccessDeniedHandler())
)
.logout(logout -> logout
.logoutUrl("/logout")
.logoutSuccessUrl("/login?logout=true")
.addLogoutHandler(logoutHandlerService)
)
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.build();
}
}
请找出此文件中的问题。
@order从0开始 您可以尝试使用 @Order(0) 并遵循相应的订单吗 也许之前的安全检查正在破坏您的安全过滤链