Basic Auth不适用于多个配置

问题描述 投票:3回答:2

我正在尝试为已经配置了一些安全策略的应用程序中的一个特定路径设置基本身份验证。我正在使用Spring Boot 2.0

这是我的配置:

@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Configuration
    @Order(1)
    inner class TokenWebSecurityConfig : WebSecurityConfigurerAdapter() {

        override fun configure(http: HttpSecurity) {
            http.antMatcher("/token")
                .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/token").permitAll()
                .anyRequest().denyAll()
                .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .csrf().disable()
        }
    }

    @Configuration
    @Order(2)
    inner class SignUpWebSecurityConfig(private val signUpBasicAuthConfig: SignUpBasicAuthConfig) :
        WebSecurityConfigurerAdapter() {

        override fun configure(http: HttpSecurity) {
            http
                .antMatcher("/signup")
                .csrf()
                .disable()
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .httpBasic()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        }

        override fun configure(auth: AuthenticationManagerBuilder) {
            auth.inMemoryAuthentication()
                .withUser(signUpBasicAuthConfig.username)
                .password(signUpBasicAuthConfig.password)
                .roles("USER")
        }
    }

    @Configuration
    @Order(3)
    inner class ApiWebSecurityConfig(private val service: TokenAuthenticationUserDetailsService) :
        WebSecurityConfigurerAdapter() {

        override fun configure(http: HttpSecurity) {
            http
                .antMatcher("/api/**")
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .addFilterBefore(authFilter(), RequestHeaderAuthenticationFilter::class.java)
                .authenticationProvider(preAuthProvider())
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .csrf().disable()
        }

        @Bean
        fun authFilter(): TokenAuthenticationFilter = TokenAuthenticationFilter()

        @Bean
        fun preAuthProvider(): AuthenticationProvider =
            PreAuthenticatedAuthenticationProvider().apply { setPreAuthenticatedUserDetailsService(service) }
    }

    @Configuration
    @Order(4)
    inner class HealthWebSecurityConfig : WebSecurityConfigurerAdapter() {

        override fun configure(http: HttpSecurity) {
            http.authorizeRequests().antMatchers(HttpMethod.GET, "/health").permitAll()
        }
    }

    @Configuration
    class AuthenticationManagerProvider : WebSecurityConfigurerAdapter() {

        @Bean
        override fun authenticationManagerBean(): AuthenticationManager = super.authenticationManagerBean()
    }
}

@Order(2)配置总是失败。日志:

14:23:00.318 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/signup'; against '/token'
14:23:00.319 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/signup'; against '/signup'
14:23:00.320 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy - /signup at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
14:23:00.321 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy - /signup at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
14:23:00.322 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy - /signup at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
14:23:00.324 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy - /signup at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
14:23:00.324 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', GET]
14:23:00.324 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'POST /signup' doesn't match 'GET /logout
14:23:00.324 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', POST]
14:23:00.324 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/signup'; against '/logout'
14:23:00.324 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', PUT]
14:23:00.325 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'POST /signup' doesn't match 'PUT /logout
14:23:00.325 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', DELETE]
14:23:00.325 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'POST /signup' doesn't match 'DELETE /logout
14:23:00.325 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
14:23:00.325 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy - /signup at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
14:23:00.325 [http-nio-8080-exec-1] DEBUG o.s.s.w.a.w.BasicAuthenticationFilter - Basic Authentication Authorization header found for user 'username'
14:23:00.327 [http-nio-8080-exec-1] DEBUG o.s.s.authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
14:23:00.473 [http-nio-8080-exec-1] WARN  o.s.s.c.bcrypt.BCryptPasswordEncoder - Encoded password does not look like BCrypt
14:23:00.473 [http-nio-8080-exec-1] DEBUG o.s.s.a.d.DaoAuthenticationProvider - Authentication failed: password does not match stored value
14:23:00.474 [http-nio-8080-exec-1] DEBUG o.s.s.w.a.w.BasicAuthenticationFilter - Authentication request for failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
14:23:00.474 [http-nio-8080-exec-1] DEBUG o.s.s.w.a.DelegatingAuthenticationEntryPoint - Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
14:23:00.474 [http-nio-8080-exec-1] DEBUG o.s.s.w.a.DelegatingAuthenticationEntryPoint - No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@44d29834

在我看来,由于某种原因,内存AuthenticationManager没有使用。任何的想法?

spring spring-boot spring-security
2个回答
0
投票

我遇到了类似的问题,因为从2.0版开始,密码需要有一个前缀来指示它们是如何加密的。例如,bcrypt密码看起来像这样:

{bcrypt}2187jbfsafsd

如果这不能立即起作用,我还做了一些编辑,使其在我的应用程序中工作:

我首先创建了一个Passwordencoder bean并将其粘贴到securityconfig中:

@Bean
public static PasswordEncoder passwordEncoder() {
   return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}

然后我修改了DaoAuthenticationProvider(也在securityconfig中):

@Bean
public DaoAuthenticationProvider authenticationProvider() {
    final DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
    authProvider.setUserDetailsService(userDetailsService);
    authProvider.setPasswordEncoder(passwordEncoder);
    return authProvider;
}

最后我将编码器自动装入securityconfig:

@Autowired
private PasswordEncoder passwordEncoder;

我希望这可以帮助你


0
投票

我认为你的问题与拥有多个WebSecurityConfigurerAdapter实例并期望它们都被使用有关,据我所知Spring只会使用一个。这已经在这里进一步讨论:Using multiple WebSecurityConfigurerAdapter in spring boot

My preferred solution是定义一个特殊的接口

public interface ServiceWebSecurityConfigurer {
    void configure(HttpSecurity http) throws Exception;
}

然后只有一个ConfigurerAdapter:

public class MyConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Autowired(required = false)
    List<ServiceWebSecurityConfigurer> securityConfigurers;

    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests(). // whatever

        for (ServiceWebSecurityConfigurer serviceSecConfig: securityConfigurers)
            serviceSecConfig.configure(http);

        http.authorizeRequests(). // whatever
    }
}
© www.soinside.com 2019 - 2024. All rights reserved.