Spring Boot JWT security - getting to response eve

2019-01-29 09:41发布

I have been struggling since past 2-3 weeks on this and asked for help in this post earlier, but no help yet. I tried looking into other examples and answers in stackoverflow and finally able to proceed a couple of steps. but now again another obstacle in my way. Really need your help...

fyi: I am completely changing the description of this questions as I am able to figure out what I asked before.

Problem: 1) When I call a GET request without passing Token in header, I am still getting response from rest service

2) How can I customize the response when there is a Bad request(404), e.g. invalid Token or No Token provided or No access

What I have done: 1) I am able to authenticate the user successfully by calling localhost:8080/token and by passing username and password. If I pass wrong credentials it throws error.

What I have observed:

1) If I do not call localhost:8080/token at first but calling /index, then I am getting error

{
    "timestamp": 1541597538738,
    "status": 401,
    "error": "Unauthorized",
    "exception": "org.springframework.security.access.AccessDeniedException",
    "message": "UNAUTHARIZED",
    "path": "/index"
}

2) If I call /token at first and then I call /index and the pass WRONG token, then I am getting error enter image description here 3) If I call /token at first and then I call /index and the pass correct token, but the method has different Authority, then I am getting the same error as above(#2)

4) As described above in Problem: i.e. when I call /index and do NOT pass token, then it returns good response. - This is the main problem I want to resolve and need your help. enter image description here

The entire code is in github. FYI: If you want to run the code either you have to change the LDAP url/userDn and password or you can use an XYZ.ldif file. The LDIF in my code is not the correct one, but you can change and test it.

I think the problem in here, but I don't know how to resolve it.

public class JwtAuthenticationFilter extends OncePerRequestFilter {

    @Autowired
    private JwtTokenProvider tokenProvider;

    private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationFilter.class);

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        String jwt = getJwtFromRequest(request);

        if (StringUtils.hasText(jwt) && tokenProvider.validateToken(jwt)) {
            UserDetails userDetails = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
            UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
            authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));

            SecurityContextHolder.getContext().setAuthentication(authentication);
        }
        filterChain.doFilter(request, response);
    }

    private String getJwtFromRequest(HttpServletRequest request) {
        String bearerToken = request.getHeader("Authorisation");
        if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Basic ")) {
            return bearerToken.substring(6, bearerToken.length());
        }
        return null;
    }
}

Thanks in advance!

0条回答
登录 后发表回答