The following configuration (filterChain) works fine on Spring Boot 2.7.5, but after I tried testing it on Spring Boot 3.0.0-RC1 it does not work and shows the message below. If I want to migrate to Spring Boot 3.0.0, is there anything I need to change? Thanks.
```json
{
  "timestamp": 1667794247614,
  "status": 401,
  "error": "Unauthorized",
  "message": "An Authentication object was not found in the SecurityContext",
  "path": "/api/admin/1"
}
```
```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.cors().and().csrf().disable()
        .exceptionHandling().authenticationEntryPoint(jwtAuthenticationProvider).and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
        .authorizeRequests()
        .antMatchers("/**").permitAll()
        // private endpoints
        .anyRequest().authenticated();
    http.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
    return http.build();
}
```
Here is the jwtTokenFilter:
```java
import java.io.IOException;

// Spring Boot 2.x uses javax.servlet.*; Spring Boot 3.x uses jakarta.servlet.*
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import static org.springframework.util.ObjectUtils.isEmpty; // assumed source of isEmpty(...)

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class JwtTokenFilter extends OncePerRequestFilter {

    @Autowired
    private JwtTokenUtil jwtTokenUtil;

    @Autowired
    private JPAUserDetailService jpaUserDetailService;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        // Get authorization header and validate
        final String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (isEmpty(header) || !header.startsWith("Bearer ")) {
            chain.doFilter(request, response);
            return;
        }

        // Get jwt token and validate
        final String token = header.split(" ")[1].trim();
        if (!jwtTokenUtil.validate(token)) {
            chain.doFilter(request, response);
            return;
        }

        // Get user identity and set it on the spring security context
        UserDetails userDetails = jpaUserDetailService.loadUserByUsername(jwtTokenUtil.getUsername(token));
        UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
                userDetails, null, (userDetails == null ? null : userDetails.getAuthorities()));
        authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
        SecurityContextHolder.getContext().setAuthentication(authentication);
        chain.doFilter(request, response);
    }
}
```
In Spring Security 6, the default behavior is that the SecurityContextHolderFilter will only read the SecurityContext from the SecurityContextRepository and populate it in the SecurityContextHolder. Users now must explicitly save the SecurityContext with the SecurityContextRepository if they want the SecurityContext to persist between requests. This removes ambiguity and improves performance by only requiring writes to the SecurityContextRepository (i.e. HttpSession) when it is necessary.

```java
SecurityContextHolder.setContext(securityContext);
securityContextRepository.saveContext(securityContext, httpServletRequest, httpServletResponse);
```
See https://docs.spring.io/spring-security/reference/5.8/migration.html#_explicit_save_securitycontextrepository
If that does not work, try reverting to the 5.x default:

```java
http
    .securityContext((securityContext) -> securityContext
        .requireExplicitSave(false)
    )
```
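As an added illustration of both suggestions in the answer (it is not code from the answer or from the asker), here is the question's filter and filter chain rewritten for Spring Security 6: the filter builds a fresh SecurityContext, sets it on the holder and saves it explicitly through a SecurityContextRepository, and the chain uses the 6.x lambda-style DSL with the requireExplicitSave(false) fallback left as a commented alternative. JwtTokenUtil, JPAUserDetailService and jwtAuthenticationProvider (assumed to be an AuthenticationEntryPoint) are taken from the question and assumed to exist unchanged; the "/api/public/**" path is an assumption, and RequestAttributeSecurityContextRepository is used so that a STATELESS API never writes the context to an HttpSession.

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// JwtTokenUtil and JPAUserDetailService are the question's own classes, assumed to exist unchanged.
@Component
public class JwtTokenFilter extends OncePerRequestFilter {

    private final JwtTokenUtil jwtTokenUtil;
    private final JPAUserDetailService jpaUserDetailService;
    // Stateless API: keep the context for this request only (as a request attribute), never in an HttpSession.
    private final SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();

    public JwtTokenFilter(JwtTokenUtil jwtTokenUtil, JPAUserDetailService jpaUserDetailService) {
        this.jwtTokenUtil = jwtTokenUtil;
        this.jpaUserDetailService = jpaUserDetailService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(request, response); // no token: continue anonymously; authorization decides later
            return;
        }
        String token = header.substring("Bearer ".length()).trim();
        if (!jwtTokenUtil.validate(token)) {
            chain.doFilter(request, response); // invalid token is treated like no token, as in the question
            return;
        }
        UserDetails userDetails = jpaUserDetailService.loadUserByUsername(jwtTokenUtil.getUsername(token));
        UsernamePasswordAuthenticationToken authentication =
                UsernamePasswordAuthenticationToken.authenticated(userDetails, null, userDetails.getAuthorities());
        authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));

        // Spring Security 6: populate a fresh context, publish it to the holder, and save it explicitly.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(authentication);
        SecurityContextHolder.setContext(context);
        securityContextRepository.saveContext(context, request, response);

        chain.doFilter(request, response);
    }
}

@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, JwtTokenFilter jwtTokenFilter,
                                    AuthenticationEntryPoint jwtAuthenticationProvider) throws Exception {
        http
            .cors(Customizer.withDefaults())
            .csrf(csrf -> csrf.disable())
            .exceptionHandling(eh -> eh.authenticationEntryPoint(jwtAuthenticationProvider))
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // "/api/public/**" is an assumed path; the question's "/**" would make every request public.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/public/**").permitAll()
                .anyRequest().authenticated())
            .addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
        // Fallback from the answer: restore the 5.x behaviour of saving the context automatically.
        // http.securityContext(sc -> sc.requireExplicitSave(false));
        return http.build();
    }
}
```

The explicit save is the version to prefer: it keeps the context where the 6.x filters look for it, and because the repository is request-scoped nothing is written to a session. Note also that the question's `.antMatchers("/**").permitAll()` matches every path before `.anyRequest().authenticated()` is consulted, so whichever context strategy is used, the authenticated rule only takes effect once the permitAll pattern is narrowed to the genuinely public endpoints.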