Cześć,
mam jakiś kretyński kłopot: otóż chcę, aby dwa endpointy /user/register oraz /user/login były dostępne bez sprawdzania JWT.
Tak wygląda mój SecurityConfig:
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
@EnableGlobalMethodSecurity(
securedEnabled = true,
jsr250Enabled = true,
prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private final CustomUserDetailsService userDetailsService;
private final AuthenticationHandler authenticationHandler;
private final AuthenticationFilter jwtAuthenticationFilter;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService)
.passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean(BeanIds.AUTHENTICATION_MANAGER)
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.csrf().disable()
.exceptionHandling()
.authenticationEntryPoint(authenticationHandler)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/user/register").permitAll()
.antMatchers("/login").permitAll()
.anyRequest().authenticated();
http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
}
oraz Filter:
@Component
public class AuthenticationFilter extends OncePerRequestFilter {
private static final String AUTHORIZATION_HEADER = "authorization";
private final JWTTokenManager jwtTokenManager;
private final CustomUserDetailsService userDetails;
public AuthenticationFilter (
final JWTTokenManager jwtTokenManager, final CustomUserDetailsService userDetails
) {
this.jwtTokenManager = jwtTokenManager;
this.userDetails = userDetails;
}
@Override
protected void doFilterInternal (
final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse,
final FilterChain filterChain
) throws ServletException, IOException {
String token = getTokenFromHeaders(httpServletRequest);
if(jwtTokenManager.verify(token)) {
UserDetails user = userDetails.loadUserByUUID(jwtTokenManager.getUUID(token));
UsernamePasswordAuthenticationToken authentication =
new UsernamePasswordAuthenticationToken(
user, null, user.getAuthorities());
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpServletRequest));
SecurityContextHolder.getContext().setAuthentication(authentication);
}
filterChain.doFilter(httpServletRequest, httpServletResponse);
}
private String getTokenFromHeaders(HttpServletRequest request) throws ServletException{
String bearerToken = request.getHeader(AUTHORIZATION_HEADER);
if (StringUtils.isEmpty(bearerToken) || !bearerToken.startsWith("Bearer "))
throw new ServletException("Missing or invalid Authorization header");
return bearerToken.substring(7);
}
}
No i nadal na tych endpointach lecą mi 401... Ma ktoś pomysł, jak takie proste Security – rejestracja, logowanie, sprawdzanie JWT na endpointach – stworzyć albo w Springu, albo i bez niego? Ewentualnie jak rozwiązać ten problem.
500 zamiast 401.