Spring Security:在身份验证错误时回退到 formLogin
[英]Spring Security : Falls back to formLogin on authentication error
问题描述
I tried to implement a SecurityConfig similar to https://stackoverflow.com/a/33608459 and https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#multiple-httpsecurity
我尝试实现类似于https://stackoverflow.com/a/33608459和https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#multiple-httpsecurity的 SecurityConfig
I want my API ( /rest/** ) to be secured by HttpBasic, and other requests via FormLogin.我希望我的 API ( /rest/** ) 由 HttpBasic 保护,并通过 FormLogin 进行其他请求。 This works well... as long as I provide the correct credentials to HttpBasic.这很有效……只要我向 HttpBasic 提供正确的凭据。
If I provide correct credentials - it response with normal answer.如果我提供正确的凭据 - 它会以正常答案进行响应。
If I provide no credentials - it responds with a 401 Unauthorized - perfect!如果我提供任何凭证-它回应一个401 Unauthorized完美- !
If I provide wrong credentials - it responds with a 302 Found with Location: /login如果我提供了错误的凭据 - 它会响应302 Found with Location: /login
The last part is what I don't want - I also want a 401 Unauthorized on wrong credentials.最后一部分是我不想要的 - 我还想要一个401 未经授权的错误凭据。
Example Requests:示例请求:
http http://localhost:8081/rest/
HTTP/1.1 401WWW-Authenticate: Basic realm="My Realm"HTTP/1.1 401WWW-Authenticate: Basic realm="My Realm"
http -a correct:password http://localhost:8081/rest/some/api/
HTTP/1.1 200
http -a wrong:password http://localhost:8081/rest/some/api/
HTTP/1.1 302Location: http://hive.local:8081/login WWW-Authenticate: Basic realm="My Realm"HTTP/1.1 302Location: http://hive.local:8081/login WWW-Authenticate: Basic realm="My Realm"
Java configuration: Java配置:
@Configuration
@Order(1)
public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private AuthorizationProperties properties;
@Override protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.antMatcher("/rest/**")
.authorizeRequests()
.anyRequest().hasRole("API").and()
.httpBasic()
.realmName(properties.getRealm()).and()
.formLogin().disable()
.csrf().disable();
// @formatter:on
}
}
@Configuration
@Order(2)
public static class FrontendSecurityConfig extends WebSecurityConfigurerAdapter {
@Override public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/app/**", "/webjars/**", "/static/**", "/js/**");
}
@Override protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests()
.anyRequest().hasAnyRole("USER").and()
.formLogin();
// @formatter:on
}
}
1 个解决方案
解决方案1
0 2021-05-17 13:29:41
I was able to bring some light into this.我能够对此有所了解。
The redirect to form login after a failed basic auth request is cause by the dispatcher servlet trying to redirect to the URL /error after failing to validate the credentials.在基本身份验证请求失败后重定向到表单登录是由调度程序 servlet 在验证凭据失败后尝试重定向到 URL /error引起的。
To get the appropriate error response you need to add /error to the antMatchers that are ignored in your web security config.要获得适当的错误响应,您需要将/error添加到在您的网络安全配置中被忽略的antMatchers 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.