Digest authentication with Spring Security using javaconfig


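So, after trying to translate the XML "requirements" into Java requirements, I am trying to create digest authentication with Spring.

Let's say we have XML like this in the documentation: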

<bean id="digestFilter" class=
    "org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
  <property name="userDetailsService" ref="jdbcDaoImpl"/>
  <property name="authenticationEntryPoint" ref="digestEntryPoint"/>
  <property name="userCache" ref="userCache"/>
</bean>

<bean id="digestEntryPoint" class=
    "org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
  <property name="realmName" value="Contacts Realm via Digest Authentication"/>
  <property name="key" value="acegi"/>
  <property name="nonceValiditySeconds" value="10"/>
</bean>
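I just get 403 - Access Denied.
It works with httpBasic. Can you tell me what I am missing?

I'm not sure when you get the 403 access denied, but if it happens when you request a protected resource before you are authenticated, then you need: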

@Override
protected void configure (HttpSecurity http) throws Exception
{
  http
      .exceptionHandling()
          // this entry point handles when you request a protected page and
          // you are not yet authenticated
          .authenticationEntryPoint(digestEntryPoint())
          .and()
      .authorizeUrls()
          .antMatchers("/firstres/*").permitAll()
          .antMatchers("/secondres/*").permitAll()
          .antMatchers("/resources/*").permitAll()
          .antMatchers("/**").hasAnyAuthority("first_role", "second_role").and()
      // the entry point on digest filter is used for failed authentication attempts
      .addFilter(digestAuthenticationFilter(digestEntryPoint()));
}

@Override
@Bean
public UserDetailsService userDetailsServiceBean() {
    return super.userDetailsServiceBean();
}

public DigestAuthenticationFilter digestAuthenticationFilter (
    DigestAuthenticationEntryPoint digestAuthenticationEntryPoint)
{
  DigestAuthenticationFilter digestAuthenticationFilter = new DigestAuthenticationFilter();
  digestAuthenticationFilter.setAuthenticationEntryPoint(digestAuthenticationEntryPoint);
  digestAuthenticationFilter.setUserDetailsService(userDetailsServiceBean());
  return digestAuthenticationFilter;
}

Hi Rob. With your code I get the pop-up, but when I access I get a NullPointerException at org.springframework.security.web.authentication.www.DigestAuthenticationFilter.doFilter(DigestAuthenticationFilter.java:144). This is userDetailService.loadByUsername. If you look at my code, it is the commented-out part. What should I pass to setAuthenticationDetailsSource?

It is not AuthenticationDetailsSource, but UserDetailsService. You need to override the userDetailsServiceBean method and expose it as a bean. Then you can reference it in your configuration. See my update for details.

Don't use digest authentication. Its security is weak to begin with, but most importantly it requires the server to store the password material as-is (if your server is compromised, an attacker can log in as any user).
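To make the last comment concrete, here is an added example (not from the original thread and not Spring Security code) of how a server checks an RFC 2617 digest response. The only per-user secret the check needs is HA1 = MD5(username:realm:password), so that stored value has to be protected like the password itself. The function names are hypothetical; the sample header values are the worked example from RFC 2617, section 3.5.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """Value a digest server must keep per user (or the plaintext itself)."""
    return md5_hex(f"{username}:{realm}:{password}")


def expected_response(stored_ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth, computed from HA1 only."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(stored_ha1, method, header):
    """Server-side check of an already parsed Authorization header (dict)."""
    want = expected_response(stored_ha1, method, header["uri"], header["nonce"],
                             header["nc"], header["cnonce"], header["qop"])
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(want, header["response"])


# Sample values taken from the worked example in RFC 2617, section 3.5.
# The store holds HA1, not the password, yet HA1 is all verify() needs.
CREDENTIAL_STORE = {
    "Mufasa": ha1("Mufasa", "testrealm@host.com", "Circle Of Life"),
}
SAMPLE_HEADER = {
    "username": "Mufasa", "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "uri": "/dir/index.html",
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    stored = CREDENTIAL_STORE[SAMPLE_HEADER["username"]]
    print("response accepted:", verify(stored, "GET", SAMPLE_HEADER))
```

Because the server has to recompute the response, it cannot keep only a salted one-way password hash (bcrypt, PBKDF2 and similar): HA1 cannot be derived from such a hash.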