move apis from filter to ignore
parent
14b4c64c24
commit
b330e4b4d7
@ -60,7 +60,10 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||
public void configure(WebSecurity web) throws Exception {
|
||||
// TODO: we should use a better way to match the resources
|
||||
// requests for resource and auth api are always allowed
|
||||
web.ignoring().antMatchers("/", "/*.html", "/**/*.js", "/**/*.css", "/favicon.ico", "/**/*.html", "/**/*.map", "/**/*.svg", "/console-fe/public/*", "/**/*.png", "/*.png");
|
||||
web.ignoring()
|
||||
.antMatchers("/", "/*.html", "/**/*.js", "/**/*.css", "/favicon.ico", "/**/*.html", "/**/*.map", "/**/*.svg", "/console-fe/public/*", "/**/*.png", "/*.png")
|
||||
.antMatchers("/v1/auth/**")
|
||||
.antMatchers("/v1/cs/health");
|
||||
}
|
||||
|
||||
@Override
|
||||
@ -72,8 +75,6 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||
} else {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/v1/cs/health").permitAll()
|
||||
.antMatchers("/v1/auth/**").permitAll()
|
||||
.anyRequest().authenticated().and()
|
||||
// custom token authorize exception handler
|
||||
.exceptionHandling()
|
||||
@ -94,7 +95,6 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||
return new BCryptPasswordEncoder();
|
||||
}
|
||||
|
||||
@Bean
|
||||
public GenericFilterBean genericFilterBean() {
|
||||
return new JwtAuthenticationTokenFilter();
|
||||
}
|
||||
|
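Review bot: `.antMatchers("/v1/auth/**")` under `web.ignoring()` in configure(WebSecurity) exempts every path below /v1/auth/ from the whole security filter chain, not only a login endpoint — any other handler mounted under that prefix, now or later, becomes reachable without a token, with no security headers and without JwtAuthenticationTokenFilter running. `web.ignoring()` is meant for static resources; for API endpoints the `.antMatchers("/v1/auth/**").permitAll()` that the second hunk removes from authorizeRequests was the safer construct, because the chain still runs and only the authorization decision is relaxed. I would narrow the ignore to the exact login path (not visible here) or restore permitAll for it, and treat `/v1/cs/health` the same way. The suffix patterns such as `"/**/*.js"` and `"/**/*.html"` match any request path ending in those extensions rather than only static files, which is presumably what the existing TODO refers to and worth stating in that comment.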
@ -32,12 +32,19 @@ public class JwtAuthenticationTokenFilter extends GenericFilterBean {
|
||||
HttpServletResponse httpRes = (HttpServletResponse) servletResponse;
|
||||
|
||||
String jwt = resolveToken(httpReq);
|
||||
// JWT为空,返回401
|
||||
if (!StringUtils.hasText(jwt)) {
|
||||
httpRes.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
|
||||
}
|
||||
// 验证JWT是否正确
|
||||
if (this.tokenProvider.validateToken(jwt)) {
|
||||
else if (this.tokenProvider.validateToken(jwt)) {
|
||||
//获取用户认证信息
|
||||
Authentication authentication = this.tokenProvider.getAuthentication(jwt);
|
||||
//将用户保存到SecurityContext
|
||||
SecurityContextHolder.getContext().setAuthentication(authentication);
|
||||
} else {
|
||||
// 验证失败返回403
|
||||
httpRes.setStatus(HttpServletResponse.SC_FORBIDDEN);
|
||||
}
|
||||
filterChain.doFilter(servletRequest, servletResponse);
|
||||
|
||||
|
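Review bot: In JwtAuthenticationTokenFilter the new `else` branch answers a token that fails `validateToken` with `SC_FORBIDDEN`, but a bad or expired credential is an authentication failure, so `httpRes.setStatus(HttpServletResponse.SC_UNAUTHORIZED);` is the code a client can act on (403 is for an authenticated principal that lacks rights). The filter only sets a status and then calls `filterChain.doFilter`, so the request still travels down the chain with no Authentication; that is only safe because every non-ignored path is `.authenticated()`, and it appears JwtAuthenticationEntryPoint later reuses the status via `getStatus()` — that coupling deserves a comment on the two setStatus lines, e.g. `// status is read back by JwtAuthenticationEntryPoint.commence; the chain continues so authorizeRequests can reject the request`. The Chinese comments in the hunk would also help other maintainers if written in English. The enclosing doFilter starts and ends outside the hunk.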
@ -20,9 +20,10 @@ public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {
|
||||
private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationEntryPoint.class);
|
||||
|
||||
@Override
|
||||
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
|
||||
throws IOException, ServletException {
|
||||
// 403
|
||||
response.sendError(HttpServletResponse.SC_FORBIDDEN, "Authentication Failed");
|
||||
public void commence(HttpServletRequest httpServletRequest,
|
||||
HttpServletResponse httpServletResponse,
|
||||
AuthenticationException e) throws IOException, ServletException {
|
||||
logger.error("Responding with unauthorized error. Message - {}", e.getMessage());
|
||||
httpServletResponse.sendError(httpServletResponse.getStatus(), "Invalid token");
|
||||
}
|
||||
}
|
||||
|
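Review bot: `httpServletResponse.sendError(httpServletResponse.getStatus(), "Invalid token")` in commence takes the status from the response, which is 200 unless JwtAuthenticationTokenFilter already set 401/403, so an AuthenticationException raised by any other path would be reported as HTTP 200 with an error body. Guard it before the call: `int status = httpServletResponse.getStatus(); if (status < 400) { status = HttpServletResponse.SC_UNAUTHORIZED; }` and pass `status` to sendError. Logging every rejected request with `logger.error(...)` will flood the log under unauthenticated traffic; `warn` or `debug` fits an expected condition better. The fixed message "Invalid token" is also misleading for the missing-token case the filter now distinguishes with 401.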