无需表单登录即可通过 Spring Security 进行基本身份验证
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/16220971/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Rest basic authentication via spring security without form-login
提问by Andy N
I am trying to create a restful web service that will be used by other web services. Ideally, when a client access the service, and isn't authenticated, they should get a 401. I want a user to be able to authenticate by adding an authentication header to the request. I don't want the user to fill out a login form, and post that. I also don't want it to store any login credentials in a cookie (ie keeping state) it should all be in the auth header send with each request. I have used spring roo to create the web service.
我正在尝试创建一个可供其他 Web 服务使用的宁静 Web 服务。理想情况下,当客户端访问服务并且未通过身份验证时,他们应该得到 401。我希望用户能够通过向请求添加身份验证标头来进行身份验证。我不希望用户填写登录表单,然后将其发布。我也不希望它在 cookie 中存储任何登录凭据(即保持状态),它应该全部在随每个请求发送的 auth 标头中。我已经使用 spring roo 创建了 Web 服务。
What I have currently, (taken from one of the spring security 3.1 tutorials), when the user gets a 401, they are promted with a login page, and then post the page, getting a cookie that they send with each request.
我目前所拥有的(取自 spring 安全 3.1 教程之一),当用户收到 401 时,会提示他们登录页面,然后发布该页面,获取他们随每个请求发送的 cookie。
Here is my spring security xml.
这是我的 spring 安全 xml。
<http use-expressions="true">
<intercept-url pattern="/customers/**" access="isAuthenticated()" />
<intercept-url pattern="/**" access="denyAll" />
<form-login />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="alice" password="other" authorities="user" />
<user name="custome1" password="other" authorities="user" />
</user-service>
</authentication-provider>
</authentication-manager>
When I send a request from curl, i get the following:
当我从 curl 发送请求时,我得到以下信息:
$ curl -i -H "Accept: application/json" -H "Authorization: Basic Y3VzdG9tZXIxOm90aGVy" http://localhost:8080/Secured/customers
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B4F983464F68199FA0160DBE6279F440; Path=/Secured/; HttpOnly
Location: http://localhost:8080/Secured/spring_security_login;jsessionid=B4F983464F68199FA0160DBE6279F440
Content-Length: 0
Date: Thu, 25 Apr 2013 17:18:48 GMT
where my basic header token is base64(customer1:other)
我的基本标头令牌是 base64(customer1:other)
How can I get the web service to accept the auth header, and not redirect me to a login page?
如何让 Web 服务接受 auth 标头,而不是将我重定向到登录页面?
When I remove the from security.xml, I get the following:
当我从 security.xml 中删除 时,我得到以下信息:
excpetion:org.springframework.beans.factory.parsing.BeanDefinitionParsingException:
Configuration problem: No AuthenticationEntryPoint could be established.
Please make sure you have a login mechanism configured through the namespace
(such as form-login) or specify a custom AuthenticationEntryPoint with the
'entry-point-ref' attribute
采纳答案by Andy N
I needed to remove <form-login>and add <http-basic>. Also added create-session-"stateless" to my config.
我需要删除<form-login>和添加<http-basic>. 还在我的配置中添加了 create-session-"stateless"。
<http use-expressions="true" create-session="stateless" >
<intercept-url pattern="/customers/**" access="isAuthenticated()" />
<intercept-url pattern="/**" access="denyAll" />
<http-basic/>
</http>
回答by Andrey
Here is an example non-xml configuration for Rest authentication or with form or with basic whatever needed:
这是用于 Rest 身份验证或使用表单或使用基本任何需要的非 xml 配置示例:
.and().httpBasic();
does the magic! ))
有魔法吗!))
@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/someurl").hasRole("ADMIN")
.antMatchers("/anotherurl").hasRole("USER")
.antMatchers("/", "main").permitAll().anyRequest().authenticated()
.and()
.httpBasic();
http.formLogin()
.loginPage("/login").permitAll()
.and()
.logout().permitAll();
}
...
}
回答by Jayaram
follow this test demo of jax-rs with spring security http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/spring_security/
按照这个带有 spring 安全性的 jax-rs 测试演示 http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/spring_security/
this is simple approach for authentication without promoting credentials.
这是一种无需提升凭据即可进行身份验证的简单方法。
you may go with implementing RequestHandlerand overriding
你可以去实现RequestHandler和覆盖
public Response handleRequest(Message message, ClassResourceInfo resourceClass);
follow : http://cxf.apache.org/docs/secure-jax-rs-services.htmlfor complete set of approach.
按照:http: //cxf.apache.org/docs/secure-jax-rs-services.html获取完整的方法集。
