JWTスプリングセキュリティ認証フィルタは、この記事によれば、私はスプリングセキュリティ基準を使用してJWTとRESTセキュリティを作ったヘッダ情報

Question

をlostsリクエスト：リクエスト私のフィルタを処理するとき

public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFilter { 

public JwtAuthenticationFilter() { 
    super("/**"); 
} 

@Override 
protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) { 
    return true; 
} 

@Override 
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { 

    String header = request.getHeader("Authorization"); 

    if (header == null || !header.startsWith("Bearer ")) { 
     throw new JwtTokenMissingException("No JWT token found in request headers"); 
    } 

    String authToken = header.substring(7); 

    JwtAuthenticationToken authRequest = new JwtAuthenticationToken(authToken); 

    return getAuthenticationManager().authenticate(authRequest); 
} 

@Override 
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) 
     throws IOException, ServletException { 
    super.successfulAuthentication(request, response, chain, authResult); 

    // As this authentication is in HTTP header, after success we need to continue the request normally 
    // and return the response as if the resource was not secured at all 
    chain.doFilter(request, response); 
} 
} 

だから、毎回、オブジェクトとアプリがそのユーザーが認証されていない答え与え承認とのHttpServletRequest内の他のヘッダ情報を見つけることができません。 JWTセキュリティフィルタを無効にすると、同じ要求にすべてのヘッダーが含まれます。

この問題を解決するにはどのようなアイデアがありますか？

私の設定ファイルは次のとおりです。

?xml version="1.0" encoding="UTF-8"?> 
<beans:beans 
    xmlns="http://www.springframework.org/schema/security" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xsi:schemaLocation=" 
     http://www.springframework.org/schema/security 
    http://www.springframework.org/schema/security/spring-security-4.2.xsd 
    http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans-4.2.xsd"> 

<!--activate @PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize annotations on any spring beans in the context--> 
<global-method-security pre-post-annotations="enabled" /> 

<!--define the login and signup endpoints to skip security--> 
<http pattern="/authenticate" security="none"/> 

<!--we define the filter chain applied to all requests while adding two important configs: Entry point reference and --> 
<!--setting the session creation to stateless (we do not want the session created for security purposes as --> 
<!--we are using tokens for each request)--> 
<http pattern="/**" entry-point-ref="restAuthenticationEntryPoint" create-session="stateless"> 
    <!--We do not need csrf protection because our tokens are immune to it--> 
    <csrf disabled="true"/> 
    <!--we plug in our special authentication filter within the Spring’s predefined filter chain,--> 
    <!--just before the form login filter--> 
    <custom-filter before="FORM_LOGIN_FILTER" ref="jwtAuthenticationFilter"/> 
</http> 

<!--This bean is the declaration of our authentification filter; since it is extending Spring’s --> 
<!--AbstractAuthenticationProcessingFilter, we need to declare it in XML to wire its properties --> 
<!--(auto wire does not work here)--> 
<beans:bean id="jwtAuthenticationFilter" class="by.eventcat.rest.security.JwtAuthenticationFilter"> 
    <beans:property name="authenticationManager" ref="authenticationManager" /> 
    <!--The default success handler of AbstractAuthenticationProcessingFilter is not good enough for REST purposes --> 
    <!--because it redirects the user to a success page; that is why we set our own here--> 
    <beans:property name="authenticationSuccessHandler" ref="jwtAuthenticationSuccessHandler" /> 
</beans:bean> 

<authentication-manager alias="authenticationManager"> 
    <!--The declaration of the provider created by the authenticationManager is used by our filter to authenticate users--> 
    <authentication-provider ref="jwtAuthenticationProvider" /> 
</authentication-manager> 

<beans:bean id="restAuthenticationEntryPoint" class="by.eventcat.rest.security.RestAuthenticationEntryPoint"/> 
<beans:bean id="jwtAuthenticationProvider" class="by.eventcat.rest.security.JwtAuthenticationProvider"/> 
<beans:bean id="jwtUtil" class="by.eventcat.rest.security.JwtUtil"/> 

Answer 1

私は自分のアプリケーションCORSの設定に追加した、responceではなく、ご要望に応じていないだけに影響を与えます。

<!--CORS configuration--> 
<filter> 
    <filter-name>corsFilter</filter-name> 
    <filter-class>by.eventcat.rest.MyCorsFilter</filter-class> 
</filter> 
<filter-mapping> 
    <filter-name>corsFilter</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 

をそしてMyCorsFilterは、次のとおりです：だから、私のweb.xmlに私が追加した

public class MyCorsFilter extends CorsFilter { 

public MyCorsFilter() { 
    super(configurationSource()); 
} 

private static UrlBasedCorsConfigurationSource configurationSource() { 
    CorsConfiguration config = new CorsConfiguration(); 
    config.addAllowedOrigin("*"); 
    config.addAllowedMethod("*"); 
    config.addAllowedHeader("*"); 
    config.setAllowCredentials(true); 
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); 
    source.registerCorsConfiguration("/**", config); 
    return source; 
} 

}