Java 根据Spring Security Rest API从Android设备进行身份验证
我有一个带有REST-API的SPRING后端。它由用户名和密码保护。当我首先用pc浏览器打开它时,会显示登录屏幕,在添加凭据后,我可以流畅地访问api 当我通过安卓应用程序尝试同样的方法时,每次登录屏幕都会显示我的信息。为了在Android端进行身份验证,我使用了一个RESTAPI请求,默认情况下该请求是可访问的。 内部Android应用程序浏览器是否与存储会话cookie不兼容?每次创建新的HTTP会话时。我用截击来回应请求 spring-security.xmlJava 根据Spring Security Rest API从Android设备进行身份验证,java,android,spring,rest,spring-mvc,Java,Android,Spring,Rest,Spring Mvc,我有一个带有REST-API的SPRING后端。它由用户名和密码保护。当我首先用pc浏览器打开它时,会显示登录屏幕,在添加凭据后,我可以流畅地访问api 当我通过安卓应用程序尝试同样的方法时,每次登录屏幕都会显示我的信息。为了在Android端进行身份验证,我使用了一个RESTAPI请求,默认情况下该请求是可访问的。 内部Android应用程序浏览器是否与存储会话cookie不兼容?每次创建新的HTTP会话时。我用截击来回应请求 spring-security.xml <http
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/api/user/login" access="permitAll" /> <!--IS_AUTHENTICATED_ANONYMOUSLY-->
<intercept-url pattern="/admin/**" access="hasAnyRole('ROLE_ADMIN','ROLE_GROUP_LEADER')" />
<intercept-url pattern="/api/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN','ROLE_GROUP_LEADER')" />
<form-login
login-page="/login"
default-target-url="/admin"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password"
/>
<access-denied-handler error-page="/403" />
<logout logout-success-url="/login?logout" />
</http>
<authentication-manager alias="authManager">
<authentication-provider >
<password-encoder ref="encoder" />
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query=
"select username,password, enabled from user where username=?"
authorities-by-username-query=
"select username, name as role from role r,user u where u.role_id = r.id and username =? " />
</authentication-provider>
</authentication-manager>
Spring安全调试
************************************************************
Request received for POST '/api/user/create':
org.apache.catalina.connector.RequestFacade@36dc8ced
servletPath:/api/user/create
pathInfo:null
headers:
if-modified-since: Sat, 03 Jan 2015 12:35:50 GMT+00:00
content-type: application/json; charset=utf-8
user-agent: Dalvik/1.6.0 (Linux; U; Android 4.0.4; GT-P7100 Build/IMM76D)
host: 192.168.178.36:8088
connection: Keep-Alive
accept-encoding: gzip
content-length: 124
Security filter chain: [
SecurityContextPersistenceFilter
WebAsyncManagerIntegrationFilter
LogoutFilter
UsernamePasswordAuthenticationFilter
BasicAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
2015-01-03 13:53:46 INFO Spring Security Debugger:39 -
************************************************************
New HTTP session created: A430DD754F7F6E466D07B10D1DDCCEF7
Call stack:
at org.springframework.security.web.debug.Logger.info(Logger.java:29)
at org.springframework.security.web.debug.DebugRequestWrapper.getSession(DebugFilter.java:144)
at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:238)
at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:238)
at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:238)
at org.springframework.security.web.savedrequest.HttpSessionRequestCache.saveRequest(HttpSessionRequestCache.java:40)
at org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:184)
at org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:168)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:131)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.security.web.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:70)
at org.springframework.security.web.debug.DebugFilter.doFilter(DebugFilter.java:59)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:136)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:74)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1015)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:652)
at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1575)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1533)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:722)
************************************************************
2015-01-03 13:53:46 INFO Spring Security Debugger:39 -
************************************************************
Request received for GET '/login':
org.apache.catalina.connector.RequestFacade@36dc8ced
servletPath:/login
pathInfo:null
headers:
if-modified-since: Sat, 03 Jan 2015 12:35:50 GMT+00:00
content-type: application/json; charset=utf-8
user-agent: Dalvik/1.6.0 (Linux; U; Android 4.0.4; GT-P7100 Build/IMM76D)
host: 192.168.178.36:8088
connection: Keep-Alive
accept-encoding: gzip
Security filter chain: [
SecurityContextPersistenceFilter
WebAsyncManagerIntegrationFilter
LogoutFilter
UsernamePasswordAuthenticationFilter
BasicAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
MonitorFilter::WARNING: the monitor filter must be the first filter in the chain.
截击
CookieManager manager = new CookieManager();
CookieHandler.setDefault( manager );
mQueue = Volley.newRequestQueue(context);
我怀疑问题可能是您正在实现自己的自定义身份验证控制器端点,而不是使用完整的spring安全链 根据您的xml配置,在所有请求上仍会调用正常的筛选器链,但只需在控制器中调用authenticate()方法就可以做到这一点,而不会调用其余的身份验证成功处理程序(例如,您实际上不会使用adhoc controller身份验证在响应上设置cookie) 测试这一点最简单的方法就是直接卷曲url,或者使用postman(RESTAPI的chrome插件)之类的工具来测试api身份验证端点,并查看是否在响应上设置了CookeI 如果您可以控制服务器端代码(例如,您可以更改它,而不仅仅是在android应用程序上工作),以下是一些想法:
- 我会避免使用自定义的身份验证端点,并尝试手动实现安全性—spring security在这方面非常擅长
- 假设您不想使用oauth以及API解决方案的复杂性,那么请看一看。这与您采取的方法类似,但对于登录,您只需在android应用程序中嵌入一个web视图,并使用它让用户直接登录到标准的spring安全表单上(因此可以利用spring安全默认行为,例如cookies等),然后在应用程序中,您只需从web响应中获取一个用户令牌,然后将其存储在所有API请求中,作为请求头使用(因此用户不必一直登录移动应用程序)
尝试了你的建议,并使其生效 在我检查了后端是否传输了所需的cookie之后,我调整了volley,以便它存储传输的cookie,并在每次请求之后将其作为令牌重新传输。cookie存储在首选项中
public GsonRequest(...)
.....
if(PreferencesManager.getInstance().getSessionCookie()!=null)
this.headers.put("Cookie", "JSESSIONID="+ PreferencesManager.getInstance().getSessionCookie());
@Override
protected Response<T> parseNetworkResponse(NetworkResponse response) {
String cookie = MyApp.get().checkSessionCookie(response.headers);
PreferencesManager.getInstance().setSessionCookie(cookie);
.....
}
publicgsonrequest(…)
.....
if(PreferencesManager.getInstance().getSessionCookie()!=null)
this.headers.put(“Cookie”、“JSSessionId=“+PreferencesManager.getInstance().getSessionCookie());
@凌驾
受保护的响应parseNetworkResponse(NetworkResponse响应){
字符串cookie=MyApp.get().checkSessionCookie(response.headers);
PreferencesManager.getInstance().setSessionCookie(cookie);
.....
}
如vmirinov所述,进行了滑动修改
public final String checkSessionCookie(Map<String, String> headers) {
if (headers.containsKey(SET_COOKIE_KEY)
&& headers.get(SET_COOKIE_KEY).toLowerCase().contains(SESSION_COOKIE)) {
String cookie = headers.get(SET_COOKIE_KEY);
if (cookie.length() > 0) {
String[] splitCookie = cookie.split(";");
String[] splitSessionId = splitCookie[0].split("=");
cookie = splitSessionId[1];
SharedPreferences.Editor prefEditor = _preferences.edit();
prefEditor.putString(SESSION_COOKIE, cookie);
prefEditor.commit();
return cookie;
}
}
return "";
}
public最终字符串检查sessionokie(映射头){
if(headers.containsKey(SET_COOKIE_KEY)
&&headers.get(SET_COOKIE_KEY).toLowerCase()包含(SESSION_COOKIE)){
字符串cookie=headers.get(设置cookie\u键);
如果(cookie.length()>0){
String[]splitCookie=cookie.split(;);
字符串[]splitSessionId=splitCookie[0]。拆分(“”);
cookie=splitSessionId[1];
SharedReferences.Editor prefEditor=_preferences.edit();
putString(会话_COOKIE,COOKIE);
提交();
返回cookie;
}
}
返回“”;
}
我尝试了邮递员插件。该登录在chrome fluendly上使用我编写的代码工作。因此,安全链似乎是正确的。即使我跳过了.authenticate部分,它似乎也能在pc端工作。我会试试你的其他建议。Cookie获取并发回API登录在chrome上工作?(例如,注销/清除浏览器Cookie,然后向rest API发出请求,将您需要的任何凭据传入该API请求?)您如何将登录凭据传入API身份验证?您是否使用用户名/密码将表单发布到API?我遵循您的建议,并尝试使用postmann。我注销/清除浏览器缓存,发出post请求,并得到一个返回cookie的响应。之后,我可以使用api和管理后端。它是一个带有用户名和密码的post请求,发送到api并通过上面的代码进行验证。在使用密码123(内部编码)的示例中。json看起来像{“username”:“…”,“password”:“…”},并返回一个类似“successfull”的字符串和一个类似于A13B1D3300B6B7D48ACC4626966872AE的JSESSIONID作为CookieInterest-我仍然会避免在控制器中使用定制的身份验证方法,但是,如果该控制器仍然在浏览器中正确提供cookie,那么问题一定出在android应用程序中。你看过这个关于HttpStack的问题了吗?所有的设置都正确吗?
public final String checkSessionCookie(Map<String, String> headers) {
if (headers.containsKey(SET_COOKIE_KEY)
&& headers.get(SET_COOKIE_KEY).toLowerCase().contains(SESSION_COOKIE)) {
String cookie = headers.get(SET_COOKIE_KEY);
if (cookie.length() > 0) {
String[] splitCookie = cookie.split(";");
String[] splitSessionId = splitCookie[0].split("=");
cookie = splitSessionId[1];
SharedPreferences.Editor prefEditor = _preferences.edit();
prefEditor.putString(SESSION_COOKIE, cookie);
prefEditor.commit();
return cookie;
}
}
return "";
}