Why does filter chain continue if no token is passed in header with OAuth2 spring security?


Problem description

I am trying to use OAuth2 with Spring Security, and the configuration XML is as follows:

    <http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="oauthUserAuthenticationManager"
          xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
        <anonymous enabled="false"/>
        <http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
        <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER"/>
    </http>
    <http auto-config="true" pattern="/services/rest/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
          xmlns="http://www.springframework.org/schema/security">
        <anonymous enabled="false"/>
        <intercept-url pattern="/services/rest/**"/>
        <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
        <access-denied-handler ref="oauthAccessDeniedHandler"/>
    </http>

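I have successfully generated a token. Now, when trying to access a protected resource, everything works fine if I pass the token in the header. But if I don't pass the token, security is bypassed.

I checked the code of OAuth2AuthenticationProcessingFilter: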

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException,
            ServletException {

        final boolean debug = logger.isDebugEnabled();
        final HttpServletRequest request = (HttpServletRequest) req;
        final HttpServletResponse response = (HttpServletResponse) res;

        try {

            Authentication authentication = tokenExtractor.extract(request);

            if (authentication == null) { // If token is null, do nothing
                if (debug) {
                    logger.debug("No token in request, will continue chain.");
                }
            }
            else {
                request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_VALUE, authentication.getPrincipal());
                if (authentication instanceof AbstractAuthenticationToken) {
                    AbstractAuthenticationToken needsDetails = (AbstractAuthenticationToken) authentication;
                    needsDetails.setDetails(authenticationDetailsSource.buildDetails(request));
                }
                Authentication authResult = authenticationManager.authenticate(authentication);

                if (debug) {
                    logger.debug("Authentication success: " + authResult);
                }

                SecurityContextHolder.getContext().setAuthentication(authResult);

            }
        }
        catch (OAuth2Exception failed) {
            SecurityContextHolder.clearContext();

            if (debug) {
                logger.debug("Authentication request failed: " + failed);
            }

            authenticationEntryPoint.commence(request, response,
                    new InsufficientAuthenticationException(failed.getMessage(), failed));

            return;
        }

        chain.doFilter(request, response);
    }

Why does this filter skip security if the token is not present? Should I add another filter to handle this case?

Recommended answer

Try

    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
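The filter quoted in the question only authenticates a token when one is present; whether a request without one is rejected is decided later from the `access` attribute of `<intercept-url>`, which the question's rule omits. The check below is an added example, not part of the original question or answer or of Spring Security: it scans a security XML configuration for `<http>` blocks whose rules require no authenticated caller. The function name `audit_http_blocks`, the finding strings and the embedded sample configuration (the question's resource block, with the answer's `access` value applied to that block's own pattern) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SEC_NS = "{http://www.springframework.org/schema/security}"
# Access values that do not require an authenticated caller.
OPEN_ACCESS = {"permitAll", "IS_AUTHENTICATED_ANONYMOUSLY"}

# Constructed input: the question's resource block wrapped in a root element.
QUESTION_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
<http pattern="/services/rest/**" create-session="never"
      entry-point-ref="oauthAuthenticationEntryPoint"
      xmlns="http://www.springframework.org/schema/security">
    <anonymous enabled="false"/>
    <intercept-url pattern="/services/rest/**"/>
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
</http>
</beans>"""
# Constructed input: same block with an access rule added (assumed placement).
FIXED_CONFIG = QUESTION_CONFIG.replace(
    '<intercept-url pattern="/services/rest/**"/>',
    '<intercept-url pattern="/services/rest/**" access="IS_AUTHENTICATED_FULLY"/>')


def audit_http_blocks(xml_text):
    """Return (http pattern, url pattern, problem) for rules that admit unauthenticated requests."""
    findings = []
    root = ET.fromstring(xml_text)
    for http in root.iter(SEC_NS + "http"):
        block = http.get("pattern", "/**")  # no pattern means the block matches everything
        if http.get("security") == "none":
            findings.append((block, block, "security filters disabled"))
            continue
        rules = http.findall(SEC_NS + "intercept-url")
        if not rules:
            findings.append((block, block, "no intercept-url rule"))
        for rule in rules:
            access = (rule.get("access") or "").strip()
            url = rule.get("pattern", "")
            if not access:
                findings.append((block, url, "missing access attribute"))
            elif access in OPEN_ACCESS:
                findings.append((block, url, "access allows anonymous callers"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_http_blocks(cfg))
```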
