SpringSecurity提供错误401错误凭据
我是Spring Security的新手,正在创建一个简单的应用程序来检查身份验证和授权。我正在使用内存数据库。即使我提供了正确的登录凭据,我也会收到错误401“错误凭据”错误。 我还在一些rest端点上使用了permitAll()函数,但在这些端点上也会得到登录提示。我试图清除浏览器历史记录和缓存,但也没有成功。请帮忙。我附上代码 SecurityConfig.javaSpringSecurity提供错误401错误凭据,spring,spring-boot,spring-mvc,spring-security,spring-boot-actuator,Spring,Spring Boot,Spring Mvc,Spring Security,Spring Boot Actuator,我是Spring Security的新手,正在创建一个简单的应用程序来检查身份验证和授权。我正在使用内存数据库。即使我提供了正确的登录凭据,我也会收到错误401“错误凭据”错误。 我还在一些rest端点上使用了permitAll()函数,但在这些端点上也会得到登录提示。我试图清除浏览器历史记录和缓存,但也没有成功。请帮忙。我附上代码 SecurityConfig.java package com.example.demo; import org.springframework.bean
package com.example.demo;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
//Authentication using In Memory Database
public void configureGlobal(AuthenticationManagerBuilder authenticationManagerBuilder)throws Exception{
authenticationManagerBuilder.inMemoryAuthentication()
.withUser("user").password("{noop}pass123").authorities("ROLE_USER")
.and()
.withUser("admin").password("{noop}pass123").authorities("ROLE_USER","ROLE_ADMIN");
}
//Authorization
@Override //Overriding configure to use HttpSecurity for web based HTTP requests
public void configure(HttpSecurity httpSecurity)throws Exception{
httpSecurity.
authorizeRequests()
.antMatchers("/protectedbyuserrole*").hasRole("USER")
.antMatchers("/protectedbyadminrole*").hasRole("ADMIN")
.antMatchers("/","/notprotected").permitAll()
.anyRequest().authenticated()
.and()
.httpBasic();
}
}
package com.example.demo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Import;
@SpringBootApplication
@ComponentScan({"com.example.demo","controller"})
@Import({SecurityConfig.class})
public class SpringSecurityApplication {
public static void main(String[] args) {
SpringApplication.run(SpringSecurityApplication.class, args);
}
}
package com.example.controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class TestSecurityController {
@RequestMapping("/")
public String Hello() {
return "Hello World!! ";
}
@RequestMapping("/notprotected")
public String HelloAgain() {
return "Hello from a non protected user!! ";
}
@RequestMapping("/protectedbyuserrole")
public String HelloUser() {
return "Hello User Role!! ";
}
@RequestMapping("/protectedbyadminrole")
public String HelloAdmin() {
return "Hello Admin Role!! ";
}
}
package com.example.demo;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
//Authentication using In Memory Database
public void configureGlobal(AuthenticationManagerBuilder authenticationManagerBuilder)throws Exception{
authenticationManagerBuilder.inMemoryAuthentication()
.withUser("user").password("{noop}pass123").authorities("ROLE_USER")
.and()
.withUser("admin").password("{noop}pass123").authorities("ROLE_USER","ROLE_ADMIN");
}
//Authorization
@Override //Overriding configure to use HttpSecurity for web based HTTP requests
public void configure(HttpSecurity httpSecurity)throws Exception{
httpSecurity.
authorizeRequests()
.antMatchers("/protectedbyuserrole*").hasRole("USER")
.antMatchers("/protectedbyadminrole*").hasRole("ADMIN")
.antMatchers("/","/notprotected").permitAll()
.anyRequest().authenticated()
.and()
.httpBasic();
}
}
package com.example.demo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Import;
@SpringBootApplication
@ComponentScan({"com.example.demo","controller"})
@Import({SecurityConfig.class})
public class SpringSecurityApplication {
public static void main(String[] args) {
SpringApplication.run(SpringSecurityApplication.class, args);
}
}
package com.example.controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class TestSecurityController {
@RequestMapping("/")
public String Hello() {
return "Hello World!! ";
}
@RequestMapping("/notprotected")
public String HelloAgain() {
return "Hello from a non protected user!! ";
}
@RequestMapping("/protectedbyuserrole")
public String HelloUser() {
return "Hello User Role!! ";
}
@RequestMapping("/protectedbyadminrole")
public String HelloAdmin() {
return "Hello Admin Role!! ";
}
}
package com.example.demo;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
//Authentication using In Memory Database
public void configureGlobal(AuthenticationManagerBuilder authenticationManagerBuilder)throws Exception{
authenticationManagerBuilder.inMemoryAuthentication()
.withUser("user").password("{noop}pass123").authorities("ROLE_USER")
.and()
.withUser("admin").password("{noop}pass123").authorities("ROLE_USER","ROLE_ADMIN");
}
//Authorization
@Override //Overriding configure to use HttpSecurity for web based HTTP requests
public void configure(HttpSecurity httpSecurity)throws Exception{
httpSecurity.
authorizeRequests()
.antMatchers("/protectedbyuserrole*").hasRole("USER")
.antMatchers("/protectedbyadminrole*").hasRole("ADMIN")
.antMatchers("/","/notprotected").permitAll()
.anyRequest().authenticated()
.and()
.httpBasic();
}
}
package com.example.demo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Import;
@SpringBootApplication
@ComponentScan({"com.example.demo","controller"})
@Import({SecurityConfig.class})
public class SpringSecurityApplication {
public static void main(String[] args) {
SpringApplication.run(SpringSecurityApplication.class, args);
}
}
package com.example.controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class TestSecurityController {
@RequestMapping("/")
public String Hello() {
return "Hello World!! ";
}
@RequestMapping("/notprotected")
public String HelloAgain() {
return "Hello from a non protected user!! ";
}
@RequestMapping("/protectedbyuserrole")
public String HelloUser() {
return "Hello User Role!! ";
}
@RequestMapping("/protectedbyadminrole")
public String HelloAdmin() {
return "Hello Admin Role!! ";
}
}
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.5.19.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>SpringSecurity-1</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>SpringSecurity-1</name>
<description>SpringSecurity for Authentication and Authorization</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
4.0.0
org.springframework.boot
在RequestMapping中指定特定方法(GET、POST等)是您可能需要遵循的良好实践
我分享了一个我过去做过的基本例子。
您可以在浏览器中尝试使用用户名作为myusername,密码作为mypassword
如果你仍然面临这个问题,让我知道你的邮递员截图
@Override
public void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.inMemoryAuthentication()
.withUser("myusername")
.password("mypassword")
.roles("USER");
}
编辑
映射使用以下规则匹配URL:
- ??匹配一个字符
- 匹配零个或多个字符
- **匹配路径中的零个或多个目录
{spring:[a-z]+}匹配regexp[a-z]+作为名为“spring”的路径变量
你能发布你的pom/构建文件吗?请检查。我已经更新了我的POM文件。除了已回答的问题之外,在您的邮递员屏幕截图中,您使用了用户名user123
和密码pass
,但在安全配置中,您有用户名user
和密码pass123
,因此这些也不匹配。用户名和密码不同,因为我更改了凭据以进行检查。请不要破坏您的帖子。您可以删除一些与问题无关的代码。但请编辑它,使其不会使下面提供的答案无效。根据SE政策,任何故意破坏行为都将恢复原状。如果您想解除此帖子与您的帐户的关联,请参阅HttpSecurity代码块(第二个)中的。我是否应该将.antMatchers(HttpMethod.GET,“/user/**”)中的“/user/**”替换为.antMatchers(HttpMethod.GET,“/protectedbyuser/**”)。根据我的上述代码逻辑,hasAnyRole(“ADMIN”,“user”)替换为.antMatchers(HttpMethod.GET,“/protectedbyuser/**”)。hasAnyRole(“ADMIN”,“user”)?我试图改变这种方式,但现在我得到错误403访问被拒绝,而不是错误401坏凭据。请根据我的程序帮助我进行哪些更改。是的,您可以根据自己的要求编写任何请求名称,但最好的做法是使用用户。因此,现在凭据是有效的,您将获得403禁止。做一件事,在浏览器中使用相同的凭据登录,而不是使用邮递员成功登录后尝试使用邮递员请共享您的邮递员屏幕快照然后我认为我需要相应地更改我的REST端点的名称,因为从我的代码中可以看到,目前我已将protectedbyuser添加为端点,而不仅仅是用户。我只是把它用于测试目的。我无法在这里添加截图,所以我添加了关于主要问题的邮递员截图。请检查。查看编辑并使用您的用户管理员凭据登录所有访问权限,以及使用您的用户凭据登录有限访问权限。在您编写的不同antmatcher查询中,应该使用哪个HTTP方法登录?得到还是邮寄?我很困惑,因为这里我们没有向DB发布任何内容,因此没有发布点。我错了吗?