实施URL身份验证的春季安全性时拒绝URL访问
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了实施URL身份验证的春季安全性时拒绝URL访问相关的知识,希望对你有一定的参考价值。
我正在尝试实现URL认证,然后再通过业务逻辑给出响应。为此,我正在使用Spring Security的身份验证提供程序,并尝试做一个简单的演示来测试authenticationProvider的正常工作。之后,我将通过添加业务逻辑来进行修改,
我的安全性配置文件SecurityConfig.java如下,
@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthenticationProvider authenticationProvider;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests()
.anyRequest()
.authenticated()
.and().httpBasic();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception
{
auth.authenticationProvider(authenticationProvider);
}
}
以及下面的My CustomAuthenticationProvider.java实现,
@Component
public class CustomAuthenticationProvider implements AuthenticationProvider
{
@SuppressWarnings("unused")
@Override
public Authentication authenticate(Authentication authToken) throws AuthenticationException {
String userToken = (String) authToken.getName();
String responseString = "test";
String password = "test";
if(responseString.equals(userToken)) {
UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(userToken, password);
return auth;
}
else {
return null;
}
}
@Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}
还有我的TestSecurity.java如下所示,
@RestController
public class TestSecurity {
@GetMapping("/security/load")
public String LoadSecureUsers() {
return "hello spring security";
}
}
当我从POSTMAN应用程序中调用带有标题localhost:8585/security/load的URL authToken: "test"时,我得到以下信息,
{
"timestamp": "2019-10-30T07:24:25.165+0000",
"status": 401,
"error": "Unauthorized",
"message": "Unauthorized",
"path": "/security/load"
}
如果IF中的条件满足,那么URL如何无法访问?我在身份验证提供程序实现中是否犯了任何错误?
任何人都可以帮助解决我的URL访问问题吗?
答案
而不是AuthenticationProvider使用过滤器来处理请求。此代码可能会帮助您:
public class ApplicationAuthFilter extends BasicAuthenticationFilter {
public ApplicationAuthFilter(AuthenticationManager authenticationManager) {
super(authenticationManager);
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
UsernamePasswordAuthenticationToken authentication = getAuthentication(request);
SecurityContextHolder.getContext().setAuthentication(authentication);
filterChain.doFilter(request, response);
}
private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request) {
String token = String bearerToken = req.getHeader("accessToken");
String username = "test";
String password = "test"
if (username != null && !username.isEmpty()) {
return new UsernamePasswordAuthenticationToken(username, null, authorities);
}
return null;
}
}
以及您的安全性配置文件,如下所示:
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilter(new ApplicationAuthFilter(authenticationManager()))
}
}
基本上,您需要阅读随请求传递的标头信息,并根据该标头信息采取措施。
希望这会有所帮助。
以上是关于实施URL身份验证的春季安全性时拒绝URL访问的主要内容,如果未能解决你的问题,请参考以下文章
使用 Spring 和 Spring 安全性访问拒绝和允许功能
将后端身份验证令牌附加到响应 URL 时是不是存在安全问题?