У меня есть аутентифицированный класс, который расширяет org.springframework.security.core.userdetails.user. Он построен из jwt. < /P>
Каждый запрос из браузера имеет JWT, прикрепленный к запросу. Страницы либо защищены, либо публики. Если страница защищена, мой @AuthenticationPrincipal AuthenticatedUser Принципал заполняется, но если страница не защищена, моя @AuthenticationPrincipal AuthenticatedUser Principal не заполнена. И проблема возникает здесь. Теперь у меня есть случай, когда я хочу получить @AuthenticationPrincipal AuthenticatedUser Principal , даже если страница не защищена. Но теперь на незащищенных страницах мой @AuthenticationPrincipal AuthenticatedUser Принципал кажется нулевым, хотя я отправляю jwt.
@Configuration
@EnableWebSecurity
public class ResourceServerConfig {
private final List protectedPaths = List.of(
"/secret/*/**",
"/private"
);
// here if I add the public into the list principal is populated but the anon users cannot access the public link. If I don't add the public link then principal appears to be null.
@Bean
@Order(2)
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.securityMatchers(customizer -> customizer.requestMatchers(protectedPaths.toArray(new String[0])))
.csrf().disable()
.authorizeHttpRequests(requests -> requests.anyRequest().authenticated())
.oauth2ResourceServer()
.jwt(customizer -> customizer.jwtAuthenticationConverter(new UserAuthenticationTokenConverter()));
return http.build();
}
}
< /code>
и мой контроллер: < /p>
@GetMapping(path = "/public/{id}")
public ListingDetailedView
findById(@PathVariable String id, @AuthenticationPrincipal AuthenticatedUser principal) {
// here principal is null
return listingService.findBySearchId(id, principal);
}
< /code>
Как я могу заполнить принципал на не защищенных страницах? < /p>
@Configuration
@RequiredArgsConstructor
public class PartnerResourceServerConfig {
private final PartnerUserDetailsService userDetailsService;
private final AuthenticationFailureHandler failureHandler;
@Bean
@Order(1)
public SecurityFilterChain partnerSecurityFilterChain(HttpSecurity http) throws Exception {
AuthenticationManagerBuilder authManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder.class);
authManagerBuilder.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
var authenticationManager = authManagerBuilder.build();
http.securityMatcher("/hidden/**")
.authorizeHttpRequests(customizer -> customizer.anyRequest().authenticated())
.authenticationManager(authenticationManager)
.addFilterBefore(partnerApiKeyAuthenticationFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class)
.csrf(AbstractHttpConfigurer::disable)
.sessionManagement(sessionManagementCustomizer -> sessionManagementCustomizer
.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
return http.build();
}
PartnerApiKeyAuthenticationFilter partnerApiKeyAuthenticationFilter(AuthenticationManager authenticationManager) {
var filter = new PartnerApiKeyAuthenticationFilter("/hidden/**");
filter.setAuthenticationFailureHandler(failureHandler);
filter.setAuthenticationManager(authenticationManager);
return filter;
}
}
< /code>
Дополнительные классы: < /p>
@NoArgsConstructor
public class UserAuthenticationTokenConverter implements Converter {
@Override
public AuthenticationToken convert(Jwt source) {
var authenticatedUser = AuthenticatedUser.from(source);
return new AuthenticationToken(source, authenticatedUser);
}
}
< /code>
AuthenticationToken: < /p>
public class AuthenticationToken extends AbstractAuthenticationToken {
private final Jwt jwt;
private final AuthenticatedUser authenticatedUser;
public AuthenticationToken(Jwt jwt, AuthenticatedUser authenticatedUser) {
super(List.of());
this.jwt = jwt;
this.authenticatedUser = authenticatedUser;
}
@Override
public Object getCredentials() {
return this.jwt;
}
@Override
public Object getPrincipal() {
return authenticatedUser;
}
@Override
public boolean isAuthenticated() {
return true;
}
}
< /code>
Упрощенное AuthenticatedUser: < /p>
@Getter
public class AuthenticatedUser extends User {
private final String id;
private final UserRole role;
private final String email;
private final boolean isPhoneVerified;
private AuthenticatedUser(String id, UserRole role, String email, String token,
boolean isPhoneVerified) {
super(id, token, true, true, true, true, List.of());
this.id = id;
this.role = role;
this.email = email;
this.isPhoneVerified = isPhoneVerified;
}
@SuppressWarnings("unchecked")
public static AuthenticatedUser from(Jwt jwt) {
var id = jwt.getSubject();
var roleClaim = jwt.getClaimAsString("type");
var userRole = UserRole.forValue(roleClaim);
var userEmail = jwt.getClaimAsString("email");
var isPhoneVerifiedString = jwt.getClaimAsBoolean("phone_number_verified");
var isPhoneVerified = isPhoneVerifiedString != null ? isPhoneVerifiedString : false;
return new AuthenticatedUser(id, userRole, userEmail, jwt.getTokenValue(), isPhoneVerified);
}
}
Подробнее здесь: https://stackoverflow.com/questions/794 ... ected-urls
