如何在Spring云网关的GlobalFilter中从SecurityContext获取BearTokenAuthentication
Spring Cloud Gateway作为OAuth2ResourceServer,具有以下授权配置:
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange(exchanges ->
exchanges
.anyExchange().authenticated()
)
.oauth2ResourceServer(OAuth2ResourceServerSpec::jwt)
return http.build();
}
我有一个全局过滤器,负责在每个有效的身份验证请求中执行一些功能,如下所示:
@Service
public class CustomGlobal implements GlobalFilter {
@Autowired
BearerTokenAuthentication authentication;
public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
// access request headers, and perform some logic
// extract details from the JWT token, and perform some logic
log.info(authentication.getTokenAttributes.get("sub"));
// ^ in the above line there's a NullPointerException, since instance
// BearerTokenAuthentication is not set, or not visible at a GlobalFilter class
return chain.filter(exchange);
}
}
我仍处于学习阶段。任何可能的线索将不胜感激。
共有1个答案
我是这样做的(请注意,您应该将WebFilter更改为GlobalFilter)。
添加到您的pom中
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-jose</artifactId>
<version>5.4.6</version>
</dependency>
然后过滤器应该像
package filter;
import lombok.extern.log4j.Log4j2;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.util.StringUtils;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
@Log4j2
public class CustomGlobal implements WebFilter {
public static final String HEADER_PREFIX = "Bearer ";
private final ReactiveJwtDecoder jwtDecoder;
public ReactiveJwtDecoder createDecoder(String issuer, String jwkUrl) {
var jwtDecoder = NimbusReactiveJwtDecoder.withJwkSetUri(jwkUrl).build();
jwtDecoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
new JwtIssuerValidator(issuer),
new JwtTimestampValidator()));
return jwtDecoder;
}
protected CustomGlobal(String issuer, String jwkUrl) {
this.jwtDecoder = createDecoder(issuer, jwkUrl);
}
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
return Mono
.defer(() -> {
var token = resolveToken(exchange.getRequest());
if (!StringUtils.hasText(token)) {
throw new BadJwtException("Authorisation token is invalid");
}
return jwtDecoder.decode(token);
})
.flatMap(tokenJwt -> {
log.info(tokenJwt.getClaimAsString("sub"));
return chain.filter(exchange);
})
.onErrorResume(err -> handleError(exchange));
}
private Mono<Void> handleError(ServerWebExchange exchange) {
exchange.getResponse().setRawStatusCode(HttpStatus.UNAUTHORIZED.value());
exchange.getResponse().getHeaders().add("Content-Type", "application/json");
return exchange.getResponse().setComplete();
}
private String resolveToken(ServerHttpRequest request) {
String bearerToken = request.getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
if (StringUtils.hasText(bearerToken) && bearerToken.startsWith(HEADER_PREFIX)) {
return bearerToken.substring(7).trim();
}
return "";
}
}
下一步是创建配置
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
@Configuration
public class CustomGlobalConfig {
@Value("${jwt.iss}")
private String issuer;
@Value("${jwt.jwk-uri}")
private String jwkUrl;
@Bean
CustomGlobal createFilterBean() {
return new CustomGlobal(this.issuer, this.jwkUrl);
}
}
-
我正在Spring Boot项目(版本2.2.6)中使用Spring Cloud Gateway和Spring Security。我有一个自定义的预过滤器,它需要在将请求转发给下游服务之前向请求添加头部。Pre过滤器需要读取Spring Security的Authentication对象以获取权限,然后才能添加头部(它需要根据权限进行一些查找)。由于Spring Cloud Gateway是反应式
-
配置文件如下: java keytools生成的密钥库。项目可以正常启动,当我通过网关请求时,错误。消息如下: io。内蒂。处理程序。ssl。NotSslRecordException:不是SSL/TLS记录:474554202f55414d532f75616d737465737420485454502f312e310d0a486f73743a203139322e3136382e302e313a3
-
类似于Spring Cloud Sleuth-获取当前traceId?但在Spring Cloud Gateway GlobalFilter的背景下 我尝试注入TringingContext并获取当前的TracingContext,但当我获取当前的跟踪上下文时,它返回。 我怀疑这是一个问题,我的过滤器没有指定任何。但是,我尝试了HIGHEST_PRECEDENCE和LOWEST_PRECEDENC
-
我有一个带有一些endpoint的anexo API,比如: 如何将Spring Cloud Gateway与这些endpoint一起使用?
-
几天来,他一直试图用Keycloak连接s-c-gateway和s-c-security。我希望位于网关后面的模块不要有keycloak配置。Spring云网关不支持Spring云安全吗?
-
我想从前端应用程序调用POST请求,但是在控制台中我看到: CORS策略阻止从来源“http://localhost:9090/authenticate”访问位于“http://localhost:3000”的XMLHttpRequest:对飞行前请求的响应未通过访问控制检查:请求的资源上没有“access-control-allog-origin”标头。