我想为 Hawt.io 配置 Spring Security
和嵌入式 tomcat。使用(用户和密码)自定义登录后,Hawt.io 登录要求进行身份验证。但是代码和配置中禁用了 Hawt.io 身份验证。如果我使用 security.basic.enable= false
删除 MvcConfig
和 WebSecurityConfig
然后没有任何有效的身份验证。但是
I want to authenticate with custom username and password which is working after that Hawt.io is also asking the credentials though that part is disabled.
请帮我解决这个问题。
application.properties
hawtio.authenticationEnabled = false
management.security.enabled=false
security.basic.enable= true
security.ignored= /**
login.html
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"
xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
<head>
<title>Spring Security Example </title>
</head>
<body>
<div th:if="${param.error}">
Invalid username and password.
</div>
<div th:if="${param.logout}">
You have been logged out.
</div>
<form th:action="@{/login}" method="post">
<div><label> User Name : <input type="text" name="username"/> </label></div>
<div><label> Password: <input type="password" name="password"/> </label></div>
<div><input type="submit" value="Sign In"/></div>
</form>
</body>
</html>
MvcConfig.java
@Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login");
}
}
WebSecurityConfig.java
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/","/hawtio").permitAll().anyRequest().authenticated().and()
.formLogin().loginPage("/login")
.permitAll().and().logout().permitAll();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
}
应用程序.java
@SpringBootApplication
@EnableHawtio
public class Application {
public static void main(String[] args) {
System.setProperty(AuthenticationFilter.HAWTIO_AUTHENTICATION_ENABLED, "false");
SpringApplication.run(Application.class, args);
}
}
pom.xml
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.5.8.RELEASE</version>
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>io.hawt</groupId>
<artifactId>hawtio-springboot</artifactId>
<version>1.5.6</version>
</dependency>
<dependency>
<groupId>io.hawt</groupId>
<artifactId>hawtio-core</artifactId>
<version>1.5.6</version>
</dependency>
</dependencies>
更新: 连接到虚拟 Camel 应用程序,如下所示,再次登录时会提供进入 404 错误页面的凭据。
最佳答案
要使 hawtio 与 Spring Security 和 Spring Boot 一起工作,需要进行以下更改。您可以找到一个工作示例 here . 但是,我无法更新 hawtio 菜单栏中的用户名。
配置Spring Security
以标准方式为应用程序配置 Spring 安全性,除了 一些特定于 hawtio 的更改:
禁用 hawtio 身份验证,
@SpringBootApplication @EnableHawtio @ComponentScan(basePackages = {"com.basaki"}) public class Application { public static void main(String[] args) { System.setProperty(AuthenticationFilter. HAWTIO_AUTHENTICATION_ENABLED,"false"); SpringApplication.run(Application.class, args); } }
在您的应用程序中禁用跨站点请求伪造 (CSRF)。
确保注销请求 URL 与
/hawtio/auth/logout/*
匹配。 这是 hawtio 用来使 session 无效的 URL。@Configuration @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { ... @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/").permitAll() .anyRequest().authenticated() .and().formLogin().loginPage("/login") .failureUrl("/login?error") .permitAll() .and().logout().logoutRequestMatcher( new AntPathRequestMatcher( "/hawtio/auth/logout/*")) .logoutSuccessUrl("/login?logout") .and().csrf().disable(); } ... }
登录页面
由于您使用的是表单登录,因此您将需要一个自定义登录页面。在此示例中,使用了
login.html
。配置
/login
请求以匹配 Viewlogin.html
@Configuration public class SpringMvcConfiguration extends WebMvcConfigurerAdapter { @Override public void addViewControllers(ViewControllerRegistry registry) { registry.addViewController("/login").setViewName("login"); } ... }
更新hawtio的login.html
一旦您从 hawtio 页面注销,它会将您带到它自己的登录页面。由于它是一个使用 AngularJS 的单页应用程序,您需要将这部分页面替换为您自己自定义的基于 AngularJS 的登录页面。
在此示例中,使用了
login-hawtio.html
页面。<div ng-controller="LoginPlugin.LoginController"> <h1 style="color: #78ab46;">Sign in</h1> <form action="/login" method="post"> <div> <label style="font-weight: 700; padding-right: 15px; padding-left: 15px;">Username: <input id="username" type="text" name="username" placeholder="Username"/> </label> </div> <div> <label style="font-weight: 700; padding-right: 15px; padding-left: 15px;">Password: <input id="password" type="password" name="password" required placeholder="Password"/> </label> </div> <div> <button type="submit" class="btn btn-default">Sign In</button> </div> </form> </div>
用于替换现有 hawtio 登录页面的 Controller 。
@Controller public class HawtioController { private ResourceLoader loader; @Autowired public HawtioController(ResourceLoader loader) { this.loader = loader; } @RequestMapping(value = "/hawtio/app/core/html/login.html", method = RequestMethod.GET, produces = "text/html;charset=UTF-8") public void getHawtioLoginHtml(HttpServletResponse response) { String location = "classpath:/templates/login-hawtio.html"; try { String body = getResource(location); response.setStatus(HttpStatus.OK.value()); response.getWriter().write(body); response.getWriter().flush(); response.getWriter().close(); } catch (IOException e) { response.setStatus(HttpStatus.NOT_FOUND.value()); } } ... }
hawtio登录插件
需要自定义 hawtio 插件才能拥有自己的 AngularJS 登录 Controller
LoginPlugin.LoginController
。用于从hawto的登录页面登录后重定向到hawtio的主页。@Configuration public class HawtioConfiguration { @Bean public HawtPlugin samplePlugin() { return new HawtPlugin("login-plugin", "/hawtio/plugins", "", new String[]{"plugin/js/login-plugin.js"}); } }
login-plugin.js
位于resources/app/webapp/plugin/js
文件夹下。var LoginPlugin = (function(LoginPlugin) { LoginPlugin.pluginName = 'login-plugin'; LoginPlugin.log = Logger.get('LoginPlugin'); LoginPlugin.module = angular.module('login-plugin', ['hawtioCore']) .config(function($routeProvider) { $routeProvider. when('/home', { templateUrl: '/hawtio/index.html' }); }); LoginPlugin.module.run(function(workspace, viewRegistry, layoutFull) { LoginPlugin.log.info(LoginPlugin.pluginName, " loaded"); viewRegistry["login-plugin"] = layoutFull; workspace.topLevelTabs.push({ id: "LoginPlugin", content: "Login Plugin", title: "Login plugin loaded dynamically", isValid: function(workspace) { return true; }, href: function() { return "#/login-plugin"; }, isActive: function(workspace) { return workspace.isLinkActive("login-plugin"); } }); }); LoginPlugin.LoginController = function($scope, $rootScope, $http) { var fullUrl = "/hawtio/index.html"; $http({method: 'GET', url: fullUrl}); }; return LoginPlugin; })(LoginPlugin || {}); hawtioPluginLoader.addModule(LoginPlugin.pluginName);
关于java - Hawt.io 的 Spring Security,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/47558256/