thymeleaf extras security 不适用于 spring Security

【问题标题】:thymeleaf extras security doesn't work with spring Securitythymeleaf extras security 不适用于 spring Security
【发布时间】:2021-03-25 13:12:30
【问题描述】:

所以作为初学者,我尝试使用 spring boot 2.2.11、spring security、thymeleaf 和 json web token 创建一个电子商务网站,我的问题是当用户验证模板时,即使我输入 isAnonyms 和IsAuthentificated 我的模板中的百里香标签。

我有两个问题:

1-/ 如何告诉所有控制器用户已经登录?

2-/ 如何将 jwt 令牌从后端传递到前端,以便用户可以提出特定的请求?

这是我的 pom.xml:


<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.2.11.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>demo</name>
    <description>Demo project for Spring Boot</description>

    <properties>
        <java.version>1.8</java.version>

    </properties>

    <dependencies>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>

        <!-- https://mvnrepository.com/artifact/org.webjars/bootstrap -->
        <dependency>
            <groupId>org.webjars</groupId>
            <artifactId>webjars-locator</artifactId>
            <version>0.30</version>
        </dependency>
        <dependency>
            <groupId>org.webjars</groupId>
            <artifactId>bootstrap</artifactId>
            <version>4.0.0</version>
        </dependency>
        <dependency>
            <groupId>org.thymeleaf.extras</groupId>
            <artifactId>thymeleaf-extras-springsecurity5</artifactId>

        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
            <version></version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>


        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt</artifactId>
            <version>0.9.1</version>
        </dependency>
        <dependency>
            <groupId>com.example</groupId>
            <artifactId>demo</artifactId>
            <version>0.0.1-SNAPSHOT</version>
        </dependency>
        <dependency>
            <groupId>org.thymeleaf</groupId>
            <artifactId>thymeleaf</artifactId>
            <version>3.0.11.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.thymeleaf.extras</groupId>
            <artifactId>thymeleaf-extras-springsecurity5</artifactId>
            <version>3.0.4.RELEASE</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

我的 Index.html 中包含 thymeleaf 标签的部分:



                <div class="forms ml-auto">
                    <a th:href="@{/login}" class="btn" sec:authorize="isAnonymous()"><span
                            class="fa fa-user-circle-o"></span> Sign In</a>
                    <a th:href="@{/signup}" class="btn" sec:authorize="isAnonymous()"><span
                            class="fa fa-pencil-square-o"></span> Sign Up</a>
                    <a th:href="@{/account}" class="btn" sec:authorize="isAuthenticated()"><span
                            class="fa fa-pencil-square-o"></span> Account</a>
                    <a th:href="@{/cart}" class="btn"> Cart <span> 0 </span> <i class="fa fa-shopping-cart"></i> </a>
                    <a th:href="@{/logout}" class="btn" sec:authorize="isAuthenticated()"><span
                            class="fa fa-user-circle-o"></span> Logout</a>

                </div>

我的登录控制器:


 @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String login(Model model) {
        model.addAttribute("userDto",new UserDto());
        return "signin";
    }
    @RequestMapping(value = "/login",method = RequestMethod.POST)
    public String login(@ModelAttribute("userDto") @Valid UserDto userDto, BindingResult result , RedirectAttributes ra){
        authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(userDto.getEmail(),userDto.getPassword()));
        final UserDetails userDetails = userDetailsService.loadUserByUsername(userDto.getEmail());
        if (!userDetails.getUsername().equalsIgnoreCase(userDto.getEmail()) ){

            result.rejectValue("email",null,"Wrong Email");
        }

        if (!bCryptPasswordEncoder.matches(userDto.getPassword(),userDetails.getPassword())){
            result.rejectValue("password","null","Wrong Password");
        }
        if (result.hasErrors()){
            ra.addFlashAttribute("userDto",userDto);
            return "signin";
        }
        final String jwt = jwtUtil.generateToken(userDetails);
        System.out.println(jwt);
        return "index";

    }

我的 Spring 安全配置:


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/resources/**", "/static/**", "/public/**").permitAll()
                .antMatchers("/", "/signin/", "/signup","/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**")
                .hasAnyRole("USER", "ADMIN")

                .anyRequest().authenticated().and().sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and().formLogin().loginPage("/signin").defaultSuccessUrl("/")
                    .usernameParameter("email").passwordParameter("password")
                    .permitAll()
                    .defaultSuccessUrl("/",true)
                .and().logout().logoutSuccessUrl("/")
                .logoutRequestMatcher(new AntPathRequestMatcher("/home/logout"));


        http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);


    }

登录前:

img_before_login

登录后的图片:

redirect to index

登录成功并切换到其他页面:

switch page

ps:我会感谢任何解决方案或任何建议。

【问题讨论】:

  • 您的登录有缺陷。这应该是弹簧安全过滤器链的一部分而不是单独的控制器。您没有(正确地)与 Spring Security 交互。所以删除它并让 Spring Security 处理登录(它已经应该通过您配置的 formLogin 来完成。

标签: spring authentication spring-security jwt thymeleaf


【解决方案1】:

您可以通过在@Controller 中将Principal 指定为method argument 来获取用户是否通过身份验证。如果值为null,则请求未通过身份验证。否则,请求通过身份验证。

@GetMapping("/foo")
String foo(Principal principal) {
    boolean isAuthenticated = principal != null;
    ...
}

当认证成功时,您通常会提供 JWT。这是example application

第一步是提供一种对用户进行身份验证的方法。在本例中,我们使用基本身份验证验证用户名/密码。

@Configuration
public class RestConfig extends WebSecurityConfigurerAdapter {

    @Value("${jwt.public.key}")
    RSAPublicKey key;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http.authorizeRequests((authz) -> authz.anyRequest().authenticated())
            .csrf((csrf) -> csrf.ignoringAntMatchers("/token"))
            .httpBasic(Customizer.withDefaults())
            .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
            .sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .exceptionHandling((exceptions) -> exceptions
                .authenticationEntryPoint(new BearerTokenAuthenticationEntryPoint())
                .accessDeniedHandler(new BearerTokenAccessDeniedHandler())
            );
        // @formatter:on
    }

    @Bean
    UserDetailsService users() {
        // @formatter:off
        return new InMemoryUserDetailsManager(
            User.withUsername("user")
                .password("{noop}password")
                .authorities("app")
                .build()
        );
        // @formatter:on
    }

    @Bean
    JwtDecoder jwtDecoder() {
        return NimbusJwtDecoder.withPublicKey(this.key).build();
    }

}

然后在基本身份验证成功后,它到达在响应中产生成功 JWT 的控制器:

@RestController
public class TokenController {

    @Value("${jwt.private.key}")
    RSAPrivateKey key;

    @PostMapping("/token")
    public String token(Authentication authentication) {
        Instant now = Instant.now();
        long expiry = 36000L;
        // @formatter:off
        String scope = authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.joining(" "));
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer("self")
                .issueTime(new Date(now.toEpochMilli()))
                .expirationTime(new Date(now.plusSeconds(expiry).toEpochMilli()))
                .subject(authentication.getName())
                .claim("scope", scope)
                .build();
        // @formatter:on
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).build();
        SignedJWT jwt = new SignedJWT(header, claims);
        return sign(jwt).serialize();
    }

    SignedJWT sign(SignedJWT jwt) {
        try {
            jwt.sign(new RSASSASigner(this.key));
            return jwt;
        }
        catch (Exception ex) {
            throw new IllegalArgumentException(ex);
        }
    }

}

注意:您没有特别询问,但 Thymeleaf 标记似乎不起作用的可能原因是您处于无状态应用程序中,因此登录后身份验证会立即丢失,因为未创建会话.

【讨论】:

  • 感谢 Rob 的回复,我理解您回复的第一部分。对于第二部分,我有一个类名 jwt,其中包含密钥和所有其他方法,如提取声明、令牌过期、创建令牌。我也有一个类 jwtFilter ,它包含方法 doFilterInternal 的覆盖。所以我的问题是有必要创建类 RestConfig 还是只为令牌创建控制器(如果是的话,我应该在我的 Spring 安全配置类中添加什么?)
猜你喜欢
  • 2015-04-20
  • 2021-01-17
  • 2017-06-09
  • 2015-11-03
  • 2015-10-02
  • 1970-01-01
  • 2014-11-29
  • 2020-12-02
  • 2016-04-16
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode