InsufficientAuthenticationException:访问此资源需要完全身份验证

Posted

技术标签:

【中文标题】InsufficientAuthenticationException:访问此资源需要完全身份验证【英文标题】:InsufficientAuthenticationException: Full authentication is required to access this resource 【发布时间】:2020-03-30 09:36:03 【问题描述】:

所以我有一个相对简单的 JWT 身份验证,并设置了 Spring Boot 安全性。这包括 3 个过滤器(Jwt、Cors、JwtExceptionHandler)和一个注册到 HttpSecurity 的异常处理程序。 由于调试原因,我将JwtRequestFilterdoFilterInternal 方法设为空。仅此一点就没有问题。但是,如果同一过滤器中的shouldNotFilter 方法返回true(这意味着将跳过doFilterInternal)我收到指定的异常:

org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource
at org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:189)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:140)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at at.techsoft.cocos.security.ExceptionHandlerFilter.doFilterInternal(ExceptionHandlerFilter.java:20)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)

这是我的WebSecurityConfig 课程:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter 
private static final Logger log = LoggerFactory.getLogger(WebSecurityConfig.class);

@Autowired
private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;

@Autowired
private UserDetailsService jwtUserDetailsService;

@Autowired
private ExceptionHandlerFilter exceptionHandlerFilter;

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception 
    auth.userDetailsService(jwtUserDetailsService).passwordEncoder(passwordEncoder());


@Bean
public PasswordEncoder passwordEncoder() 
    return new BCryptPasswordEncoder();


@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception 
    return super.authenticationManagerBean();




@Override
protected void configure(HttpSecurity httpSecurity) throws Exception 
    httpSecurity.cors().and().csrf().disable();
    httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    httpSecurity.exceptionHandling()
            .authenticationEntryPoint(jwtAuthenticationEntryPoint);

    httpSecurity.headers().frameOptions().disable();

    httpSecurity.authorizeRequests()
            .antMatchers(Path.ROOT + "/authentication/**", "/*","/share/**", "/css/**", "/img/**", "/js/**", "/console/**").permitAll()
            // Disallow everything else..
            .antMatchers(HttpMethod.OPTIONS).permitAll()
            .anyRequest().authenticated();

    httpSecurity.addFilterBefore(new CorsFilterConfig(), ChannelProcessingFilter.class);

    httpSecurity.addFilterBefore(new JwtRequestFilter(new StandardJwtValidator(tokenUtil, userRepository, jwtUserDetailsService)), UsernamePasswordAuthenticationFilter.class);

    httpSecurity
            .addFilterBefore(exceptionHandlerFilter, JwtRequestFilter.class);




@Override
public void configure(WebSecurity web) throws Exception 
    web.ignoring()
            .antMatchers(Path.ROOT + "/authentication/",  "/*", "/css/**", "/img/**", "/js/**", "/console/**")
            .antMatchers(HttpMethod.OPTIONS, "/**");


这是有问题的 JwtRequestFilter:

public class JwtRequestFilter extends OncePerRequestFilter 

private Logger log = LoggerFactory.getLogger(JwtRequestFilter.class);

final
IJwtValidator validator;

public JwtRequestFilter(IJwtValidator validator) 
    this.validator = validator;


@Override
public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
        throws ServletException, IOException             

  //SecurityContextHolder.getContext().setAuthentication(validator.getAuthenticatioNToken(request));




@Override
protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException 
    return true;


当谷歌搜索异常时,几乎所有的答案都包括 oauth2 身份验证,但我不使用 oauth2。

我应该补充一点,这种特殊情况永远不会发生,但我觉得有一些潜在的问题正在系统的其他部分产生错误。

编辑: 根据要求,我将添加 application.properties:

jwt.secret=javainuse
logging.level.at=DEBUG
logging.level.org.springframework.web=DEBUG
spring.jpa.hibernate.ddl-auto= create-drop
spring.jpa.open-in-view=true #i know this shouldn't be used

#database location
#left out for post
# H2
spring.h2.console.enabled=true
spring.h2.console.path=/h2/
spring.datasource.url=#left out again

请求头:

> GET /api/v1/groups/ HTTP/1.1
> Host: localhost:8080
> User-Agent: insomnia/7.0.5
> Cookie: JSESSIONID=199D19CCD05968D3E8CF0C97A1DE2CD5
> Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJ0c2FkbWluIiwiZXhwIjoxNTc1NTY0MjcxLCJpYXQiOjE1NzU1NDYyNzF9.dCXO2LFaZy8LTFRCA14gHAhA1kUUSy6pCZ7Joad2z1y1G50PSVC2mPz56odA5LmIHOxhjnZrrxAbGyuX2NWgWQ
> Accept: */*

【问题讨论】:

【参考方案1】:

你可以参考下面提到的文章,它可能会有所帮助

Spring Boot: Full authentication is required to access this resource

secure-your-spring-restful-apis-with-jwt-a-real-world-example

在你的 spring-boot 项目中,如果你有 application.properties 文件或 application.yml 文件也可以共享。 是服务器到服务器的身份验证还是客户端到服务器? 请同时分享请求标头详细信息

【讨论】:

【参考方案2】:

对于在我之后寻找解决方案的任何人: 这是doFilterInternal 方法中的一行代码。最后我添加了

chain.doFilter(request, response);

这为我解决了问题。

【讨论】:

以上是关于InsufficientAuthenticationException:访问此资源需要完全身份验证的主要内容,如果未能解决你的问题,请参考以下文章