I have been struggling since past 2-3 weeks on this and asked for help in this post earlier, but no help yet. I tried looking into other examples and answers in stackoverflow and finally able to proceed a couple of steps. but now again another obstacle in my way. Really need your help...
fyi: I am completely changing the description of this questions as I am able to figure out what I asked before.
Problem: 1) When I call a GET request without passing Token in header, I am still getting response from rest service
2) How can I customize the response when there is a Bad request(404), e.g. invalid Token or No Token provided or No access
What I have done: 1) I am able to authenticate the user successfully by calling localhost:8080/token and by passing username and password. If I pass wrong credentials it throws error.
What I have observed:
1) If I do not call localhost:8080/token at first but calling /index, then I am getting error
{
"timestamp": 1541597538738,
"status": 401,
"error": "Unauthorized",
"exception": "org.springframework.security.access.AccessDeniedException",
"message": "UNAUTHARIZED",
"path": "/index"
}
2) If I call /token at first and then I call /index and the pass WRONG token, then I am getting error
3) If I call /token at first and then I call /index and the pass correct token, but the method has different Authority, then I am getting the same error as above(#2)
4) As described above in Problem: i.e. when I call /index and do NOT pass token, then it returns good response. - This is the main problem I want to resolve and need your help.
The entire code is in github. FYI: If you want to run the code either you have to change the LDAP url/userDn and password or you can use an XYZ.ldif file. The LDIF in my code is not the correct one, but you can change and test it.
I think the problem in here, but I don't know how to resolve it.
public class JwtAuthenticationFilter extends OncePerRequestFilter {
@Autowired
private JwtTokenProvider tokenProvider;
private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationFilter.class);
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
String jwt = getJwtFromRequest(request);
if (StringUtils.hasText(jwt) && tokenProvider.validateToken(jwt)) {
UserDetails userDetails = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(authentication);
}
filterChain.doFilter(request, response);
}
private String getJwtFromRequest(HttpServletRequest request) {
String bearerToken = request.getHeader("Authorisation");
if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Basic ")) {
return bearerToken.substring(6, bearerToken.length());
}
return null;
}
}
Thanks in advance!
来源:https://stackoverflow.com/questions/53090739/spring-boot-jwt-security-getting-to-response-even-without-passing-token