Basic Auth不适用于多个配置

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Basic Auth不适用于多个配置相关的知识,希望对你有一定的参考价值。

我正在尝试为已经配置了一些安全策略的应用程序中的一个特定路径设置基本身份验证。我正在使用Spring Boot 2.0

这是我的配置:

@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Configuration
    @Order(1)
    inner class TokenWebSecurityConfig : WebSecurityConfigurerAdapter() {

        override fun configure(http: HttpSecurity) {
            http.antMatcher("/token")
                .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/token").permitAll()
                .anyRequest().denyAll()
                .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .csrf().disable()
        }
    }

    @Configuration
    @Order(2)
    inner class SignUpWebSecurityConfig(private val signUpBasicAuthConfig: SignUpBasicAuthConfig) :
        WebSecurityConfigurerAdapter() {

        override fun configure(http: HttpSecurity) {
            http
                .antMatcher("/signup")
                .csrf()
                .disable()
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .httpBasic()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        }

        override fun configure(auth: AuthenticationManagerBuilder) {
            auth.inMemoryAuthentication()
                .withUser(signUpBasicAuthConfig.username)
                .password(signUpBasicAuthConfig.password)
                .roles("USER")
        }
    }

    @Configuration
    @Order(3)
    inner class ApiWebSecurityConfig(private val service: TokenAuthenticationUserDetailsService) :
        WebSecurityConfigurerAdapter() {

        override fun configure(http: HttpSecurity) {
            http
                .antMatcher("/api/**")
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .addFilterBefore(authFilter(), RequestHeaderAuthenticationFilter::class.java)
                .authenticationProvider(preAuthProvider())
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .csrf().disable()
        }

        @Bean
        fun authFilter(): TokenAuthenticationFilter = TokenAuthenticationFilter()

        @Bean
        fun preAuthProvider(): AuthenticationProvider =
            PreAuthenticatedAuthenticationProvider().apply { setPreAuthenticatedUserDetailsService(service) }
    }

    @Configuration
    @Order(4)
    inner class HealthWebSecurityConfig : WebSecurityConfigurerAdapter() {

        override fun configure(http: HttpSecurity) {
            http.authorizeRequests().antMatchers(HttpMethod.GET, "/health").permitAll()
        }
    }

    @Configuration
    class AuthenticationManagerProvider : WebSecurityConfigurerAdapter() {

        @Bean
        override fun authenticationManagerBean(): AuthenticationManager = super.authenticationManagerBean()
    }
}

@Order(2)配置总是失败。日志:

14:23:00.318 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/signup'; against '/token'
14:23:00.319 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/signup'; against '/signup'
14:23:00.320 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy - /signup at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
14:23:00.321 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy - /signup at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
14:23:00.322 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy - /signup at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
14:23:00.324 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy - /signup at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
14:23:00.324 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', GET]
14:23:00.324 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'POST /signup' doesn't match 'GET /logout
14:23:00.324 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', POST]
14:23:00.324 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/signup'; against '/logout'
14:23:00.324 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', PUT]
14:23:00.325 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'POST /signup' doesn't match 'PUT /logout
14:23:00.325 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', DELETE]
14:23:00.325 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'POST /signup' doesn't match 'DELETE /logout
14:23:00.325 [http-nio-8080-exec-1] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
14:23:00.325 [http-nio-8080-exec-1] DEBUG o.s.security.web.FilterChainProxy - /signup at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
14:23:00.325 [http-nio-8080-exec-1] DEBUG o.s.s.w.a.w.BasicAuthenticationFilter - Basic Authentication Authorization header found for user 'username'
14:23:00.327 [http-nio-8080-exec-1] DEBUG o.s.s.authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
14:23:00.473 [http-nio-8080-exec-1] WARN  o.s.s.c.bcrypt.BCryptPasswordEncoder - Encoded password does not look like BCrypt
14:23:00.473 [http-nio-8080-exec-1] DEBUG o.s.s.a.d.DaoAuthenticationProvider - Authentication failed: password does not match stored value
14:23:00.474 [http-nio-8080-exec-1] DEBUG o.s.s.w.a.w.BasicAuthenticationFilter - Authentication request for failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
14:23:00.474 [http-nio-8080-exec-1] DEBUG o.s.s.w.a.DelegatingAuthenticationEntryPoint - Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
14:23:00.474 [http-nio-8080-exec-1] DEBUG o.s.s.w.a.DelegatingAuthenticationEntryPoint - No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@44d29834

在我看来,由于某种原因,内存AuthenticationManager没有使用。任何的想法?

答案

我遇到了类似的问题,因为从2.0版开始,密码需要有一个前缀来指示它们是如何加密的。例如,bcrypt密码看起来像这样:

{bcrypt}2187jbfsafsd

如果这不能立即起作用,我还做了一些编辑,使其在我的应用程序中工作:

我首先创建了一个Passwordencoder bean并将其粘贴到securityconfig中:

@Bean
public static PasswordEncoder passwordEncoder() {
   return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}

然后我修改了DaoAuthenticationProvider(也在securityconfig中):

@Bean
public DaoAuthenticationProvider authenticationProvider() {
    final DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
    authProvider.setUserDetailsService(userDetailsService);
    authProvider.setPasswordEncoder(passwordEncoder);
    return authProvider;
}

最后我将编码器自动装入securityconfig:

@Autowired
private PasswordEncoder passwordEncoder;

我希望这可以帮助你

另一答案

我认为你的问题与拥有多个WebSecurityConfigurerAdapter实例并期望它们都被使用有关,据我所知Spring只会使用一个。这已经在这里进一步讨论:Using multiple WebSecurityConfigurerAdapter in spring boot

My preferred solution是定义一个特殊的接口

public interface ServiceWebSecurityConfigurer {
    void configure(HttpSecurity http) throws Exception;
}

然后只有一个ConfigurerAdapter:

public class MyConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Autowired(required = false)
    List<ServiceWebSecurityConfigurer> securityConfigurers;

    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests(). // whatever

        for (ServiceWebSecurityConfigurer serviceSecConfig: securityConfigurers)
            serviceSecConfig.configure(http);

        http.authorizeRequests(). // whatever
    }
}

以上是关于Basic Auth不适用于多个配置的主要内容,如果未能解决你的问题,请参考以下文章

主题不适用于片段

“ES7 React/Redux/GraphQL/React-Native 片段”不适用于 javascript 文件。除了安装它,我还需要配置其他东西吗?

Facebook状态回调不适用于片段

nginx配置指令auth_basic、auth_basic_user_file及相关知识

配置 nginx 的 basic auth 验证

nginx 添加basic auth