我有一个独立的 Tomcat 服务器,它应该运行我的 Spring Boot 应用程序(部署为 .war
文件)。此应用程序需要使用来自 Tomcat 的容器身份验证来保护。首先它应该在开发环境中使用tomcat-users.xml
。在生产环境中,这个领域将被另一种身份验证方法取代。
我的配置:
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().disable()
.authorizeRequests()
.antMatchers("/test/test2").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().permitAll()
.and()
.logout().permitAll()
.and()
.jee().mappableRoles("USER");
}
}
Tomcat 用户:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd" version="1.0">
<user username="testuser" password="pw" roles="user" />
</tomcat-users>
在安全页面上,表单登录显示如预期,但身份验证不起作用(您的登录尝试不成功,请重试。)。
配置中还缺少其他东西吗?
日志:
09:53:40 DEBUG o.s.security.web.FilterChainProxy : /login at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
09:53:40 DEBUG o.s.security.web.FilterChainProxy : /login at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
09:53:40 DEBUG w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
09:53:40 DEBUG w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@22ea93f6. A new one will be created.
09:53:40 DEBUG o.s.security.web.FilterChainProxy : /login at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
09:53:40 DEBUG o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@738151d2
09:53:40 DEBUG o.s.security.web.FilterChainProxy : /login at position 4 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
09:53:40 DEBUG o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', GET]
09:53:40 DEBUG o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /login' doesn't match 'GET /logout
09:53:40 DEBUG o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', POST]
09:53:40 DEBUG o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/logout'
09:53:40 DEBUG o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', PUT]
09:53:40 DEBUG o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /login' doesn't match 'PUT /logout
09:53:40 DEBUG o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/logout', DELETE]
09:53:40 DEBUG o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /login' doesn't match 'DELETE /logout
09:53:40 DEBUG o.s.s.web.util.matcher.OrRequestMatcher : No matches found
09:53:40 DEBUG o.s.security.web.FilterChainProxy : /login at position 5 of 13 in additional filter chain; firing Filter: 'J2eePreAuthenticatedProcessingFilter'
09:53:40 DEBUG p.j.J2eePreAuthenticatedProcessingFilter : Checking secure context token: null
09:53:40 DEBUG p.j.J2eePreAuthenticatedProcessingFilter : PreAuthenticated J2EE principal: null
09:53:40 DEBUG p.j.J2eePreAuthenticatedProcessingFilter : No pre-authenticated principal found in request
09:53:40 DEBUG o.s.security.web.FilterChainProxy : /login at position 6 of 13 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
09:53:40 DEBUG o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/login'
09:53:40 DEBUG w.a.UsernamePasswordAuthenticationFilter : Request is to process authentication
09:53:40 DEBUG o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
09:53:40 DEBUG o.s.s.a.dao.DaoAuthenticationProvider : User 'testuser' not found
09:53:40 DEBUG o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'delegatingApplicationListener'
09:53:40 DEBUG w.a.UsernamePasswordAuthenticationFilter : Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
最佳答案
我找不到任何最终解决方案,但是 this hint helped me让它发挥作用。似乎至少需要一个 web.xml
来“激活”容器身份验证。然后 Spring Security 可以将其处理为预身份验证。
不幸的是,在此解决方案中,容器身份验证的权限(角色)不存在。因此,我不得不完全删除 Spring Security,只使用 web.xml
(和 context.xml
)。
关于tomcat - 使用独立 Tomcat 的 Spring Boot 容器身份验证,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/44152310/