Spring Security: ApikeyauthenticationFilter не выполняет до jwtauthfilter в Api Gateway ⇐ JAVA

[Anonymous]

У меня есть настройка безопасности пружины, где: < /p>
jwtauthfilter - это распространенный фильтр аутентификации, используемый во всех модулях. Apikeyauthenticationfilter никогда не применяется. Мне нужно сначала выполнять Apikeyauthenticationfilter, а затем jwtauthfilter.

Код: Выделить всё

@Configuration
@EnableWebSecurity
@Order(-1)
public class APIGatewaySecurityConfiguration {

@Autowired
APIKeyAuthenticationFilter authFilter;

@Bean
@Order(1)  // Ensure ordering in security filter chain
public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthenticationEntryPoint authenticationEntryPoint) throws Exception {
http.csrf(csrf -> csrf.disable())
.authorizeHttpRequests(auth -> auth
.requestMatchers("/pzp/**").authenticated()
.anyRequest().authenticated()
)
.addFilterBefore(authFilter, UsernamePasswordAuthenticationFilter.class) // API Key filter should execute first
.exceptionHandling(exception -> exception.authenticationEntryPoint(authenticationEntryPoint));

return http.build();
}
}

apikeyauthenticationfilter:

Код: Выделить всё

@Component
@Order(-1)
public class APIKeyAuthenticationFilter extends OncePerRequestFilter {

@Autowired
APIKeyAuthenticationProvider provider;

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
String apiKey = request.getHeader("apiKey");
if (apiKey == null || apiKey.isEmpty()) {
filterChain.doFilter(request, response);
return;
}

try {
Authentication authRequest = new APIKeyAuthenticationToken(apiKey);
Authentication authResult = provider.authenticate(authRequest);
SecurityContextHolder.getContext().setAuthentication(authResult);
} catch (AuthenticationException e) {
SecurityContextHolder.clearContext();
}

filterChain.doFilter(request, response);
}
}

Конфигурация безопасности для jwtauthfilter:

Код: Выделить всё

@Configuration
@EnableWebSecurity
@Order(99) // Should run after API Gateway security configuration
public class OAuth2SecurityConfiguration {

private final Logger logger = LoggerFactory.getLogger(OAuth2SecurityConfiguration.class);

@Autowired
RemoteTokenServices wSO2TokenServices;

@Autowired
OAuth2AuthenticationManager oAuth2AuthenticationManager;

@Autowired
AuthProperties authProperties;

@Autowired
JwtAuthFilter jwtAuthFilter;

@Autowired
CommonAbstractLogFilter commonAbstractLogFilter;

@PostConstruct
public void done() {
logger.info("Initialization completed for OAuth2SecurityConfiguration");
}

@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception {
return authConfig.getAuthenticationManager();
}

@Bean
@Order(10) // Should execute after APIKeyAuthenticationFilter in API Gateway
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
return http.csrf(csrf -> csrf.disable())
.authorizeHttpRequests(auth -> auth
.requestMatchers(getAntPathRequestMatchers()).anonymous()
.requestMatchers(new AntPathRequestMatcher("/**", HttpMethod.OPTIONS.toString())).permitAll()
.requestMatchers(new AntPathRequestMatcher("/pzp/**")).permitAll()
.anyRequest().authenticated()
)
.sessionManagement(sess -> sess.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.headers(headers -> headers.addHeaderWriter((request, response) ->  {
response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
response.addHeader("Access-Control-Allow-Headers", "Authorization, Content-Type");
}))
.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class) // Should execute after APIKeyAuthenticationFilter
.addFilterAfter(commonAbstractLogFilter, JwtAuthFilter.class)
.build();
}

private AntPathRequestMatcher[] getAntPathRequestMatchers() {
String[] urls = authProperties.getAnonymousURLs();
AntPathRequestMatcher[] requestMatchers = new AntPathRequestMatcher[urls.length + 1];
for (int i = 0; i < urls.length; i++) {
requestMatchers[i] = new AntPathRequestMatcher(urls[i]);
}
requestMatchers[urls.length] = new AntPathRequestMatcher("/api/v1/login");
return requestMatchers;
}

@Bean
public WebSecurityCustomizer webSecurityCustomizer() throws Exception {
String[] urls = authProperties.getAnonymousURLs();

logger.info("Ignored list of resources {} ", authProperties.getAnonymousURLs());

Set matchers = new HashSet();
for (String url : urls) {
matchers.add(new AntPathRequestMatcher(url));
}

return web -> web.ignoring().requestMatchers(matchers.toArray(new AntPathRequestMatcher[0]))
.requestMatchers(new AntPathRequestMatcher("/**", HttpMethod.OPTIONS.toString()));
}
}

jwtauthfilter (глобальный фильтр аутентификации для всех модулей):
@Component
@Order(10) // Should execute after APIKeyAuthenticationFilter in API Gateway
public class JwtAuthFilter extends OncePerRequestFilter {

@Autowired
private JwtService jwtService;

@Autowired
AccessTokenConverter accessTokenConverter;

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
String authHeader = request.getHeader("Authorization");
if (authHeader == null || !authHeader.startsWith("Bearer ")) {
filterChain.doFilter(request, response);
return;
}

try {
String token = authHeader.substring(7);
Jwt jwt = jwtService.extractJwt(token);
AbstractAuthenticationToken authentication = accessTokenConverter.convert(jwt);
SecurityContextHolder.getContext().setAuthentication(authentication);
} catch (Exception e) {
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
return;
}

filterChain.doFilter(request, response);
}
}
< /code>
Проблема:
В шлюзе API jwtauthfilter выполняется до apikeyauthenticationfilter, но мне нужно сначала apikeyauthenticationfilter. пропущен. Цените все понимание при правильном заказе фильтров в Spring Boot 3. **

Подробнее здесь: https://stackoverflow.com/questions/795 ... thfilter-i