InsufficientAuthenticationException:访问此资源需要完全身份验证
Posted
技术标签:
【中文标题】InsufficientAuthenticationException:访问此资源需要完全身份验证【英文标题】:InsufficientAuthenticationException: Full authentication is required to access this resource 【发布时间】:2020-03-30 09:36:03 【问题描述】:所以我有一个相对简单的 JWT 身份验证,并设置了 Spring Boot 安全性。这包括 3 个过滤器(Jwt、Cors、JwtExceptionHandler)和一个注册到 HttpSecurity 的异常处理程序。
由于调试原因,我将JwtRequestFilter
的doFilterInternal
方法设为空。仅此一点就没有问题。但是,如果同一过滤器中的shouldNotFilter
方法返回true
(这意味着将跳过doFilterInternal
)我收到指定的异常:
org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource
at org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:189)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:140)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at at.techsoft.cocos.security.ExceptionHandlerFilter.doFilterInternal(ExceptionHandlerFilter.java:20)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
这是我的WebSecurityConfig
课程:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
private static final Logger log = LoggerFactory.getLogger(WebSecurityConfig.class);
@Autowired
private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
@Autowired
private UserDetailsService jwtUserDetailsService;
@Autowired
private ExceptionHandlerFilter exceptionHandlerFilter;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
auth.userDetailsService(jwtUserDetailsService).passwordEncoder(passwordEncoder());
@Bean
public PasswordEncoder passwordEncoder()
return new BCryptPasswordEncoder();
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception
return super.authenticationManagerBean();
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception
httpSecurity.cors().and().csrf().disable();
httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
httpSecurity.exceptionHandling()
.authenticationEntryPoint(jwtAuthenticationEntryPoint);
httpSecurity.headers().frameOptions().disable();
httpSecurity.authorizeRequests()
.antMatchers(Path.ROOT + "/authentication/**", "/*","/share/**", "/css/**", "/img/**", "/js/**", "/console/**").permitAll()
// Disallow everything else..
.antMatchers(HttpMethod.OPTIONS).permitAll()
.anyRequest().authenticated();
httpSecurity.addFilterBefore(new CorsFilterConfig(), ChannelProcessingFilter.class);
httpSecurity.addFilterBefore(new JwtRequestFilter(new StandardJwtValidator(tokenUtil, userRepository, jwtUserDetailsService)), UsernamePasswordAuthenticationFilter.class);
httpSecurity
.addFilterBefore(exceptionHandlerFilter, JwtRequestFilter.class);
@Override
public void configure(WebSecurity web) throws Exception
web.ignoring()
.antMatchers(Path.ROOT + "/authentication/", "/*", "/css/**", "/img/**", "/js/**", "/console/**")
.antMatchers(HttpMethod.OPTIONS, "/**");
这是有问题的 JwtRequestFilter:
public class JwtRequestFilter extends OncePerRequestFilter
private Logger log = LoggerFactory.getLogger(JwtRequestFilter.class);
final
IJwtValidator validator;
public JwtRequestFilter(IJwtValidator validator)
this.validator = validator;
@Override
public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws ServletException, IOException
//SecurityContextHolder.getContext().setAuthentication(validator.getAuthenticatioNToken(request));
@Override
protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException
return true;
当谷歌搜索异常时,几乎所有的答案都包括 oauth2 身份验证,但我不使用 oauth2。
我应该补充一点,这种特殊情况永远不会发生,但我觉得有一些潜在的问题正在系统的其他部分产生错误。
编辑: 根据要求,我将添加 application.properties:
jwt.secret=javainuse
logging.level.at=DEBUG
logging.level.org.springframework.web=DEBUG
spring.jpa.hibernate.ddl-auto= create-drop
spring.jpa.open-in-view=true #i know this shouldn't be used
#database location
#left out for post
# H2
spring.h2.console.enabled=true
spring.h2.console.path=/h2/
spring.datasource.url=#left out again
请求头:
> GET /api/v1/groups/ HTTP/1.1
> Host: localhost:8080
> User-Agent: insomnia/7.0.5
> Cookie: JSESSIONID=199D19CCD05968D3E8CF0C97A1DE2CD5
> Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJ0c2FkbWluIiwiZXhwIjoxNTc1NTY0MjcxLCJpYXQiOjE1NzU1NDYyNzF9.dCXO2LFaZy8LTFRCA14gHAhA1kUUSy6pCZ7Joad2z1y1G50PSVC2mPz56odA5LmIHOxhjnZrrxAbGyuX2NWgWQ
> Accept: */*
【问题讨论】:
【参考方案1】:你可以参考下面提到的文章,它可能会有所帮助
Spring Boot: Full authentication is required to access this resource
secure-your-spring-restful-apis-with-jwt-a-real-world-example
在你的 spring-boot 项目中,如果你有 application.properties 文件或 application.yml 文件也可以共享。 是服务器到服务器的身份验证还是客户端到服务器? 请同时分享请求标头详细信息
【讨论】:
【参考方案2】:对于在我之后寻找解决方案的任何人:
这是doFilterInternal
方法中的一行代码。最后我添加了
chain.doFilter(request, response);
这为我解决了问题。
【讨论】:
以上是关于InsufficientAuthenticationException:访问此资源需要完全身份验证的主要内容,如果未能解决你的问题,请参考以下文章