Zrobiłem autentykację JWT i gdy zdefiniuję konfigurację gdzie mam mieć dostęp bez tokena, działa mi tylko 1 lokalizacja, a powinny wszystkie gdzie dam permitAll.
Wszedzie indziej wymagany jest token i nie mogę ustawić dostępu bez tokena do kilku lokalizacji.
Security config:
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
@Configuration
public class AdapterJWTSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(AuthenticationManagerBuilder auth){
}
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.csrf().disable()
.httpBasic().disable()
.cors()
.and()
.authorizeRequests()
.antMatchers(HttpMethod.POST,"/rest/user/**").permitAll()
.antMatchers(HttpMethod.POST,"rest/user/addUser").permitAll()
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthorizationFilter(authenticationManagerBean()));
}
}
JWT filter:
package com.snokant.projekt.Configuration.JwtConfiguration;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.Claim;
import io.jsonwebtoken.*;
import io.jsonwebtoken.impl.crypto.MacProvider;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.DatatypeConverter;
import java.io.IOException;
import java.security.Key;
import java.util.ArrayList;
import java.util.Date;
public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
public JWTAuthorizationFilter(AuthenticationManager authManager) {
super(authManager);
}
@Override
protected void doFilterInternal(HttpServletRequest req,
HttpServletResponse res,
FilterChain chain) throws IOException, ServletException {
String token = req.getHeader(JwtConstants.HEADER_STRING);
if (token == null) {
try {
chain.doFilter(req, res);
} catch (JwtException e) {
System.out.println(e.getMessage());
}
return;
}
UsernamePasswordAuthenticationToken authentication = getAuthentication(req, res);
SecurityContextHolder.getContext().setAuthentication(authentication);
chain.doFilter(req, res);
}
private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request, HttpServletResponse response) throws IOException {
String token = request.getHeader(JwtConstants.HEADER_STRING);
if (token != null) {
Claims claims = validateToken(token);
if (claims != null) {
return new UsernamePasswordAuthenticationToken(claims, null, new ArrayList<>());
}
return null;
}
return null;
}
private Claims validateToken(String token) {
Claims claims = null;
try {
return Jwts.parser()
.setSigningKey(JwtConstants.SECRET)
.parseClaimsJws(token).getBody();
} catch (Exception e) {
return null;
}
}
}
UserController:
@CrossOrigin(origins = "*")
@RestController
@RequestMapping("/rest/user/")
public class UserController {
private UserService userService;
public UserController(UserService userService) {
this.userService = userService;
}
@PostMapping("addUser")
public List<String> addUser(@Valid @RequestBody User user,BindingResult bindingResult) {
return userService.addNewUser(user, bindingResult);
}
@PostMapping("signIn")
public List<String> generate(@Valid @RequestBody UserRequestLogin user) {
return userService.signIn(user);
}
}
