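I'm new to Spring and Spring Security, and I can't seem to get this working. I'm using Spring Security to secure a web service. When I explicitly log in at the URL I've defined, I get the appropriate responses to secured requests - 401, 200, etc. However, when I try to test the actual URLs by sending the authentication data in the header via curl or Poster, I can't get it to work.
Here is my servlet-security.xml file: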
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:sec="http://www.springframework.org/schema/security"
             xsi:schemaLocation="
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                 http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
    <http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint">
        <intercept-url pattern="/services/schedule/**" access="ROLE_USER, ROLE_ADMIN"/>
        <custom-filter ref="myFilter" position="FORM_LOGIN_FILTER"/>
        <!-- Adds a logout filter to Spring Security filter chain -->
        <logout logout-url="/api/logout" delete-cookies="true" invalidate-session="true"
                success-handler-ref="restLogoutSuccessHandler"/>
    </http>
    <beans:bean id="myFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="authenticationSuccessHandler" ref="mySuccessHandler"/>
        <beans:property name="filterProcessesUrl" value="/api/login"/>
        <beans:property name="usernameParameter" value="username"/>
        <beans:property name="passwordParameter" value="password"/>
        <beans:property name="postOnly" value="true"/>
    </beans:bean>
    <!-- Configures a custom authentication success handler that returns HTTP status code 200 -->
    <beans:bean id="mySuccessHandler" class="com.touchvision.pilot.security.RestAuthenticationSuccessHandler"/>
    <!-- Configures a custom authentication failure handler that returns HTTP status code 401 -->
    <beans:bean id="restAuthenticationFailureHandler" class="com.touchvision.pilot.security.RestAuthenticationFailureHandler"/>
    <!-- Configures a custom logout success handler that returns HTTP status code 200 -->
    <beans:bean id="restLogoutSuccessHandler" class="com.touchvision.pilot.security.RestLogoutSuccessHandler"/>
    <!-- Declare an authentication-manager to use a custom userDetailsService -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="customUserDetailsService">
            <password-encoder ref="passwordEncoder"/>
        </authentication-provider>
    </authentication-manager>
    <!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the database -->
    <beans:bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>
    <!-- A custom service where Spring will retrieve users and their corresponding access levels -->
    <beans:bean id="customUserDetailsService" class="com.touchvision.pilot.services.CustomUserDetailsService"/>
</beans:beans>
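As I said, I can log in fine by posting the credentials to /api/login. However, when I try to send the authentication in the header along with the actual data request, I get an error message that says "This request requires HTTP authentication". The curl command I'm using is: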
curl -u admin@touchvision.com:admin123 "http://local.touchvision.com/services/schedule/list"
Thanks for all your help.
Best answer
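You have only configured a form login filter (UsernamePasswordAuthenticationFilter) to handle form parameters passed in an HTTP POST request, but there is nothing on the server side that handles header requests.
Try configuring a BasicAuthenticationFilter, which will authenticate requests based on the information passed in the header.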
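One way to apply the answer's suggestion, as an added example that is not part of the original question or answer: the asker's `<http>` element with the namespace's `<http-basic/>` element added. It assumes the Spring Security 3.1 schema and the bean ids declared in the question's file; nothing else changes.

```xml
<!-- Added example: the <http> element from the question with HTTP Basic enabled.
     Bean ids and URL patterns are the asker's; only <http-basic/> is new. -->
<http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint">
    <intercept-url pattern="/services/schedule/**" access="ROLE_USER, ROLE_ADMIN"/>

    <!-- Unchanged: this filter only processes POST requests to /api/login
         that carry the username and password form parameters. A GET with
         an Authorization header passes through it unauthenticated. -->
    <custom-filter ref="myFilter" position="FORM_LOGIN_FILTER"/>

    <!-- New: registers a BasicAuthenticationFilter in the filter chain.
         It reads the "Authorization: Basic base64(user:password)" header
         that curl sends with the u option and authenticates it against the
         same authentication-manager (customUserDetailsService plus
         passwordEncoder). Because create-session is "stateless", no session
         is kept, so every request to /services/schedule/** must carry
         the header. -->
    <http-basic/>

    <!-- Unchanged: logout filter from the question. -->
    <logout logout-url="/api/logout" delete-cookies="true" invalidate-session="true"
            success-handler-ref="restLogoutSuccessHandler"/>
</http>
```

Basic credentials are only base64-encoded in the header, not encrypted, so an endpoint configured this way belongs behind HTTPS.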
Regarding web-services - Spring Security with REST web services - unable to authenticate via header when testing with curl, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/15005804/