Entrar Ainda não tem acesso?
5
respostas

Meu código ainda continua com erro 403 Forbidden.

Referente ao curso Spring Boot 3: desenvolva uma API Rest em Java

por Brendo da Silva Sousa
| 73.7k xp | 3 posts
Encarregado de operações

Realizei algumas alterações para que conseguisse utilizar o banco h2 porém fico com erro forbidden e não é gerado nenhum erro no console

@Configuration
@EnableWebSecurity
public class SecurityConfigurations {
    @Autowired
    private SecurityFilter securityFilter;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http.csrf(
                csrf -> csrf.ignoringRequestMatchers(AntPathRequestMatcher.antMatcher("/h2-console/**")))
                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(req -> {
                    req.requestMatchers(HttpMethod.POST, "/login").permitAll();
                    req.requestMatchers(AntPathRequestMatcher.antMatcher("/h2-console/**")).permitAll();
                    req.anyRequest().authenticated();
                })
                .headers(headers -> headers.frameOptions().disable())
                .addFilterBefore(securityFilter , UsernamePasswordAuthenticationFilter.class)
                .build();
    }
    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration configuration) throws Exception{
        return configuration.getAuthenticationManager();
    }

    @Bean
    public PasswordEncoder passwordEncoder () {
        return new BCryptPasswordEncoder();
    }
}

@Component
public class SecurityFilter extends OncePerRequestFilter {

    @Autowired
    private TokenService tokenService;
    @Autowired
    private UserRepository repository;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        var tokenJWT = recuperarToken(request);

        if (tokenJWT != null) {
            var subject = tokenService.getSubject(tokenJWT);
            var usuario = repository.findByLogin(subject);

            var authentication = new UsernamePasswordAuthenticationToken(usuario, null, usuario.getAuthorities());
            SecurityContextHolder.getContext().setAuthentication(authentication);
        }

        filterChain.doFilter(request, response);
    }

    private String recuperarToken(HttpServletRequest request) {
        var authorization = request.getHeader("Authorization");
        if (authorization != null ) System.out.println(authorization);
        return null;
    }
}

@RestController
@RequestMapping("/login")
public class AuthenticationController {

    @Autowired
    private AuthenticationManager manager;
    @Autowired
    private TokenService tokenService;

    @PostMapping
    public ResponseEntity<DadosToken> login (@RequestBody @Valid AuthenticationDTO dados) {
        var authenticationToken = new UsernamePasswordAuthenticationToken(dados.login(), dados.password());
        var authentication = manager.authenticate(authenticationToken);

        var tokenJWT = tokenService.token((User) authentication.getPrincipal());

        return ResponseEntity.ok(new DadosToken(tokenJWT));
    }
}
5 respostas
por Rodrigo da Silva Ferreira Caneppele
| 5056k xp | 8861 posts
Instrutor Instrutor

Oi Brendo!

Seu método recuperarToken está apenas fazendo um Syste.out e não devolvendo o token do header. Pode ser esse o problema.

por Brendo da Silva Sousa
| 73.7k xp | 3 posts
Encarregado de operações

Olá na verdade esse System.out era só para ver se o token estava chegando, mais corrigir alterei para chamada do método replace para que tirasse o Bearer da String, porém ainda continua apresentando o erro 403 Forbidden. E não da nenhum erro no console

por Rodrigo da Silva Ferreira Caneppele
| 5056k xp | 8861 posts
Instrutor Instrutor

Manda aqui como está ocódigo completo

por Rodrigo da Silva Ferreira Caneppele
| 5056k xp | 8861 posts
Instrutor Instrutor

E também da classe TokenService

por Brendo da Silva Sousa
| 73.7k xp | 3 posts
Encarregado de operações 
@RestController
@RequestMapping("/login")
public class AuthenticationController {

    @Autowired
    private AuthenticationManager manager;
    @Autowired
    private TokenService tokenService;

    @PostMapping
    public ResponseEntity<DadosToken> login (@RequestBody @Valid AuthenticationDTO dados) {
        var authenticationToken = new UsernamePasswordAuthenticationToken(dados.login(), dados.password());
        var authentication = manager.authenticate(authenticationToken);

        var tokenJWT = tokenService.token((User) authentication.getPrincipal());

        return ResponseEntity.ok(new DadosToken(tokenJWT));
    }
}

@Configuration
@EnableWebSecurity
public class SecurityConfigurations {
    @Autowired
    private SecurityFilter securityFilter;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http.csrf(
                csrf -> csrf.ignoringRequestMatchers(AntPathRequestMatcher.antMatcher("/h2-console/**")))
                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(req -> {
                    req.requestMatchers(HttpMethod.POST, "/login").permitAll();
                    req.requestMatchers(AntPathRequestMatcher.antMatcher("/h2-console/**")).permitAll();
                    req.anyRequest().authenticated();
                })
                .headers(headers -> headers.frameOptions().disable())
                .addFilterBefore(securityFilter , UsernamePasswordAuthenticationFilter.class)
                .build();
    }
    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration configuration) throws Exception{
        return configuration.getAuthenticationManager();
    }

    @Bean
    public PasswordEncoder passwordEncoder () {
        return new BCryptPasswordEncoder();
    }
}
@Component
public class SecurityFilter extends OncePerRequestFilter {

    @Autowired
    private TokenService tokenService;
    @Autowired
    private UserRepository repository;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        var tokenJWT = recuperarToken(request);

        if (tokenJWT != null) {
            var subject = tokenService.getSubject(tokenJWT);
            var usuario = repository.findByLogin(subject);

            var authentication = new UsernamePasswordAuthenticationToken(usuario, null, usuario.getAuthorities());
            SecurityContextHolder.getContext().setAuthentication(authentication);
        }

        filterChain.doFilter(request, response);
    }

    private String recuperarToken(HttpServletRequest request) {
        var authorizationHeader = request.getHeader("Authorization");
        if (authorizationHeader != null) {
            return authorizationHeader.replace("Bearer ", "");
        }

        return null;
    }
}

@Service
public class TokenService {
    public String token(User user) {
        try {
            Algorithm algorithm = Algorithm.HMAC256("1234567");
            return JWT.create()
                    .withIssuer("api Voll.med")
                    .withSubject(user.getLogin())
                    .withExpiresAt(dataExpicao())
                    .sign(algorithm);
        } catch (JWTCreationException exception){
           throw new RuntimeException("Erro na geração de token");
        }
    }

    public String getSubject(String token) {
       try {
           Algorithm algorithm = Algorithm.HMAC256("1234567");
           return JWT.require(algorithm)
                   .withIssuer("api Voll.med")
                   .build()
                   .verify(token)
                   .getSubject();
       } catch (JWTVerificationException ex) {
           throw new RuntimeException("Token invalido");
       }


    }

    private Instant dataExpicao() {
        return LocalDateTime.now().plusHours(2).toInstant(ZoneOffset.of("-03:00"));
    }
}
@Service
public class AuthenticationService implements UserDetailsService {

    @Autowired
    private UserRepository repository;
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {

        return repository.findByLogin(username);
    }
}