1.一开始使用requestMatchers().permitAll(),发现加入里面的url还是被拦截,在网上查找后使用了 WebSecurityCustomizer ignoringCustomizer()。
@Bean
public WebSecurityCustomizer ignoringCustomizer() {
return (web) -> web.ignoring().requestMatchers(
"/auth/**"
);
}
2.使用web.ignoring()后对应请求没有被拦截,但是进行到后面的时候,我发现SecurityContext无法获取对应的信息。查找资料后发现是因为web.ignoring()是不会经过过滤链的,但是前面的requestMatchers会经过过滤链。没有经过过滤链的话就不会经过Security,Security就无法获得对应的登录用户信息就会拒绝。
3.再次查找资料后发现解决这个的办法是,使用requestMatchers().permitAll(),但是需要在filter中设定匿名用户的身份验证信息ROLE_ANONYMOUS。
4.解决完之后,请求url没有被拦截了,然后我又出现输入账号密码是正确的,但是又一直不通过的情况。查找资料发现Security中默认是把对应密码的明文,和数据库中密码的密文进行比较。就是说,你需要保证使用前端的明文密码,然后数据库中存储的是密文密码。
最终我的jwtfilter代码
package com.example.blog.filter;
import com.example.blog.model.SecurityUser;
import com.example.blog.service.UserService;
import com.example.blog.utils.JwtUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.BufferedReader;
import java.io.IOException;
public class JwtFilter extends OncePerRequestFilter {
private final UserDetailsService userDetailsService;
@Autowired
public JwtFilter(UserDetailsService userDetailsService) {
this.userDetailsService = userDetailsService;
}
@Override
protected void doFilterInternal(
jakarta.servlet.http.HttpServletRequest request,
jakarta.servlet.http.HttpServletResponse response,
jakarta.servlet.FilterChain filterChain
) throws IOException, jakarta.servlet.ServletException {
String authorizationHeader = request.getHeader("Authorization");
String authorizationUrl = request.getParameter("token");
String username = null;
String token = null;
if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
token = authorizationHeader.substring(7);
}
if (authorizationUrl != null) {
token = authorizationUrl;
}
if (token != null) {
try {
username = JwtUtil.extractUsername(token);
} catch (Exception e) {
logger.error("Failed to extract username from token", e);
}
if (username != null && JwtUtil.validateToken(token, username)) {
SecurityUser securityUser = (SecurityUser) userDetailsService.loadUserByUsername(username);
// 构建用户认证
UsernamePasswordAuthenticationToken authenticationToken =
new UsernamePasswordAuthenticationToken(securityUser, securityUser.getPassword(), securityUser.getAuthorities());
authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
// 放入 SecurityContext 中,方便后续获取当前用户信息
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
System.out.println("userDetails.getUsername():"+securityUser.getUser().getUsername());
} else {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid or expired token");
return;
}
} else {
// 设置 ROLE_ANONYMOUS
AnonymousAuthenticationToken anonymousToken = new AnonymousAuthenticationToken(
"key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
SecurityContextHolder.getContext().setAuthentication(anonymousToken);
System.out.println("ROLE_ANONYMOUS");
}
filterChain.doFilter(request, response);
}
}