基本身份验证在Spring-Boot WS Soap服务中不起作用

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了基本身份验证在Spring-Boot WS Soap服务中不起作用相关的知识,希望对你有一定的参考价值。

我有Spring WS的SOAP模拟服务。我正在尝试添加基本的http身份验证。我使用这种web服务配置:

@EnableWs
@Configuration
public class WebServiceConfig extends WsConfigurerAdapter {

@Bean
public ServletRegistrationBean messageDispatcherServlet(ApplicationContext applicationContext) {
    MessageDispatcherServlet servlet = new MessageDispatcherServlet();
    servlet.setApplicationContext(applicationContext);
    return new ServletRegistrationBean(servlet);
}

@Bean(name = "cards")
public Wsdl11Definition wsdlDefinition() {
    SimpleWsdl11Definition wsdl11Definition = new SimpleWsdl11Definition();
    wsdl11Definition.setWsdl(new ClassPathResource("cards.wsdl"));
    return wsdl11Definition;
}
}

而这种弹簧安全配置:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
      .authorizeRequests().anyRequest().authenticated()
      .and().httpBasic()
      .and().authorizeRequests().antMatchers("*.wsdl").permitAll();
}

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth
            .inMemoryAuthentication()
            .withUser("user").password("password").roles("USER");
}

但是当我运行spring-boot并将请求发送到服务时,即使没有身份验证,它也会返回响应。我配置错了什么?

upd:如果我运行spring-boot并对配置进行以下更改:

//@EnableWs
@Configuration
public class WebServiceConfig extends WsConfigurerAdapter {

//@Bean
//public ServletRegistrationBean messageDispatcherServlet(ApplicationContext applicationContext) {
//    MessageDispatcherServlet servlet = new MessageDispatcherServlet();
//    servlet.setApplicationContext(applicationContext);
//    return new ServletRegistrationBean(servlet);
//}

@Bean(name = "cards")
public Wsdl11Definition wsdlDefinition() {
    SimpleWsdl11Definition wsdl11Definition = new SimpleWsdl11Definition();
    wsdl11Definition.setWsdl(new ClassPathResource("cards.wsdl"));
    return wsdl11Definition;
}
}

它工作正常(要求auth请求)但url映射更改为[/ services / *],这是我不希望的映射。对不起,我是Spring的新手。

答案

尝试,

正如@denium所指出的那样

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
      .antMatchers("*.wsdl").permitAll()
      .anyRequest().authenticated().hasRole("USER")
      .and().httpBasic();

}
另一答案

我刚刚遇到同样的问题而且有我的解决方案。代码中的permitAll()应用于已经过身份验证的用户,您需要使用方法configure(WebSecurity Web)将URL添加到忽略列表中。而且我认为过滤“* .wsdl”并不适用,我使用“/**/*.wsdl”

有我工作的WebSecurityConfig类

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

//Enforce basic auth
@Override
protected void configure(HttpSecurity http) throws Exception {
     http.csrf().disable()
      .httpBasic()
      .and().authorizeRequests().anyRequest().authenticated();
}

//Ignore basic auth for WSDL URL
@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/**/*.wsdl");
}

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    //TODO - do parametru
    auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
另一答案

只需复制粘贴此代码您的“WebServiceConfig”类

@Bean
   public SimplePasswordValidationCallbackHandler securityCallbackHandler() {
                SimplePasswordValidationCallbackHandler callbackHandler = new SimplePasswordValidationCallbackHandler();
                Properties users = new Properties();
                users.setProperty("AAA", "BBB");
                callbackHandler.setUsers(users);
                return callbackHandler;
            }

            @Bean
            public Wss4jSecurityInterceptor securityInterceptor() {
                Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
                securityInterceptor.setValidationActions("UsernameToken");
                securityInterceptor.setSecurementMustUnderstand(true);
                securityInterceptor.setSecurementUsername("setusername");
                securityInterceptor.setSecurementPassword("setpassword");
                securityInterceptor.setValidationCallbackHandler(securityCallbackHandler());
                return securityInterceptor;
            }

            @Override
            public void addInterceptors(List interceptors) {
                interceptors.add(securityInterceptor());
            }

以上是关于基本身份验证在Spring-Boot WS Soap服务中不起作用的主要内容,如果未能解决你的问题,请参考以下文章

spring-boot 在单个 Web 应用程序路径上设置基本身份验证?

Spring-Boot REST 服务基本 http 身份验证排除一个端点

在 Spring Security(spring-boot 项目)中使用 ldap 凭据进行 Http 基本身份验证以保护休息服务调用

具有基本身份验证的 Jersey cors 不起作用

SOA:Rails 多个客户端的用户身份验证和 api 授权

在 spring-boot 中禁用特定 url 的 Keycloak 身份验证