我有Spring WS的SOAP模拟服务。我正在尝试添加基本的http身份验证。我使用这种web服务配置:
@EnableWs
@Configuration
public class WebServiceConfig extends WsConfigurerAdapter {
@Bean
public ServletRegistrationBean messageDispatcherServlet(ApplicationContext applicationContext) {
MessageDispatcherServlet servlet = new MessageDispatcherServlet();
servlet.setApplicationContext(applicationContext);
return new ServletRegistrationBean(servlet);
}
@Bean(name = "cards")
public Wsdl11Definition wsdlDefinition() {
SimpleWsdl11Definition wsdl11Definition = new SimpleWsdl11Definition();
wsdl11Definition.setWsdl(new ClassPathResource("cards.wsdl"));
return wsdl11Definition;
}
}
而这种弹簧安全配置:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests().anyRequest().authenticated()
.and().httpBasic()
.and().authorizeRequests().antMatchers("*.wsdl").permitAll();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
但是当我运行spring-boot并将请求发送到服务时,即使没有身份验证,它也会返回响应。我配置错了什么?
upd:如果我运行spring-boot并对配置进行以下更改:
//@EnableWs
@Configuration
public class WebServiceConfig extends WsConfigurerAdapter {
//@Bean
//public ServletRegistrationBean messageDispatcherServlet(ApplicationContext applicationContext) {
// MessageDispatcherServlet servlet = new MessageDispatcherServlet();
// servlet.setApplicationContext(applicationContext);
// return new ServletRegistrationBean(servlet);
//}
@Bean(name = "cards")
public Wsdl11Definition wsdlDefinition() {
SimpleWsdl11Definition wsdl11Definition = new SimpleWsdl11Definition();
wsdl11Definition.setWsdl(new ClassPathResource("cards.wsdl"));
return wsdl11Definition;
}
}
它工作正常(要求auth请求)但url映射更改为[/ services / *],这是我不希望的映射。对不起,我是Spring的新手。
尝试,
正如@denium所指出的那样
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.antMatchers("*.wsdl").permitAll()
.anyRequest().authenticated().hasRole("USER")
.and().httpBasic();
}
我刚刚遇到同样的问题而且有我的解决方案。代码中的permitAll()应用于已经过身份验证的用户,您需要使用方法configure(WebSecurity Web)将URL添加到忽略列表中。而且我认为过滤“* .wsdl”并不适用,我使用“/**/*.wsdl”
有我工作的WebSecurityConfig类
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
//Enforce basic auth
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.httpBasic()
.and().authorizeRequests().anyRequest().authenticated();
}
//Ignore basic auth for WSDL URL
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/**/*.wsdl");
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
//TODO - do parametru
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
只需复制粘贴此代码您的“WebServiceConfig”类
@Bean
public SimplePasswordValidationCallbackHandler securityCallbackHandler() {
SimplePasswordValidationCallbackHandler callbackHandler = new SimplePasswordValidationCallbackHandler();
Properties users = new Properties();
users.setProperty("AAA", "BBB");
callbackHandler.setUsers(users);
return callbackHandler;
}
@Bean
public Wss4jSecurityInterceptor securityInterceptor() {
Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
securityInterceptor.setValidationActions("UsernameToken");
securityInterceptor.setSecurementMustUnderstand(true);
securityInterceptor.setSecurementUsername("setusername");
securityInterceptor.setSecurementPassword("setpassword");
securityInterceptor.setValidationCallbackHandler(securityCallbackHandler());
return securityInterceptor;
}
@Override
public void addInterceptors(List interceptors) {
interceptors.add(securityInterceptor());
}