Context
Spring Boot
Http Basic
问题
当我尝试使用数据库中的数据登录时,出现401未经授权的错误。如果我使用Inmemorydatabase,它可以正常工作。我还打印了用户名和密码,并在邮递员的输入字段中输入了它,但仍然无法使用。
这是我的安全性配置类:
package com.example.demo.security;
import com.example.demo.service.UserDetailsServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
@Autowired
UserDetailsServiceImpl userDetailsService;
DaoAuthenticationProvider authenticationProvider(){
DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
daoAuthenticationProvider.setPasswordEncoder(passwordEncoder());
daoAuthenticationProvider.setUserDetailsService(userDetailsService);
return daoAuthenticationProvider;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authenticationProvider());
}
}
和我的UserDetailsService类:
package com.example.demo.service;
import com.example.demo.model.Student;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
@Service
public class UserDetailsServiceImpl implements UserDetailsService {
@Autowired
private StudentService data;
@Override
public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
Student std = data.loadByUsername(s);
if(std == null)
throw new UsernameNotFoundException("User not found");
return new UserDetailsImpl(std);
}
}
学生具有此属性:
private UUID id;
private String name;
private String lname;
private Integer age;
private String number;
private String password;
private String role;
尝试禁用csrf
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic();
}
也请仔细阅读CSRF protection上的文档
您何时应使用CSRF保护?我们的建议是使用CSRF保护浏览器可以处理的任何请求,普通用户。如果您仅创建供以下人员使用的服务非浏览器客户端,您可能需要禁用CSRF保护。