我一直在尝试遵循本教程:
https://www.baeldung.com/spring-security-basic-authentication
我创建了几个这样的休息端点:
@RestController
public class PostController {
@Autowired
PostCommentService postCommentService;
@Autowired
PostService postService;
@GetMapping("/comment")
public PostComment getComment(@RequestParam Long id) {
return postCommentService.findPostCommentById(id);
}
@PostMapping("/createPost")
public void createPost(@RequestBody PostDTO body){
postService.createPost(body);
}
}
现在为了安全起见,我像这样使用 spring:
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.2.RELEASE</version>
<relativePath/>
</parent>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
这是 Spring Security 的配置类:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private MyBasicAuthenticationEntryPoint authenticationEntryPoint;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers( "/comment").permitAll()
.anyRequest().authenticated()
.and()
.httpBasic()
.authenticationEntryPoint(authenticationEntryPoint);
http.addFilterAfter(new CustomFilter(),
BasicAuthenticationFilter.class);
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password(passwordEncoder().encode("password"))
.authorities("ROLE_USER");
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
CustomFilter 看起来像这样:
public class CustomFilter extends GenericFilterBean {
@Override
public void doFilter(
ServletRequest request,
ServletResponse response,
FilterChain chain) throws IOException, ServletException {
chain.doFilter(request, response);
}
}
这是 AuthenticationEntryPoint:
@Component
public class MyBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authEx)
throws IOException {
response.addHeader("WWW-Authenticate", "Basic realm= + getRealmName() + ");
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
PrintWriter writer = response.getWriter();
writer.println("HTTP Status 401 - " + authEx.getMessage());
}
@Override
public void afterPropertiesSet(){
setRealmName("spring");
super.afterPropertiesSet();
}
}
现在的问题是,每当我尝试发送 POST 请求时,我最终都会收到此错误消息:
HTTP 状态 401 - 访问此资源需要完全身份验证
我尝试了两种发送请求的方法,一种是通过邮递员
第二个通过 curl:
curl -i --user admin:password --request POST --data {"text":"this is a new Post"} http://localhost:8080/createPost
我在这里不知所措,因此需要创建这篇文章。任何帮助都感激不尽。
这是 curl 响应,以防它可能阐明问题:
1.1 401 Set-Cookie:JSESSIONID=6FE84B06E90BE7F2348C0935FE3DA971;路径=/;HttpOnly X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY WWW-Authenticate: Basic realm= + getRealmName() + 内容长度:75 日期:2020 年 9 月 10 日星期四 13:47:14 GMT
HTTP 状态 401 - 访问此资源需要完全身份验证
发生这种情况是因为 Spring Security 默认启用了 CSRF 保护(并且有充分的理由)。您可以在此处阅读有关跨站点请求伪造的信息。在您的情况下, CsrfFilter 检测到缺少或无效的 CSRF 令牌,您将收到 401 响应。使您的示例工作的最简单方法是在您的安全配置中禁用 csrf-ing,但是,当然,您不应该在实际应用程序中这样做。
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.authorizeRequests()
.antMatchers( "/comment").permitAll()
.anyRequest().authenticated()
.and()
.httpBasic()
.authenticationEntryPoint(authenticationEntryPoint);
http.addFilterAfter(new CustomFilter(),
BasicAuthenticationFilter.class);
}
本文收集自互联网,转载请注明来源。
如有侵权,请联系 [email protected] 删除。
我来说两句