
Spring Security basic authentication only validating first request

I'm using Spring basic authentication with a custom authentication provider:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomAuthenticationProvider authProvider;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // register the custom provider with the AuthenticationManager
        auth.authenticationProvider(authProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // every request must be authenticated; credentials come via HTTP Basic
        http.authorizeRequests().anyRequest().authenticated()
                .and()
                .httpBasic();
    }
}

And

import java.util.ArrayList;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {

        String name = authentication.getName();
        String password = authentication.getCredentials().toString();

        // customauth() stands for the check against the third-party system
        // (its body is not shown in the question)
        if (customauth()) { // use the credentials
            // and authenticate against the third-party system
            // 3-arg constructor: the returned token is marked authenticated
            return new UsernamePasswordAuthenticationToken(
                    name, password, new ArrayList<>());
        } else {
            // null means "this provider cannot decide"; with no other provider
            // registered the request ends up rejected with 401
            return null;
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(
                UsernamePasswordAuthenticationToken.class
        );
    }
}

To test this I'm using Postman with the following tests:

  • invalid credentials -> 401 Unauthorized
  • correct credentials -> 200 OK
  • invalid credentials -> 200 OK

My problem is that the last request should return 401 Unauthorized, yet every request after a successful login returns 200 OK, even with a wrong token or with no token at all.

Thanks in advance.

When you log in successfully, Spring Security creates an Authentication object and puts it in the SecurityContext in your HTTP session. As long as you have a valid session with a valid Authentication object at the server, Spring Security won't authenticate your request again and will use the Authentication object saved in your session.

This is a Spring Security feature, see SEC-53:

Check the SecurityContextHolder for an authenticated Authentication and reuse it in that case, do not call the authentication manager again.

If you want to reauthenticate, you could

  • use no session at all
  • log out before reauthenticating

In both cases Spring Security will not find an authenticated user saved in the session and will use the new username and password for authentication.
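The first option ("use no session at all") applied to the question's setup, as an added example that is not the answerer's code or the asker's project: it assumes Spring Security 5.x with WebSecurityConfigurerAdapter (as in the question) and a hypothetical ThirdPartyClient interface standing in for the external credential check. With SessionCreationPolicy.STATELESS no HttpSession is created, so no SecurityContext survives between requests and every request is pushed through the AuthenticationProvider again; the provider also throws BadCredentialsException instead of returning null so that a failed check is an explicit rejection.

```java
import java.util.Collections;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;

@Configuration
@EnableWebSecurity
public class StatelessBasicAuthConfig extends WebSecurityConfigurerAdapter {

    private final AuthenticationProvider authProvider;

    public StatelessBasicAuthConfig(AuthenticationProvider authProvider) {
        this.authProvider = authProvider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(authProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // STATELESS: no HttpSession is created, so no SecurityContext is
            // stored between requests. Every request must carry valid Basic
            // credentials and every request goes through the provider.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Without a session cookie there is nothing for CSRF protection to
            // guard; leaving it on would reject Postman POST/PUT/DELETE calls.
            .csrf().disable()
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}

@Component
class ThirdPartyAuthenticationProvider implements AuthenticationProvider {

    // hypothetical client for the external system mentioned in the question
    private final ThirdPartyClient client;

    ThirdPartyAuthenticationProvider(ThirdPartyClient client) {
        this.client = client;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String name = authentication.getName();
        String password = authentication.getCredentials().toString();

        if (!client.checkCredentials(name, password)) {
            // Throwing (rather than returning null) makes the failure explicit:
            // BasicAuthenticationFilter clears the context and answers 401.
            throw new BadCredentialsException("Invalid credentials for " + name);
        }

        // 3-arg constructor marks the token authenticated. The password is not
        // copied into it, so it does not linger in the SecurityContext.
        return new UsernamePasswordAuthenticationToken(
                name, null, Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

// hypothetical interface; the real call depends on the third-party system
interface ThirdPartyClient {
    boolean checkCredentials(String username, String password);
}
```

With this configuration the question's third Postman call (invalid credentials after a successful login) returns 401, because nothing is kept server-side between calls. The trade-off is that every request now pays for the round trip to the third-party system; if that call is expensive, the second option from the answer (keep the session, but log out before presenting new credentials) or a short-lived credential cache in the provider may be preferable.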
