問題描述

我正在關注 此 auth0 的教程 以確保我的應用程序使用 JWT.

I'm following this auth0's tutorial to secure my application using JWT.

我最終得到了以下 WebSecurity 配置:

I've ended up with the following WebSecurity configuration:

@EnableWebSecurity
@AllArgsConstructor(onConstructor = @__(@Autowired))
public class WebSecurity extends WebSecurityConfigurerAdapter {

    private final UserDetailsService userDetailsService;
    private final BCryptPasswordEncoder passwordEncoder;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
                .and().cors()
                .and().csrf()
                .disable()
                .authorizeRequests()
                .antMatchers(HttpMethod.POST, REGISTER_URL).permitAll()
                .antMatchers(HttpMethod.POST, LOGIN_URL).permitAll()
                .anyRequest().authenticated()
                .and()
                .addFilter(new JWTAuthorizationFilter(authenticationManager()))
                .addFilter(new JWTAuthenticationFilter(authenticationManager()))
                // This disables session creation on Spring Security
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
        return source;
    }

}

以及以下 JWTAuthenticationFilter:

and the following JWTAuthenticationFilter:

public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    private final AuthenticationManager authenticationManager;

    public JWTAuthenticationFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        try {
            ApplicationUser credentials = new ObjectMapper().readValue(request.getInputStream(), ApplicationUser.class);
            return authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(
                            credentials.getUsername(),
                            credentials.getPassword(),
                            new ArrayList<>()
                    )
            );
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
        String token = Jwts.builder()
                .setSubject(((User) authResult.getPrincipal()).getUsername())
                .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
                .signWith(SignatureAlgorithm.HS512, SECRET.getBytes())
                .compact();
        response.addHeader(HEADER_STRING, TOKEN_PREFIX + token);
    }
}

目前，該應用接受 /login URL 上的 POST 請求.我想知道如何將 URL 更改為，比如說，/api/auth/login.有沒有辦法將 URL 字符串注入身份驗證過濾器或以某種方式在安全配置中進行設置?

At the moment, the app accepts POST requests on the /login URL. I wonder how to change the URL to, let's say, /api/auth/login. Is there any way to inject the URL string into the authentication filter or to set it somehow in the security config?

推薦答案

你正在擴展 org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter 本身擴展org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.在這最后一個類中，有一個名為 setFilterProcessesUrl 的設置器，它的目的就是這樣做:

You are extending org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter which itself extends org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter. In this last class, there is a setter called setFilterProcessesUrl which is intended to do just this:

setFilterProcessesUrl

public void setFilterProcessesUrl(String filterProcessesUrl)

public void setFilterProcessesUrl(String filterProcessesUrl)

設置確定是否需要身份驗證的 URL

Sets the URL that determines if authentication is required

參數:filterProcessesUrl

Parameters: filterProcessesUrl

This 是指向該 javadoc 部分的鏈接

This is the link to that javadoc section

所以在你的 WebSecurityConfigurerAdapter 你可以這樣做:

So in your WebSecurityConfigurerAdapter you could do just like this:

@Bean
public JWTAuthenticationFilter getJWTAuthenticationFilter() {
    final JWTAuthenticationFilter filter = new JWTAuthenticationFilter(authenticationManager());
    filter.setFilterProcessesUrl("/api/auth/login");
    return filter;
}

然后在同一個類的 configure 方法中只引用它而不是創建新實例:

And then in your configure method in the same class just reference it instead of creating new instance:

.addFilter(getJWTAuthenticationFilter())

這篇關于在 Spring Security UsernamePasswordAuthenticationFilter JWT 身份驗證中設置自定義登錄 url的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！