java - 休息Web服务中的Spring Security

标签 java spring spring-security

我正在尝试在restweb服务中实现spring security。

我总是收到“由于身份验证失败而正在输入”消息。它不会出现在 CustomAuthenticationProvider.java 中。我的代码从 CustomEntryPoint 返回我。我认为存在配置错误。

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
 xmlns:web="http://java.sun.com/xml/ns/javaee"
 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value> WEB-INF/security-config.xml

        </param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

  <servlet>
    <servlet-name>appServlet</servlet-name>
  <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>

      <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/security-config.xml</param-value>
      </init-param>
     <load-on-startup>1</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>appServlet</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>

   <filter>
      <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
     </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping> 

<!--   <welcome-file-list>
    <welcome-file>/WEB-INF/index.jsp</welcome-file>
</welcome-file-list> -->
<!-- Tag Libary -->

</web-app>

Spring 安全文件

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-4.0.xsd
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
      http://www.springframework.org/schema/context
      http://www.springframework.org/schema/context/spring-context-4.0.xsd">

    <sec:http entry-point-ref="customEntryPoint" use-expressions="true">

        <sec:custom-filter ref="authenticationFilter"
            before="PRE_AUTH_FILTER" />

        <sec:intercept-url pattern="/**"
            access="hasAuthority('AUTH_USER')" />

        <sec:logout delete-cookies="JSESSIONID" />

        <sec:csrf disabled="true" />
    </sec:http>

    <context:component-scan base-package="org.arpit.java2blog" />

    <sec:authentication-manager alias="authenticationManager">
        <authentication-provider ref="customAuthenticationProvider" />
    </sec:authentication-manager>

    <!-- <context:component-scan base-package="org.arpit.java2blog" /> -->

    <beans:bean id="authenticationFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="postOnly" value="false" />
        <beans:property name="authenticationSuccessHandler" ref="customSuccessHandler" />
    </beans:bean>

    <beans:bean id="customSuccessHandler"   class="org.arpit.java2blog.controller.CustomSuccessHandler" />
        <beans:bean id="customAuthenticationProvider"   class="org.arpit.java2blog.controller.CustomAuthenticationProvider" />

</beans:beans>

类文件

package org.arpit.java2blog.controller;

import java.util.Collections;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {
    @Override
    public Authentication authenticate(Authentication auth) 
      throws AuthenticationException {
        String username = auth.getName();
        String password = auth.getCredentials()
            .toString();
        System.out.println(username +"::"+password);

        if ("user".equals(username) && "pass".equals(password)) {
            return new UsernamePasswordAuthenticationToken
              (username, password, Collections.emptyList());
        } else {
            throw new
              BadCredentialsException("External system authentication failed");
        }
    }

    @Override
    public boolean supports(Class<?> auth) {
        return auth.equals(UsernamePasswordAuthenticationToken.class);
    }
}

package org.arpit.java2blog.controller;
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

@Component
public class CustomEntryPoint implements AuthenticationEntryPoint
{

        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException
        {
                    System.out.println("Entering commence due to failed Authentication");
                 response.sendError( HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized Access!" );
        }

}

package org.arpit.java2blog.controller;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;


public class CustomSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler
{

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException
        {
                System.out.println("authentication successful!");
        }
}

最佳答案

看起来您正在使用该 customEntryPoint 来制动过滤器链,因为它在任何身份验证之前运行,并且因为它发送response.sendError,如果链被破坏。因此,删除该入口点 bean。
您可以通过在 sec:http 部分中添加以下内容来注册自定义成功和失败处理程序:

<sec:form-login
        authentication-failure-handler-ref="authenticationFailedHandler"
        authentication-success-handler-ref="authenticationSuccessHandler" />

成功处理程序在哪里:

@Component
public class AuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        // success
    }
}

和失败的处理程序:

@Component
public class AuthenticationFailedHandler extends SimpleUrlAuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
        // super.onAuthenticationFailure(request, response, exception);    
        // failed
    }
}

希望有帮助。

关于java - 休息Web服务中的Spring Security,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/50735877/

上一篇:java - ChannelInboundHandlerAdapter 即时删除

下一篇:java - 将 HTTP 请求数据转换为枚举时捕获异常

相关文章:

java - 如何在Java中使用非标准变量名来生成XML标签?

java - 在测试期间排除 Spring Boot 中的 ApplicationListener @Component

java - Spring Batch - 资源不能为空

java - 基本身份验证 + JWT 与 Oauth2

java - 为什么 @Secured 无法在 Tapestry 5.4.0 中工作?

java - Hibernate 简单选择查询不返回任何内容

java - 使用 java 配置类时如何正确配置 Spring MVC webapp?

Java错误 "Exception in thread "主要“java.lang.ArrayIndexOutOfBoundsException”

java - 液碱 : link main yaml changelog from test

java - 如何使用 Spring Security ACL 获取用户有权访问的域对象列表?

©2024 IT工具网  联系我们