我目前正在使用Spring Security Ldap实现RestControllers。
登录成功,并且返回了用户信息。
当角度的前端想要调用我的Rest api时,问题就出现了,安全性返回了未经授权的状态。 (不应该像我应该登录一样)
我是春季安全的新手,所以也许我在配置中遗漏了一些简单的东西:)
以下是一些屏幕截图和配置代码示例(为了保密目的,我从屏幕截图中删除了一些数据):
GetDocuments unauthorised Details
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
@ComponentScan("com.*")
@PropertySource(value= {"classpath:application.properties"})
public class LdapSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private HttpAuthenticationEntryPoint authenticationEntryPoint;
@Autowired
private AuthSuccessHandler authSuccessHandler;
@Autowired
private AuthFailureHandler authFailureHandler;
@Autowired
private HttpLogoutSuccessHandler logoutSuccessHandler;
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
@Override
public UserDetailsService userDetailsServiceBean() throws Exception {
return super.userDetailsServiceBean();
}
@Bean
public AuthenticationProvider authenticationProvider() throws Exception {
LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider(getBindAuthenticator());
ldapAuthenticationProvider.setUserDetailsContextMapper(new UserDetailsContextMapperImpl());
return ldapAuthenticationProvider;
}
@Override
protected AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authenticationProvider(authenticationProvider())
.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint)
.and()
.csrf().disable()
.addFilterBefore(new CORSFilter(), ChannelProcessingFilter.class)
.authorizeRequests().antMatchers(authorizeRequestsCurrentUser).permitAll()
.and()
.authorizeRequests().anyRequest().authenticated()
.and().rememberMe()
.and()
.formLogin()
.permitAll()
.loginProcessingUrl(loginProcessingUrl)
.usernameParameter(userNameParameter)
.passwordParameter(userPasswordParameter)
.successHandler(authSuccessHandler)
.failureHandler(authFailureHandler)
.and()
.logout().permitAll()
.deleteCookies("JSESSIONID")
.logoutRequestMatcher(new AntPathRequestMatcher(logoutRequestMatcher, RequestMethod.GET.name()))
.logoutSuccessHandler(logoutSuccessHandler)
.logoutSuccessUrl(logoutSuccessUrl)
.clearAuthentication(true)
.and()
.sessionManagement()
.maximumSessions(1);
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.eraseCredentials(false).authenticationProvider(authenticationProvider()).ldapAuthentication()
.userSearchFilter(ldapUserSearchFilter)
.groupSearchBase(ldapGroupSearchBase)
.userDetailsContextMapper(new UserDetailsContextMapperImpl())
.contextSource(getLdapContextSource());
}
private BindAuthenticator getBindAuthenticator()throws Exception{
LdapContextSource contextSource = getLdapContextSource();
String searchFilter=ldapSearchfilter;
FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(ldapSearchBase, searchFilter,contextSource);
userSearch.setSearchSubtree(true);
BindAuthenticator bindAuthenticator = new BindAuthenticator(contextSource);
bindAuthenticator.setUserSearch(userSearch);
bindAuthenticator.afterPropertiesSet();
return bindAuthenticator;
}
private LdapContextSource getLdapContextSource() throws Exception {
LdapContextSource cs = new LdapContextSource();
cs.setUrl(ldapUrl);
cs.setBase(ldapBase);
cs.setUserDn(ldapUserDn);
cs.setPassword(ldapPassword);
cs.setPooled(true);
cs.afterPropertiesSet();
return cs;
}
}
@Component
@Log4j
public class AuthSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
private final ObjectMapper mapper;
@Autowired
AuthSuccessHandler(MappingJackson2HttpMessageConverter messageConverter) {
this.mapper = messageConverter.getObjectMapper();
}
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
LdapUser authUser = (LdapUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
MyUser user = new MyUser();
user.setUsername(authUser.getUsername());
user.setPassword(cred);
// set our response to OK status
response.setStatus(HttpServletResponse.SC_OK);
response.setContentType(MediaType.APPLICATION_JSON_VALUE+"; charset=UTF-8");
PrintWriter writer = response.getWriter();
mapper.writeValue(writer, authUser);
writer.flush();
}
}
public class CORSFilter implements Filter{
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) res;
response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS,"true");
response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "*");
response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "POST, GET, OPTIONS, DELETE");
response.setHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE, "3600");
response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, "x-requested-with");
chain.doFilter(request, response);
}
public void destroy() {}
}
@Component
public class UserDetailsContextMapperImpl extends LdapUserDetailsMapper {
@Override
public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
Collection<? extends GrantedAuthority> authorities) {
UserDetails userDetails= super.mapUserFromContext(ctx,username,authorities);
String fullName = ctx.getStringAttribute("givenName");
String email = ctx.getStringAttribute("mail");
return new LdapUser((LdapUserDetails)userDetails,fullName,email);
}
}
@Log4j
@CrossOrigin
@RestController
@ComponentScan("com.*")
@RequestMapping(value = "${config.rest.uri.entry.path}", produces = MediaType.APPLICATION_JSON_VALUE)
public class DashboardController {
@Autowired
IDashboardService dashboardService;
@RequestMapping(value = "${config.rest.uri.dashboard.documents}",method = RequestMethod.GET,produces = MediaType.APPLICATION_JSON_VALUE)
public Result<List<DashboardDocument>> getDocumentList(@RequestParam(value="username") String username){
----------------
return result;
}
}
你有没有解决2年后的问题? :-P
我想做同样的事情,我对你的代码感兴趣,如果你分享它?
否则,我有办法,将其添加到你的onAuthenticationSuccess(在这里找到:https://www.baeldung.com/securing-a-restful-web-service-with-spring-security):
SavedRequest savedRequest
= requestCache.getRequest(request, response);
if (savedRequest == null) {
clearAuthenticationAttributes(request);
return;
}
String targetUrlParam = getTargetUrlParameter();
if (isAlwaysUseDefaultTargetUrl()
|| (targetUrlParam != null
&& StringUtils.hasText(request.getParameter(targetUrlParam)))) {
requestCache.removeRequest(request, response);
clearAuthenticationAttributes(request);
return;
}
clearAuthenticationAttributes(request);
为了让您的api知道用户已通过身份验证,请求必须包含身份验证信息。通常它会在请求标头中。 This spring教程展示了如何使用Angular来传递身份验证信息。请注意,这仅支持基本身份验证。
这是spring安全日志:
也许你已经找到了答案,但只是为了完整性,这里是一行代码导致你的restcontrollers请求访问被拒绝。在您的配置中,您使用.formLogin()作为将凭据传输到restcontrollers的方法,但是其他控制器是无会话的,它不会从您的会话中获取任何内容。您需要一种不同的方式将凭证从客户端传输到其他控制器。一种方法是将.formLogin()改为httpBasic()。