0

I have a RESTful web application and want to implement token-based authentication. I am able to issue a token, intercepting the request with a filter class, as follows (RESTful authorization check):

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    JpaConfiguration jpaConfiguration;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // disable caching
        http.headers().cacheControl();
        http.csrf().disable() // disable csrf for our requests.
            .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers(HttpMethod.POST, "/login").permitAll()
            .anyRequest().authenticated()
            .and()
            // Here the login requests are filtered
            .addFilterBefore(new JWTLoginFilter("/login", authenticationManager()), UsernamePasswordAuthenticationFilter.class)
            // Most probably here I have to filter the other requests to check the presence of the JWT in the header;
            // here I just add a commented block with the name of the filter
            //.addFilterBefore(new JWTAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
            ;
    }
}

The JWTLoginFilter class looks like this:

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter {

    private TokenAuthenticationService tokenAuthenticationService;

    public JWTLoginFilter(String url, AuthenticationManager authenticationManager) {
        super(new AntPathRequestMatcher(url));
        setAuthenticationManager(authenticationManager);
        tokenAuthenticationService = new TokenAuthenticationService();
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
            throws AuthenticationException, IOException, ServletException {
        // the login request body carries the credentials as JSON
        ServletInputStream inputStream = httpServletRequest.getInputStream();

        ObjectMapper mapper = new ObjectMapper();
        AccountCredentials credentials = mapper.readValue(inputStream, AccountCredentials.class);

        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(credentials.getUsername(), credentials.getPassword());
        return getAuthenticationManager().authenticate(token);
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authentication)
            throws IOException, ServletException {
        // on success the token is written to the response
        String name = authentication.getName();
        tokenAuthenticationService.addAuthentication(response, name);
    }
}

Which class should JWTAuthenticationFilter extend in order to intercept requests?

Is it still the AbstractAuthenticationProcessingFilter class?

Is there a better way to develop token-based authentication?

Answers

0

So, I finally found a solution:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;

public class JWTAuthenticationFilter extends GenericFilterBean implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        try {
            ... // the JWT check that builds the Authentication "token" is elided in the original

            SecurityContextHolder.getContext().setAuthentication(token);
            chain.doFilter(request, response);
        } catch (Exception e) {
            // if anything above throws, the chain is not continued and the response stays empty
            e.printStackTrace();
        }
    }
}

JWTAuthenticationFilter extends GenericFilterBean, the class that has to be implemented for Spring Security filters; the doFilter method does the trick.

Note: you must call the doFilter method of the FilterChain to let the request reach your endpoint; this drove me crazy.
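As an added example (not the answer's own code, which elides the token check), here is the filter in the shape the answer describes: it extends GenericFilterBean, validates the bearer token, and continues the chain after populating the SecurityContext, while an invalid token ends the request with a 401 instead of being swallowed. It assumes the jjwt 0.9.x API and an HMAC secret shared with the token issuer, passed in through the constructor; both are assumptions not present in the original.

```java
import java.io.IOException;
import java.util.Collections;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;

public class JWTAuthenticationFilter extends GenericFilterBean {
    private static final String HEADER = "Authorization";
    private static final String PREFIX = "Bearer ";
    private final String secret; // assumption: HMAC secret shared with the token issuer (jjwt 0.9.x)

    public JWTAuthenticationFilter(String secret) {
        this.secret = secret;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String header = ((HttpServletRequest) request).getHeader(HEADER);
        // No bearer token: continue the chain and let authorizeRequests() reject protected URLs.
        if (header == null || !header.startsWith(PREFIX)) {
            chain.doFilter(request, response);
            return;
        }
        try {
            // Signature and expiry are verified here; a bad token throws JwtException.
            Claims claims = Jwts.parser().setSigningKey(secret)
                    .parseClaimsJws(header.substring(PREFIX.length())).getBody();
            Authentication auth = new UsernamePasswordAuthenticationToken(
                    claims.getSubject(), null, Collections.emptyList());
            SecurityContextHolder.getContext().setAuthentication(auth);
        } catch (JwtException | IllegalArgumentException e) {
            // An invalid or empty token ends the request with 401 instead of being swallowed.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Continue the chain after authenticating, otherwise the endpoint is never reached.
        chain.doFilter(request, response);
    }
}
```

Register it with the commented-out addFilterBefore line from the question's configuration, passing the same secret the login filter uses to sign tokens.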

0

I don't know exactly why JWTLoginFilter is being used. I am working on a project that develops a RESTful service protected by OAuth2. In general, the requester must pass the access token along with the REST API call for authorization.

Below is an example that may serve as a reference:

import static org.springframework.http.HttpMethod.POST;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
@EnableResourceServer
public class Oauth2AuthConfiguration implements ResourceServerConfigurer {

    @Autowired
    private OAuth2RemoteTokenServices tokenServices;

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        // the resource server validates incoming access tokens through these services
        resources.tokenServices(tokenServices);
    }

    @Override
    public void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.exceptionHandling()
            .accessDeniedHandler(new PPDAccessDeniedHandler())
            .authenticationEntryPoint(new PPDAuthenticationEntryPoint())
            .and()
            .authorizeRequests()
            .antMatchers(POST, "/api/test").hasAuthority("PARTNER");
    }
}

OAuth2RemoteTokenServices.java

import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

public class OAuth2RemoteTokenServices implements ResourceServerTokenServices {
    // implement how you validate the token here
    // reference: org.springframework.security.oauth2.provider.token.RemoteTokenServices
}