在Spring Boot中使用自签名https无法验证Postman的POST / GET请求方法

Question

I'm making a rest endpoint in my spring boot application and can't get my:

@RequestMapping(method = RequestMethod.POST) 

or:

@RequestMapping(value = "/test", method = RequestMethod.GET)

To run from postman. Here is the security-config file:

@Override
public void configure(HttpSecurity httpSecurity) throws Exception{
    System.out.println("configure method entered");
    httpSecurity.requiresChannel()
            .antMatchers("/test").requiresSecure()
            .and()
            .authorizeRequests()
            .anyRequest()
            .authenticated();
}

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    System.out.println("global configurer entered");
    auth.inMemoryAuthentication()
            .withUser(******).password(*****).roles("USER")
            .and()
            .withUser(******).password(*****).roles("USER", "ADMIN");
}

Without the self-signed certificate we implemented and no authorization, the POST method in postman has been working fine. I can't figure out how the authorization is preventing my POST method from running. I have already entered the correct user credentials in basic auth, under authorization in postman. Current header output:

Cache-Control →no-cache, no-store, max-age=0, must-revalidate
Content-Length →0
Date →Tue, 23 May 2017 10:40:31 GMT
Expires →0
Pragma →no-cache
Strict-Transport-Security →max-age=31536000 ; includeSubDomains
X-Content-Type-Options →nosniff
X-Frame-Options →DENY
X-XSS-Protection →1; mode=block

There must be something wrong with my configure method since if I provide incorrect password it should not return a 404, but it still does. When executing the application i get the following output in the console:

2017-05-23 14:05:19.460  INFO 6984 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/test],methods=[GET]}" onto public java.lang.String executor.rr.test.text()

This is just for test purposes to check if the rest endpoint responds. Here is the code:

@RestController
public class test {
    @RequestMapping(value = "/test", method = RequestMethod.GET)
    @ResponseBody
    public String text(){
        return "test test";
    }
}

I also updated my configure method to work with https, and i am trying with the following url:

https://localhost:5434/test

Running the POST method from postman, gives the following IDE console output:

2017-05-23 20:01:48.289  INFO 18843 --- [nio-5434-exec-7] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring FrameworkServlet 'dispatcherServlet'
2017-05-23 20:01:48.289  INFO 18843 --- [nio-5434-exec-7] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization started
2017-05-23 20:01:48.307  INFO 18843 --- [nio-5434-exec-7] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization completed in 18 ms

Following this post i added the:

@ComponentScan(basePackages={"package name of where the controller is"})

This restored my security to default and the console printed a one time password. Trying this in postman returned a 401(unauthorized) when i wrote the wrong password, but still 404 when the credentials where correct. This post had a similar issue, but non of them helped.

Here is my project structure for mye application classes and rest classes:

---------------------------------UPDATE-----------------------------------------

So i narrowed the issue down to the authentication. Somewhere in the securityConfig file, either the global or other configure mode is somehow giving the 404 status.

Is the inMemoryAuthentication different from the basic authentication in postman? Or is the httpSecurity methods wrong somehow?

When i remove the entire securityConfig class, spring generates a default password which works fine and i get the desired output from running POST.

Answer 1

Try following:

1. Goto Authorization tab in postman.

2. Select basic auth

3. Enter username and password.

4. Hit post with correct url.

Answer 2

@Configuration
public class AuthenticationConfiguration extends GlobalAuthenticationConfigurerAdapter {

    // overides deafult password, here you can add additional users
    @Override
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("*******").password("******").roles("USER")
                .and()
                .withUser("*****").password("*****").roles("USER", "ADMIN");
        System.out.println("global configurer finished");
    }
}

By removing the securityConfig class, and replacing it whit this, the authentication worked fine.

The test class was only for test purposes and ResoucreNotFoundException was not necessary either.

Answer 3

If you are getting 404 (Resource not found), at that point the SSL handshake already happened, shouldn't matter if self-signed or not. And if authentication / authorization fails, you should be getting 401 or 403.

Are you sure you have a mapping for @RequestMapping(value = "/test", method = RequestMethod.POST) ?

Seems the controller you shared only maps to /test - RequestMethod.GET