リクエストヘッダーにカスタムトークンに基づく認証を実装しようとしています。カスタムトークンに基づく認証
私はthis questionの受け入れられた答えを読んで、カスタムトークン、フィルタ、および認証プロバイダを作成しました。
問題:
私は "GET /ログイン" してみてください:
- フィルタは
- と呼ばれるトークンはauthenticationProviderが呼び出されない
- が作成されます。そのメソッドも
supports
は呼び出されません!
ブラウザコンソールでは、/login
への2 HTTP 302
の呼び出しがあります。
EDIT:実際には、認証プロバイダは、エンドポイントを角度から呼び出す(AJAX/XHR呼び出しの結果)場合にのみ無視されます。 Postmanからエンドポイントを呼び出すと、認証プロバイダが呼び出されます。
EDIT:春のセキュリティデバッグログ:
2016-10-27 19:57:46.724 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.Hs[email protected]
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login at position 4 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/logout'
2016-10-27 19:57:46.725 DEBUG 9752 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /login at position 5 of 10 in additional filter chain; firing Filter: 'MyFilter'
2016-10-27 19:57:46.726 DEBUG 9752 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2016-10-27 19:57:46.726 DEBUG 9752 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2016-10-27 19:57:46.768 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /login at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-10-27 19:57:46.769 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /login at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-10-27 19:57:46.769 DEBUG 9752 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2016-10-27 19:57:46.770 DEBUG 9752 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-10-27 19:57:46.770 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /login at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-10-27 19:57:46.771 DEBUG 9752 --- [nio-8080-exec-4] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.se[email protected]43bffae5
2016-10-27 19:57:46.771 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /login at position 4 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
2016-10-27 19:57:46.771 DEBUG 9752 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/logout'
2016-10-27 19:57:46.771 DEBUG 9752 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /login at position 5 of 10 in additional filter chain; firing Filter: 'MyFilter'
2016-10-27 19:57:46.772 DEBUG 9752 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : HttpSession being created as SecurityContext is non-default
2016-10-27 19:57:46.774 DEBUG 9752 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : SecurityContext stored to HttpSession: '[email protected]085d: Authentication: [email protected]: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities'
2016-10-27 19:57:46.774 DEBUG 9752 --- [nio-8080-exec-4] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
トークン:
public class MyToken extends AbstractAuthenticationToken {
private String token;
public MyToken(String token) {
super(null);
this.token = token;
}
@Override
public Object getCredentials() {
return token;
}
@Override
public Object getPrincipal() {
return null;
}
}
フィルタ:
public class MyFilter extends AbstractAuthenticationProcessingFilter {
public MyFilter() {
super("/login");
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
String x_token = request.getHeader("x_token");
String method = request.getMethod();
if(x_token != null && method.equals("GET")) {
return new MyToken(x_token);
}
return null;
}
}
認証プロバイダ:
@Component
public class MyAuthenticationProvider implements AuthenticationProvider {
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
MyToken token = (MyToken) authentication;
if(token.getCredentials() != null) {
token.setAuthenticated(true);
return token;
}
return null;
}
@Override
public boolean supports(Class<?> authentication) {
return authentication.equals(MyToken.class);
}
}
そして最後に、セキュリティ設定:あなたはAbstractAuthenticationProcessingFilter
のカスタムサブクラスでAuthenticationManager
を呼び出す必要があり
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private MyAuthenticationProvider myAuthenticationProvider;
@Override
protected void configure(HttpSecurity http) throws Exception {
// configure filters
http.addFilterBefore(new MyFilter(), UsernamePasswordAuthenticationFilter.class);
// configure authentication providers
http.authenticationProvider(myAuthenticationProvider);
// disable csrf
http.csrf().disable();
// setup security
http.authorizeRequests()
.anyRequest()
.fullyAuthenticated()
.and().httpBasic();
}
}
を追加しましたバネ - セキュリティDEBUGログを@dur。また、XHRの代わりに通常の要求でエンドポイントを呼び出すと、認証プロバイダが呼び出されることがわかりました。 –
@durこのクラスについて知らなかったし、持っていない。私は宣言しようとしましたが、呼び出されません。私は次の質問を見て、受け入れられた答えが 'AuthenticationProvider'のリストを与えることによって' AuthenticationManager'を構築することにあることを発見しました。それは 'AuthenticationProvider'を' HttpSecurity'に与えるのと同じことでしょうか? http://stackoverflow.com/questions/31826233/custom-authentication-manager-with-spring-security-and-java-configuration –