java 使用基本身份验证保护 Spring Boot REST 应用程序
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/36514587/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Secure Spring Boot REST app with basic authentication
提问by Martin Melka
I have looked up articles about using Spring Security, but they do not quite answer my need. They usually deal with in-memory users and plaintext passwords.
我查阅了有关使用 Spring Security 的文章,但它们并不能完全满足我的需求。他们通常处理内存用户和明文密码。
What I want to achieve:
我想要达到的目标:
Clients authenticate using Basic Authentication.
客户端使用基本身份验证进行身份验证。
Secured Controller methods look like this:
安全控制器方法如下所示:
@RequestMapping(value = "/test")
public ResponseEntity test(@AuthenticationPrincipal MyUser user){
// Logic
}
I want the controller method to get a MyUser object in its parameters if the given user is authenticated or null if not.
如果给定用户已通过身份验证,我希望控制器方法在其参数中获取一个 MyUser 对象,否则为 null。
I am storing hashed password and salt of a user in a database, and I have a service which authenticates given username-password pair and returns a User object or null if authentication succeeded or failed, respectively.
我将散列密码和用户的盐存储在数据库中,并且我有一个服务,该服务对给定的用户名-密码对进行身份验证,并在身份验证成功或失败时分别返回一个 User 对象或 null。
All that needs to happen now is to intercept every request, look at the basic authentication header, pass the info to my custom authentication service and then pass its result into the controller method. Unfortunately I haven't been able to do that.
现在需要做的就是拦截每个请求,查看基本身份验证标头,将信息传递给我的自定义身份验证服务,然后将其结果传递给控制器方法。不幸的是,我无法做到这一点。
I read on using custom UserDetailsService, but that only seems to handle fetching user data from database, and not any authentication. I cannot figure out how to plug all the components together.
我继续阅读使用 custom UserDetailsService,但这似乎只处理从数据库中获取用户数据,而不是任何身份验证。我不知道如何将所有组件连接在一起。
Can you point me in the right direction how to get this rather simple workflow working?
你能指出我如何让这个相当简单的工作流程工作的正确方向吗?
EDIT
编辑
I am not using XML config and the only security related config I have is:
我没有使用 XML 配置,我拥有的唯一与安全相关的配置是:
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.antMatcher("/**").csrf().disable();
http.authorizeRequests()
.antMatchers("/user").permitAll()
.antMatchers("/user/**").permitAll()
.anyRequest().authenticated();
}
}
采纳答案by eWizard
I think this article will be helpful, as i understand this is what you are trying to do http://www.baeldung.com/spring-security-authentication-provider
我认为这篇文章会有所帮助,因为我明白这就是你想要做的 http://www.baeldung.com/spring-security-authentication-provider
回答by jeet singh parmar
Basic authentication you can do in 3 different ways -
您可以通过 3 种不同方式进行基本身份验证 -
1 - Just add spring-security maven dependency
1 - 只需添加 spring-security Maven 依赖项
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Automatically enable basic authentication like username - "user" and password you can find out in console using default security password - "bdd42ed9-635d-422b-9430-ce463625fd2e"
自动启用基本身份验证,如用户名 - “用户”和密码,您可以使用默认安全密码在控制台中找到 - “bdd42ed9-635d-422b-9430-ce463625fd2e”
2 - create one configuration class for security like below code
2 - 为安全性创建一个配置类,如下面的代码
@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private AuthenticationEntryPoint authEntryPoint;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests().anyRequest().authenticated().and().httpBasic();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
}
3 - one more way to do this add default username and password in application.properties file like below
3 - 另一种方法是在 application.properties 文件中添加默认用户名和密码,如下所示
security.user.name=user
security.user.password=password
and create config class like below code
并像下面的代码一样创建配置类
@Configuration
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests().anyRequest().authenticated().and().httpBasic();
}
}
still have some doubt then click on below link and watch this video
仍然有一些疑问,然后单击下面的链接并观看此视频
