, однако я уже отключил его.
@Configuration
@EnableMethodSecurity
public class SecurityConfig {
private JwtAuthenticationEntryPoint authenticationEntryPoint;
private JwtAuthenticationFilter authenticationFilter;
@Value("${cors.allowedOrigin.url}")
private String originURL;
/**
 * Creates the security configuration with its JWT collaborators.
 *
 * @param userDetailsService injected but not stored: nothing in this constructor reads
 *     it (it stays in the signature so existing wiring keeps working)
 * @param authenticationEntryPoint entry point wired into the filter chain for
 *     unauthenticated requests
 * @param authenticationFilter filter that turns a bearer token into an Authentication
 */
public SecurityConfig(UserDetailsService userDetailsService,
                      JwtAuthenticationEntryPoint authenticationEntryPoint,
                      JwtAuthenticationFilter authenticationFilter) {
    this.authenticationFilter = authenticationFilter;
    this.authenticationEntryPoint = authenticationEntryPoint;
}
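/**
 * Password encoder used for stored user credentials.
 *
 * <p>Uses BCrypt at the library's default work factor (10) instead of the previous
 * explicit strength 7, which is well below that default and therefore comparatively
 * cheap to brute-force offline. BCrypt records the cost inside every hash, so hashes
 * that were produced with strength 7 still verify; only newly encoded passwords get
 * the higher cost.
 *
 * @return a BCrypt-based {@link PasswordEncoder}
 */
@Bean
public static PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}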
/**
 * Exposes the {@link AuthenticationManager} that Spring Security assembles from the
 * registered providers.
 *
 * @param configuration the auto-configured authentication configuration
 * @return the shared authentication manager
 * @throws Exception propagated from {@code AuthenticationConfiguration.getAuthenticationManager()}
 */
@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration configuration) throws Exception {
    final var manager = configuration.getAuthenticationManager();
    return manager;
}
/**
 * Builds the stateless, JWT-protected filter chain.
 *
 * <p>CSRF protection is switched off for this chain; it never creates an HTTP session
 * and authenticates from the {@code Authorization} header, which is the usual case in
 * which a CSRF token adds nothing. CORS comes from {@link #corsConfigurationSource()},
 * the listed paths are open to everyone, every other request needs an authenticated
 * principal, unauthenticated access is handed to the JWT entry point, and the JWT
 * filter runs ahead of the form-login filter.
 *
 * <p>NOTE(review): if "Invalid CSRF token" still shows up in the security log with CSRF
 * disabled here, confirm that this bean is the chain actually matched for that request
 * and that no second filter chain is registered elsewhere — TODO confirm.
 *
 * @param http the builder supplied by Spring Security
 * @return the configured chain
 * @throws Exception propagated from {@code HttpSecurity.build()}
 */
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    final String[] publicPaths = {
        "/USERMANAGEMENT/user/add/**", "/login2", "/Logout**", "/refreshToken",
        "/forgot/**", "/imgCategory/**", "/imgBank/**"
    };
    http
        .csrf(csrf -> csrf.disable())
        .cors(cors -> cors.configurationSource(corsConfigurationSource()))
        .authorizeHttpRequests(authorize -> authorize
            .requestMatchers(publicPaths).permitAll()
            .anyRequest().authenticated())
        .exceptionHandling(exception -> exception.authenticationEntryPoint(authenticationEntryPoint))
        .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
        .addFilterBefore(authenticationFilter, UsernamePasswordAuthenticationFilter.class);
    return http.build();
}
/**
 * CORS policy applied to every path.
 *
 * <p>The single allowed origin pattern comes from the {@code cors.allowedOrigin.url}
 * property; all listed methods are permitted and any request/response header is
 * allowed and exposed. Credentials are not enabled on this configuration (no
 * {@code setAllowCredentials} call), so the wildcard header settings are accepted by
 * browsers as written.
 *
 * @return a source that maps {@code /**} to the policy above
 */
CorsConfigurationSource corsConfigurationSource() {
    final var allowedMethods = Arrays.asList("OPTIONS", "GET", "HEAD", "POST", "PATCH", "PUT", "DELETE");
    final var corsPolicy = new CorsConfiguration();
    corsPolicy.addAllowedOriginPattern(originURL);
    corsPolicy.setAllowedMethods(allowedMethods);
    corsPolicy.setAllowedHeaders(Arrays.asList("*"));
    corsPolicy.setExposedHeaders(Arrays.asList("*"));
    final var policySource = new UrlBasedCorsConfigurationSource();
    policySource.registerCorsConfiguration("/**", corsPolicy);
    return policySource;
}
@component
public class jwtauthenticationEntrypoint реализует аутентификацию.private static final Logger LOGGER = LoggerFactory.getLogger(JwtAuthenticationEntryPoint.class);
/**
 * Rejects an unauthenticated access to a secured resource with HTTP 401.
 *
 * <p>The failure is logged with its stack trace and the exception's message is
 * echoed back as the error reason. NOTE(review): that message is whatever Spring
 * Security produced internally and the log entry is at ERROR level for every
 * unauthenticated hit — consider whether a generic reason and a lower log level are
 * preferable; behaviour here is unchanged.
 *
 * @param request HttpServletRequest
 * @param response HttpServletResponse
 * @param authException AuthenticationException
 * @throws IOException Exception
 */
@Override
public void commence(HttpServletRequest request,
                     HttpServletResponse response,
                     AuthenticationException authException) throws IOException {
    final String reason = authException.getMessage();
    LOGGER.error("JWT ERROR :", authException);
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED, reason);
}
} < /p>
@component
public class jwtauthenticationfilter experrequestfilter {< /p>
private final JwtTokenProvider jwtTokenProvider;
private final UserDetailsService userDetailsService;
/**
 * Creates the filter with the collaborators it needs to validate a token and load the
 * matching user.
 *
 * @param jwtTokenProvider validates tokens and extracts the username from them
 * @param userDetailsService loads the user named in a valid token
 */
public JwtAuthenticationFilter(JwtTokenProvider jwtTokenProvider, UserDetailsService userDetailsService) {
    this.userDetailsService = userDetailsService;
    this.jwtTokenProvider = jwtTokenProvider;
}
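/**
 * Authenticates the request from its bearer token, if one is present and valid.
 *
 * <p>When the {@code Authorization} header carries a token that
 * {@code jwtTokenProvider.validateToken} accepts, the user named in the token is loaded
 * and an authenticated token for it is stored in the {@link SecurityContextHolder}.
 * Requests without a usable token continue down the chain unauthenticated; the 401
 * response is then produced by the entry point configured in the security config.
 *
 * <p>NOTE(review): {@code loadUserByUsername} may throw when the token's subject no
 * longer exists; nothing here catches that, so it surfaces as a server error rather
 * than a 401 — TODO confirm that is intended.
 *
 * @param request HttpServletRequest
 * @param response HttpServletResponse
 * @param filterChain FilterChain
 * @throws ServletException Exception
 * @throws IOException Exception
 */
@Override
protected void doFilterInternal(HttpServletRequest request,
                                HttpServletResponse response,
                                FilterChain filterChain) throws ServletException, IOException {
    final String token = getTokenFromRequest(request);
    // validate token
    if (StringUtils.hasText(token) && jwtTokenProvider.validateToken(token)) {
        // get username from token
        final String username = jwtTokenProvider.getUsername(token);
        // load the user associated with token
        final UserDetails userDetails = userDetailsService.loadUserByUsername(username);
        // Credentials are deliberately null: the token already proved the identity.
        // The previous version stored userDetails.getPassword() — the stored password
        // hash — in the security context for the whole request, where anything that
        // logs or serialises the Authentication could expose it.
        final var authenticationToken = new UsernamePasswordAuthenticationToken(
            userDetails,
            null,
            userDetails.getAuthorities()
        );
        authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
        SecurityContextHolder.getContext().setAuthentication(authenticationToken);
    }
    filterChain.doFilter(request, response);
}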
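/**
 * Extracts the bearer token from the {@code Authorization} header.
 *
 * <p>The scheme comparison is case-insensitive because RFC 7235 defines the
 * auth-scheme as case-insensitive (RFC 6750 inherits that for {@code Bearer}), so a
 * client sending {@code bearer xyz} is accepted as well as {@code Bearer xyz}. Only the
 * prefix check changed; the result is still everything after the scheme and the
 * single space, and it is validated by the caller before use.
 *
 * @param request HTTP Request
 * @return the raw token, or {@code null} when the header is absent, blank, or not a
 *     bearer credential
 */
private String getTokenFromRequest(HttpServletRequest request) {
    final String bearerToken = request.getHeader("Authorization");
    if (!StringUtils.hasText(bearerToken)) {
        return null;
    }
    final String scheme = "Bearer ";
    // regionMatches returns false when the header is shorter than the scheme,
    // so no explicit length check is needed before substring.
    if (bearerToken.regionMatches(true, 0, scheme, 0, scheme.length())) {
        return bearerToken.substring(scheme.length());
    }
    return null;
}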
и журналы безопасности:
Неверный токен CSRF, найденный для http://localhost:8082/USERMANAGEMENT/user/add
2025-02-06T01:21:37.522+02:00 DEBUG 23744 ---
Подробнее здесь: https://stackoverflow.com/questions/794 ... n-disabled