As access token expires, client sends GET request with /refresh endpoint,but it ended with 401-unauthorized.
I have configured this request in webConfig. so, it does not need authorization. I have passed access token in header of /refresh request.
Note: If I don't pass token in header of /refresh request, It worked fine.
JwtAuthenticationController.java:
@RestController
public class JwtAuthenticationController {
@RequestMapping(value = "/refresh", method = RequestMethod.GET)
public ResponseEntity<?> refreshAuthenticationToken(HttpServletRequest request) {
final String token = request.getHeader("Authorization");
final String username = jwtUtils.getUsernameFromToken(token);
final UserDetails user = userDetailsService.loadUserByUsername(username);
if ((user.getUsername()).equals(username) && jwtUtils.isTokenExpired(token)) {
final String refreshedToken = jwtUtils.refreshToken(token);
return ResponseEntity.ok(new JwtAuthenticationResponse(refreshedToken));
}
else {
return ResponseEntity.badRequest().body(null);
}
}
}
WebSecurityConfig.java
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.csrf().disable()
.exceptionHandling()
.antMatchers("/register","/refresh")
.permitAll()
.anyRequest().authenticated();
httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
httpSecurity.headers().cacheControl().disable();
}
}
JwtAuthenticationFilter.java
@Component
public class JwtAuthenticationFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws ServletException, IOException {
String authToken = request.getHeader(AUTHORIZATION_HEADER);
if (authToken != null && authToken.startsWith(BEARER_PREFIX)) {
try {
authToken = authToken.substring(BEARER_PREFIX_LENGTH);
username = jwtUtils.getUsernameFromToken(authToken);
}catch (IllegalArgumentException e) {
System.out.println("Unable to get JWT Token");
} catch (ExpiredJwtException e) {
System.out.println("JWT Token has expired");
}
}
else {
logger.warn("JWT Token does not begin with Bearer String");
}
}
JwtUtils.java
private Claims getClaimsFromToken(String token) {
return Jwts.parser()
.setSigningKey(secret)
.requireIssuer(issuer)
.parseClaimsJws(token)
.getBody();
}
I am unable to find out why this happen? What is the solution to get new access token using client sent refresh token.
If I don't pass token in header of /refresh request, It worked fine.
This is probably because of the JwtAuthenticationFilter. I think you should exclude also the /refresh from the check, so:
if (!request.getRequestURI().contains("/refresh") {
if (authToken != null && authToken.startsWith(BEARER_PREFIX)) {
//same logic
}
}
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments