Spring Boot 403, запрещенный запрос ⇐ JAVA

[Гость]

Я хотел бы задать вопрос об этой проблеме: 403 запрещенный запрос, я создал аутентификацию Spring авторизации, но эта проблема продолжает возникать, вот сценарий.
Я вошёл в свою учетную запись используя этот /api/v1/auth/sign-in, он вернет токен вместе с токеном обновления.
затем я копирую токен и перехожу к этой конечной точке /api/v1/user , запросите, используя метод get вместе с авторизацией с помощью токена на предъявителя, затем вставьте токен в качестве значения токена на предъявителя, но когда я запрашиваю 403, это запрещено.
**SecurityConfiguration **
package com.sherwin.dev.springsecurity.config;

import com.sherwin.dev.springsecurity.entity.Role;
import com.sherwin.dev.springsecurity.service.UserService;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {
private final JWTAuthenticationFilter jwtAuthenticationFilter;
private final UserService userService;

public SecurityConfiguration(JWTAuthenticationFilter jwtAuthenticationFilter, UserService userService) {
this.jwtAuthenticationFilter = jwtAuthenticationFilter;
this.userService = userService;
}

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.cors(AbstractHttpConfigurer::disable)
.csrf(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(request ->
request.requestMatchers("/api/v1/auth/**")
.permitAll()
.requestMatchers("/api/v1/admin").hasAnyAuthority(Role.ADMIN.name())
.requestMatchers("/api/v1/user").hasAnyAuthority(Role.USER.name())
.anyRequest().authenticated())
.sessionManagement(manager -> manager.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authenticationProvider(authenticationProvider()).addFilterBefore(
jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class
);

return http.build();
}

@Bean
public AuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
authenticationProvider.setUserDetailsService(userService.userDetailsService());
authenticationProvider.setPasswordEncoder(passwordEncoder());
return authenticationProvider;
}

@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}

@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
return config.getAuthenticationManager();
}
}

**JWTAuthenticationFilter **
package com.sherwin.dev.springsecurity.config;

import com.sherwin.dev.springsecurity.service.JWTService;
import com.sherwin.dev.springsecurity.service.UserService;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

import java.io.IOException;

@Component
public class JWTAuthenticationFilter extends OncePerRequestFilter {
private final JWTService jwtService;
private final UserService userService;

public JWTAuthenticationFilter(JWTService jwtService, UserService userService) {
this.jwtService = jwtService;
this.userService = userService;
}

protected void doFilterInternal
(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
final String authHeader = request.getHeader("Authorization");
final String jwt;
final String userEmail;

//check if header is not empty
if (StringUtils.hasLength(authHeader) ||
!org.apache.commons.lang3.StringUtils.startsWith(authHeader, "Bearer ")) {
filterChain.doFilter(request, response);
return;
}
//get token
jwt = authHeader.substring(7);
userEmail = jwtService.extractUserName(jwt);

if (StringUtils.hasLength(userEmail) &&
SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = userService.userDetailsService().loadUserByUsername(userEmail);
if (jwtService.isTokenValid(jwt, userDetails)) {

SecurityContext securityContext = SecurityContextHolder.createEmptyContext();

UsernamePasswordAuthenticationToken token =
new UsernamePasswordAuthenticationToken
(userDetails, null, userDetails.getAuthorities());
token.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
securityContext.setAuthentication(token);
SecurityContextHolder.setContext(securityContext);
}
}

filterChain.doFilter(request, response);
}
}

**AuthenticationServiceImpl **
package com.sherwin.dev.springsecurity.service.impl;

import com.sherwin.dev.springsecurity.dto.JwtAuthenticationResponseDto;
import com.sherwin.dev.springsecurity.dto.RefreshTokenRequestDto;
import com.sherwin.dev.springsecurity.dto.SigninRequestDto;
import com.sherwin.dev.springsecurity.dto.SignupRequestDto;
import com.sherwin.dev.springsecurity.entity.User;
import com.sherwin.dev.springsecurity.mapper.UserMapper;
import com.sherwin.dev.springsecurity.repository.UserRepository;
import com.sherwin.dev.springsecurity.service.AuthenticationService;
import com.sherwin.dev.springsecurity.service.JWTService;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

import java.util.HashMap;

@Service
public class AuthenticationServiceImpl implements AuthenticationService {
private final UserRepository userRepository;
private final PasswordEncoder passwordEncoder;
private final AuthenticationManager authenticationManager;
private final JWTService jwtService;

public AuthenticationServiceImpl(UserRepository userRepository,
PasswordEncoder passwordEncoder,
AuthenticationManager authenticationManager,
JWTService jwtService) {
this.userRepository = userRepository;
this.passwordEncoder = passwordEncoder;
this.authenticationManager = authenticationManager;
this.jwtService = jwtService;
}

@Override
public SignupRequestDto signUp(SignupRequestDto signupRequestDto) {
User user = UserMapper.mapper(signupRequestDto);
String password = passwordEncoder.encode(user.getPassword());
user.setPassword(password);
User userRegister = userRepository.save(user);
return UserMapper.mapper(userRegister);
}

@Override
public JwtAuthenticationResponseDto signin(SigninRequestDto signinRequestDto) {
authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(signinRequestDto.getEmail(),
signinRequestDto.getPassword()));

var user = userRepository.findByEmail(signinRequestDto.getEmail()).orElseThrow(
() -> new IllegalArgumentException("invalid user email or password"));
var jwt = jwtService.generateToken(user);
var refreshToken = jwtService.generateRefreshToken(new HashMap(), user);
JwtAuthenticationResponseDto jwtAuthenticationResponseDto = new JwtAuthenticationResponseDto();
jwtAuthenticationResponseDto.setToken(jwt);
jwtAuthenticationResponseDto.setRefreshToken(refreshToken);
return jwtAuthenticationResponseDto;
}

@Override
public JwtAuthenticationResponseDto refreshToken(RefreshTokenRequestDto refreshTokenRequestDto) {
String userEmail = jwtService.extractUserName(refreshTokenRequestDto.getToken());
User user = userRepository.findByEmail(userEmail).orElseThrow();
if (jwtService.isTokenValid(refreshTokenRequestDto.getToken(), user)) {
var jwt = jwtService.generateToken(user);
JwtAuthenticationResponseDto jwtAuthenticationResponseDto = new JwtAuthenticationResponseDto();
jwtAuthenticationResponseDto.setToken(jwt);
jwtAuthenticationResponseDto.setRefreshToken(refreshTokenRequestDto.getToken());
return jwtAuthenticationResponseDto;
}
return null;
}
}

**JWTServiceImpl **

import com.sherwin.dev.springsecurity.repository.UserRepository;
import com.sherwin.dev.springsecurity.service.JWTService;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;

import java.security.Key;
import java.util.Date;
import java.util.Map;
import java.util.function.Function;

@Service
public class JWTServiceImpl implements JWTService {
private final UserRepository userRepository;

public JWTServiceImpl(UserRepository userRepository) {
this.userRepository = userRepository;
}

@Override
public String generateToken(UserDetails userDetails) {
return Jwts.builder().setSubject(userDetails.getUsername())
.setIssuedAt(new Date(System.currentTimeMillis())).setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 24))
.signWith(getSignKey(), SignatureAlgorithm.HS256)
.compact();
}

@Override
public String generateRefreshToken(Map extractClaims, UserDetails userDetails) {
return Jwts.builder().setClaims(extractClaims).setSubject(userDetails.getUsername())
.setIssuedAt(new Date(System.currentTimeMillis())).setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 24))
.signWith(getSignKey(), SignatureAlgorithm.HS256)
.compact();
}

// extract username from the token
@Override
public String extractUserName(String token) {
return extractClaim(token, Claims::getSubject);
}

private T extractClaim(String token, Function claimsResolver) {
final Claims claims = extractAllClaim(token);
return claimsResolver.apply(claims);
}

private Claims extractAllClaim(String token) {
return Jwts.parserBuilder().setSigningKey(getSignKey()).build().parseClaimsJws(token).getBody();
}

private Key getSignKey() {
byte[] key = Decoders.BASE64.decode("413F4428472B4B6250655368566D5970337336763979244226452948404D6351");
return Keys.hmacShaKeyFor(key);
}

@Override
public boolean isTokenValid(String token, UserDetails userDetails) {
final String username = extractUserName(token);
return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));
}

private boolean isTokenExpired(String token) {
return extractClaim(token, Claims::getExpiration).before(new Date());
}
}


Подробнее здесь: https://stackoverflow.com/questions/784 ... en-request