[英]Spring Security, Rest Authentication and CSRF
I would like use authentication with my application. 我想在我的应用程序中使用身份验证。 I hava a Spring MVC app and Spring Security applied.
我有一个Spring MVC应用程序和Spring Security应用程序。 Against browser, it is working fine.
对浏览器,它工作正常。 It means, I authenticate a user to my app and use web page.
这意味着,我向我的应用程序验证用户并使用网页。
Now, I want to use rest. 现在,我想用休息。 I added on my unsecure controller method @ResponseBody and I receive response in json.
我添加了不安全的控制器方法@ResponseBody,我在json中收到响应。 But how to connect to my application with user and password with RestTemplate ?
但是如何使用RestTemplate用户和密码连接到我的应用程序?
My code in RestClient is (for test) : 我在RestClient中的代码是(用于测试):
public void unsecureProfileTest() {
String url = articleServiceUrl + "unsecure/profile/test.json";
url = articleServiceUrl + "secure/profile/wiew.json";
HttpEntity<Object> entity = new HttpEntity<Object>(getHeaders("user:userpassword"));
Object s = restTemplate.exchange(url, HttpMethod.GET, entity, Object.class);
}
static HttpHeaders getHeaders(String auth) {
HttpHeaders headers = new HttpHeaders();
headers.setContentType(MediaType.APPLICATION_JSON);
headers.setAccept(Arrays.asList(MediaType.APPLICATION_JSON,
MediaType.TEXT_HTML));
byte[] encodedAuthorisation = Base64.encode(auth.getBytes());
headers.add("Authorization", "Basic "
+ new String(encodedAuthorisation));
return headers;
}
My SecurityConfig : 我的安全配置:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests().antMatchers("/*").permitAll().and()
.formLogin().successHandler(successHandler)
.defaultSuccessUrl("/").failureHandler(failureHandler)
.failureUrl("/login?error=true").permitAll().and().logout()
.permitAll();
http.authorizeRequests().antMatchers("/resources/**").permitAll();
http.authorizeRequests().antMatchers("/welcome").permitAll();
http.authorizeRequests().antMatchers("/unsecure/**").permitAll();
http.authorizeRequests().antMatchers("/secure/*").authenticated();
http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated();
}
The result is : Access is denied. 结果是:访问被拒绝。 I guess the problem comming from authentication from restTemplate but how can I authenticate ?
我想问题来自restTemplate的身份验证,但我如何进行身份验证?
My second question is regarding csrf who is disabled but I want to enable it (my forms use it) 我的第二个问题是关于csrf谁被禁用但我想启用它(我的表单使用它)
I'm using Spring 4.0 and Spring Security 3.2 我正在使用Spring 4.0和Spring Security 3.2
EDIT I updated my code with 编辑我更新了我的代码
String url = articleServiceUrl + "unsecure/profile/test.json";
url = articleServiceUrl + "secure/profile/wiew.json";
HttpEntity<Object> entity = new HttpEntity<Object>(getHeaders("{user:userpassword, password:userpassword}"));
Object s = restTemplate.exchange(url, HttpMethod.GET, entity, Object.class);
I receive a code 302
我收到一个代码
302
EDIT 18022014 - 16:46 I updated to 编辑18022014 - 16:46我更新到
String url = articleServiceUrl + "login?username=user&password=userpassword";
HttpEntity entity restTemplate;exchange(url, HTTPMethod.POST,null, HttpEntity.class)
system.out.println(entity);
In log of web server, I received a success message (see userdetails on "user"). 在Web服务器的日志中,我收到了一条成功消息(请参阅“user”的userdetails)。
Now, I would like use authentication to access to other url ("secure/profile/view.json") 现在,我想使用身份验证来访问其他URL(“secure / profile / view.json”)
How to keep authentication ? 如何保持身份验证?
Thank you 谢谢
I have been playing with spring security and spring boot REST application and I created my own MapCsrfTokenRepository that I used instead of default HttpSessionCsrfTokenRepository . 我一直在玩spring security和spring boot REST应用程序,我创建了自己的MapCsrfTokenRepository ,而不是默认的HttpSessionCsrfTokenRepository 。
Then you can enable csrf for your rest URIs with 然后,您可以为其余的URI启用csrf
http.csrf().csrfTokenRepository(tokenRepository)
The main idea is to return new CSRF_TOKEN when client access /login resource with GET , because no csrf token is needed for GET. 主要思想是在使用GET的客户端访问/登录资源时返回新的CSRF_TOKEN,因为GET不需要csrf令牌。 And then client has to use this token in next calls.
然后客户端必须在下次调用中使用此令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.