Java Spring内存中的安全身份验证不起作用
我正在尝试使用带有预定义用户id和密码的spring security来实现内存内身份验证。我使用基本HTTP身份验证,并以“userId:password”的形式将用户id和密码组合作为头发送(为了简单起见,我忽略了上述头的编码) 下面是我试图实现SpringSecurity的一个剩余端点Java Spring内存中的安全身份验证不起作用,java,spring-boot,rest,spring-security,Java,Spring Boot,Rest,Spring Security,我正在尝试使用带有预定义用户id和密码的spring security来实现内存内身份验证。我使用基本HTTP身份验证,并以“userId:password”的形式将用户id和密码组合作为头发送(为了简单起见,我忽略了上述头的编码) 下面是我试图实现SpringSecurity的一个剩余端点 @RequestMapping(value = "/course", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_V
@RequestMapping(value = "/course", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)
public ResponseEntity<ApiResponse> addCourse(@RequestBody Course course) {
return new ResponseEntity<ApiResponse>(new ApiResponse(HttpStatus.OK.value(), null), HttpStatus.OK);
}
下面是我已经配置的websecurity配置文件
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("john_doe")
.password("student_password")
.authorities("ROLE_STUDENT_USER")
.and()
.withUser("jane_doe")
.password("admin_password")
.authorities("ROLE_OFFICE_ADMIN");
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("john_doe")
.password("student_password")
.authorities("ROLE_STUDENT_USER")
.and()
.withUser("jane_doe")
.password("admin_password")
.authorities("ROLE_OFFICE_ADMIN");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic()
.and()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/course")
.hasAuthority("ROLE_OFFICE_ADMIN")
.antMatchers(HttpMethod.POST, "/student")
.hasAnyAuthority("ROLE_OFFICE_ADMIN", "ROLE_STUDENT_USER")
.antMatchers(HttpMethod.GET, "/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.exceptionHandling()
.accessDeniedHandler(accessDeniedHandler())
.authenticationEntryPoint(authenticationEntryPoint());
}
@Bean
RestAccessDeniedHandler accessDeniedHandler() {
return new RestAccessDeniedHandler();
}
@Bean
RestAuthenticationEntryPoint authenticationEntryPoint() {
return new RestAuthenticationEntryPoint();
}
}
AuthenticationEntryPoint实现类
@Component
public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e)
throws IOException, ServletException {
ApiResponse response = new ApiResponse(HttpStatus.UNAUTHORIZED.value(),
"Authentication Failure-The user name and password combination is incorrect");
OutputStream out = httpServletResponse.getOutputStream();
ObjectMapper mapper = new ObjectMapper();
mapper.writeValue(out, response);
out.flush();
}
@Component
public class RestAccessDeniedHandler implements AccessDeniedHandler {
@Override
public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException e)
throws IOException, ServletException {
ApiResponse apiResponse = new ApiResponse(HttpStatus.FORBIDDEN.value(),
"Authorization Failure-This user does not have the sufficient level of access");
OutputStream out = httpServletResponse.getOutputStream();
ObjectMapper mapper = new ObjectMapper();
mapper.writeValue(out, apiResponse);
out.flush();
}
AccessDenied处理程序实现类
@Component
public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e)
throws IOException, ServletException {
ApiResponse response = new ApiResponse(HttpStatus.UNAUTHORIZED.value(),
"Authentication Failure-The user name and password combination is incorrect");
OutputStream out = httpServletResponse.getOutputStream();
ObjectMapper mapper = new ObjectMapper();
mapper.writeValue(out, response);
out.flush();
}
@Component
public class RestAccessDeniedHandler implements AccessDeniedHandler {
@Override
public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException e)
throws IOException, ServletException {
ApiResponse apiResponse = new ApiResponse(HttpStatus.FORBIDDEN.value(),
"Authorization Failure-This user does not have the sufficient level of access");
OutputStream out = httpServletResponse.getOutputStream();
ObjectMapper mapper = new ObjectMapper();
mapper.writeValue(out, apiResponse);
out.flush();
}
使用的maven依赖项包括:
Spring启动版本-2.2.1.0版本
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>2.2.1.RELEASE</version>
</dependency>
org.springframework.boot
弹簧启动安全
2.2.1.发布
我注意到上述配置的问题是,传入请求的身份验证没有完成,即使请求包含正确的/in-correct userId:password头值。
有人能指出我做错了什么吗?您应该提供一个密码编码器,或者定义bean
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
或者在密码前面键入{noop},如下所示
.withUser("john_doe")
.password("{noop}student_password")
希望这有帮助