My api/login POST is unauthorized on Grails 3 with Spring Security
I am trying to implement a simple Grails RESTful API using access_token authorization. I followed an example from a tutorial, but in this case I cannot continue because my localhost:8080/api/login URL (the one I should use to obtain the access_token) does not work.

I first created the Grails 3 API as follows:
    grails create-app --profile rest-api --features hibernate5,json-views,security
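Here are my security domain classes:
I have not touched them; they were created by the Spring Security s2-quickstart coopoliva.backend.security User Role command.
Here is my application configuration: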
    grails.plugin.springsecurity.filterChain.chainMap = [
        //Stateless chain
        [
            pattern: '/**',
            filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
        ],
        //Traditional, stateful chain
        [
            pattern: '/stateful/**',
            filters: 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter'
        ]
    ]

    // Added by the Spring Security Core plugin:
    grails.plugin.springsecurity.userLookup.userDomainClassName = 'coopoliva.backend.security.User'
    grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'coopoliva.backend.security.UserRole'
    grails.plugin.springsecurity.authority.className = 'coopoliva.backend.security.Role'
    grails.plugin.springsecurity.controllerAnnotations.staticRules = [
        [pattern: '/',               access: ['permitAll']],
        [pattern: '/error',          access: ['permitAll']],
        [pattern: '/index',          access: ['permitAll']],
        [pattern: '/index.gsp',      access: ['permitAll']],
        [pattern: '/shutdown',       access: ['permitAll']],
        [pattern: '/assets/**',      access: ['permitAll']],
        [pattern: '/**/js/**',       access: ['permitAll']],
        [pattern: '/**/css/**',      access: ['permitAll']],
        [pattern: '/**/images/**',   access: ['permitAll']],
        [pattern: '/**/favicon.ico', access: ['permitAll']],
        [pattern: '/api/rest',       access: ['permitAll']]
    ]

    grails.plugin.springsecurity.filterChain.chainMap = [
        [pattern: '/assets/**',      filters: 'none'],
        [pattern: '/**/js/**',       filters: 'none'],
        [pattern: '/**/css/**',      filters: 'none'],
        [pattern: '/**/images/**',   filters: 'none'],
        [pattern: '/**/favicon.ico', filters: 'none'],
        [pattern: '/**',             filters: 'JOINED_FILTERS']
    ]
So I created a couple of users in BootStrap as follows:
    def init = { servletContext ->
        def adminUser = new User(username: "adminuser",
                password: "1234", enabled: true);
        adminUser.save(flush:true)
        def userUser = new User(username: "useruser",
                password: "1234", enabled: true);
        userUser.save(flush:true)
        def userRole = Role.findByAuthority("ROLE_USER") ?: new Role("ROLE_USER")
        def adminRole = Role.findByAuthority("ROLE_ADMIN") ?: new Role("ROLE_ADMIN")
        userRole.save(flush:true)
        adminRole.save(flush:true)
        UserRole.create(adminUser, adminRole)
        UserRole.create(userUser, userRole)
    }
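So, in theory, if I send a POST request with the credentials username: "useruser", password: "1234", it should work.
However, this is what happens:
401 Unauthorized
So... why does this happen? I just need the access token so that I can pass it along with all my other requests.
Thanks in advance.

You need to permit access to your login URL: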
    [pattern: '/api/login/**', access: ['permitAll']]
Also, the configuration for grails.plugin.springsecurity.filterChain.chainMap is duplicated.

Found the problem.
These passwords:
    def adminUser = new User(username: "adminuser",
            password: "1234", enabled: true);
    adminUser.save(flush:true)
    def userUser = new User(username: "useruser",
            password: "1234", enabled: true);
    userUser.save(flush:true)
are not passwords encoded by the Spring Security service, so they will not be correct at login.
This is the correct way to add the users:
    def adminUser = new User(username: "adminuser",
            password: springSecurityService.encodePassword("1234"), enabled: true);
    adminUser.save(flush:true)
    def userUser = new User(username: "useruser",
            password: springSecurityService.encodePassword("1234"), enabled: true);
    userUser.save(flush:true)
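Thanks, everyone, for the help.

I think @sudhir's is the correct answer. You can check this repo from Alvaro Sanchez, which uses spring security rest.

I tried both approaches, but the result is the same... I added [pattern: '/api/**', access: ['permitAll']] to staticRules and [pattern: '/api/**', filters: 'JOINED_FILTERS'] to chainMap, with no success.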
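
The first answer's remark about the duplicated chainMap, as an added example that is not part of the original posts: in a Groovy config script a second assignment to the same key replaces the first, and within one chainMap the first matching pattern wins, so anything listed after '/**' is never reached. The helper names and the merged layout are assumptions for illustration; the config text is constructed from the question's settings.

```groovy
// Added example, not code from the original posts.
// Filter strings are copied from the question's application config.
String STATELESS = 'JOINED_FILTERS,-anonymousAuthenticationFilter,' +
        '-exceptionTranslationFilter,-authenticationProcessingFilter,' +
        '-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
String STATEFUL = 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter'

// Hypothetical helper: parse config text the way a Groovy config script is
// evaluated and return the chainMap that is actually in effect.
List effectiveChainMap(String text) {
    new ConfigSlurper().parse(text).grails.plugin.springsecurity.filterChain.chainMap
}

// Hypothetical helper: patterns listed after the catch-all '/**' can never match.
List unreachable(List chains) {
    int catchAll = chains.findIndexOf { it.pattern == '/**' }
    catchAll < 0 ? [] : chains.drop(catchAll + 1)*.pattern
}

// Constructed input: the two assignments from the question (static-resource rules shortened).
String asPosted = """
grails.plugin.springsecurity.filterChain.chainMap = [
    [pattern: '/**',          filters: '${STATELESS}'],
    [pattern: '/stateful/**', filters: '${STATEFUL}']
]
grails.plugin.springsecurity.filterChain.chainMap = [
    [pattern: '/assets/**', filters: 'none'],
    [pattern: '/**',        filters: 'JOINED_FILTERS']
]
"""
def posted = effectiveChainMap(asPosted)
// Only the second assignment survives, so the stateless chain is gone.
assert posted*.pattern == ['/assets/**', '/**']
assert posted.find { it.pattern == '/**' }.filters == 'JOINED_FILTERS'

// The first assignment on its own has an ordering problem as well.
String firstOnly = asPosted.substring(0, asPosted.lastIndexOf('grails.plugin'))
assert unreachable(effectiveChainMap(firstOnly)) == ['/stateful/**']

// One possible merge (an assumption about the intended layout): a single
// assignment, most specific patterns first, catch-all last.
String merged = """
grails.plugin.springsecurity.filterChain.chainMap = [
    [pattern: '/assets/**',   filters: 'none'],
    [pattern: '/stateful/**', filters: '${STATEFUL}'],
    [pattern: '/**',          filters: '${STATELESS}']
]
"""
def fixed = effectiveChainMap(merged)
assert fixed*.pattern == ['/assets/**', '/stateful/**', '/**']
assert unreachable(fixed).isEmpty()
```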