我有一个 android 客户端试图使用 api 休息服务
弹簧安全配置:
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.csrf().disable()
.authorizeRequests().antMatchers("/authenticateAPI").permitAll().
anyRequest().authenticated().and().
exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint)
.and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}
从邮递员我得到jwt:
但是......从Android客户端我在按下登录按钮时卡在build()中
public class ApiClient {
public static final String BASE_URL = "http://192.168.0.64:8080/";
private static Retrofit retrofit = null;
public static Retrofit getClient() {
if (retrofit == null) {
Gson gson = new GsonBuilder()
.setLenient()
.create();
retrofit = new Retrofit.Builder()
.baseUrl(BASE_URL)
.addConverterFactory(GsonConverterFactory.create(gson))
.build(); // I GET AN ERROR HERE
}
return retrofit;
}
}
API 日志显示来自JwtFilter类的方法doFilterInternal的“JWT 令牌不以 Bearer 关键字开头”
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
final String requestTokenHeader = request.getHeader("Authorization");
String username = null;
String jwtToken = null;
if (requestTokenHeader != null && requestTokenHeader.startsWith("Bearer ")) {
jwtToken = requestTokenHeader.substring(7);
try {
username = jwtTokenUtil.getUsernameFromToken(jwtToken);
} catch (IllegalArgumentException e) {
System.out.println("Unable to get JWT Token for this user");
} catch (ExpiredJwtException e) {
System.out.println("JWT Token has been expired"); **************HERE***************
}
} else {
logger.warn("JWT Token do not start with Bearer keyword");
}
因为 requestTokenHeader 为空,但是当我进行身份验证时我不需要令牌并且系统要求它。
如果设置为 ".authorizeRequests().antMatchers("/authenticateAPI").permitAll()"。
我认为问题出在春季安全设置中,但我看不到它,请帮助我