Java Spring内存中的安全身份验证不起作用_Java_Spring Boot_Rest_Spring Security

Java Spring内存中的安全身份验证不起作用

java spring-boot rest spring-security

Java Spring内存中的安全身份验证不起作用,java,spring-boot,rest,spring-security,Java,Spring Boot,Rest,Spring Security,我正在尝试使用带有预定义用户id和密码的spring security来实现内存内身份验证。我使用基本HTTP身份验证，并以“userId:password”的形式将用户id和密码组合作为头发送（为了简单起见，我忽略了上述头的编码）下面是我试图实现SpringSecurity的一个剩余端点 @RequestMapping(value = "/course", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_V

我正在尝试使用带有预定义用户id和密码的spring security来实现内存内身份验证。我使用基本HTTP身份验证，并以“userId:password”的形式将用户id和密码组合作为头发送（为了简单起见，我忽略了上述头的编码）

下面是我试图实现SpringSecurity的一个剩余端点

@RequestMapping(value = "/course", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)
 public ResponseEntity<ApiResponse> addCourse(@RequestBody Course course) {
   return new ResponseEntity<ApiResponse>(new ApiResponse(HttpStatus.OK.value(), null), HttpStatus.OK);
 }

下面是我已经配置的websecurity配置文件

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication()
        .withUser("john_doe")
        .password("student_password")
        .authorities("ROLE_STUDENT_USER")
        .and()
        .withUser("jane_doe")
        .password("admin_password")
        .authorities("ROLE_OFFICE_ADMIN");
  }

  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication()
        .withUser("john_doe")
        .password("student_password")
        .authorities("ROLE_STUDENT_USER")
        .and()
        .withUser("jane_doe")
        .password("admin_password")
        .authorities("ROLE_OFFICE_ADMIN");
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic()
        .and()
        .authorizeRequests()
        .antMatchers(HttpMethod.POST, "/course")
        .hasAuthority("ROLE_OFFICE_ADMIN")
        .antMatchers(HttpMethod.POST, "/student")
        .hasAnyAuthority("ROLE_OFFICE_ADMIN", "ROLE_STUDENT_USER")
        .antMatchers(HttpMethod.GET, "/**")
        .permitAll()
        .anyRequest()
        .authenticated()
        .and()
        .exceptionHandling()
        .accessDeniedHandler(accessDeniedHandler())
        .authenticationEntryPoint(authenticationEntryPoint());
  }

  @Bean
  RestAccessDeniedHandler accessDeniedHandler() {
    return new RestAccessDeniedHandler();
  }

  @Bean
  RestAuthenticationEntryPoint authenticationEntryPoint() {
    return new RestAuthenticationEntryPoint();
  }
}

AuthenticationEntryPoint实现类

@Component
public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {

  @Override
  public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e)
      throws IOException, ServletException {
    ApiResponse response = new ApiResponse(HttpStatus.UNAUTHORIZED.value(),
        "Authentication Failure-The user name and password combination is incorrect");
    OutputStream out = httpServletResponse.getOutputStream();
    ObjectMapper mapper = new ObjectMapper();
    mapper.writeValue(out, response);
    out.flush();
  }


@Component
public class RestAccessDeniedHandler implements AccessDeniedHandler {
  @Override
  public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException e)
      throws IOException, ServletException {
    ApiResponse apiResponse = new ApiResponse(HttpStatus.FORBIDDEN.value(),
        "Authorization Failure-This user does not have the sufficient level of access");
    OutputStream out = httpServletResponse.getOutputStream();
    ObjectMapper mapper = new ObjectMapper();
    mapper.writeValue(out, apiResponse);
    out.flush();
  }

AccessDenied处理程序实现类

@Component
public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {

  @Override
  public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e)
      throws IOException, ServletException {
    ApiResponse response = new ApiResponse(HttpStatus.UNAUTHORIZED.value(),
        "Authentication Failure-The user name and password combination is incorrect");
    OutputStream out = httpServletResponse.getOutputStream();
    ObjectMapper mapper = new ObjectMapper();
    mapper.writeValue(out, response);
    out.flush();
  }


@Component
public class RestAccessDeniedHandler implements AccessDeniedHandler {
  @Override
  public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException e)
      throws IOException, ServletException {
    ApiResponse apiResponse = new ApiResponse(HttpStatus.FORBIDDEN.value(),
        "Authorization Failure-This user does not have the sufficient level of access");
    OutputStream out = httpServletResponse.getOutputStream();
    ObjectMapper mapper = new ObjectMapper();
    mapper.writeValue(out, apiResponse);
    out.flush();
  }

使用的maven依赖项包括：

Spring启动版本-2.2.1.0版本

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
            <version>2.2.1.RELEASE</version>
        </dependency>


org.springframework.boot
弹簧启动安全
2.2.1.发布

我注意到上述配置的问题是，传入请求的身份验证没有完成，即使请求包含正确的/in-correct userId:password头值。

有人能指出我做错了什么吗？

您应该提供一个密码编码器，或者定义bean

@Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

或者在密码前面键入{noop}，如下所示

.withUser("john_doe")
        .password("{noop}student_password")

希望这有帮助