Spring 使用 RequestParam 时安全不断要求登录
[英]Spring Security keeps asking for login when using RequestParam
问题描述
I'm trying to build a backend part of my app and I want to use rest controllers and secure them with spring security.
我正在尝试构建我的应用程序的后端部分,我想使用 rest 控制器并使用 spring 安全性保护它们。 This is the config:这是配置:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().configurationSource(corsConfigurationSource()).and().csrf().
disable()
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.httpBasic();
}
I also have two controllers:我也有两个控制器:
@GetMapping(path = "/testOFWork")
public AuthBean test() {
System.out.println("worked");
return new AuthBean("You are authenticated already");
}
@GetMapping(path = "/getUserInfo")
public User getInfo(@RequestParam(value = "username") String user) {
return dao.getByUserName(user);
}
The first one is working perfectly.第一个工作完美。 When I try to reach it: spring asks me to log in. I do it and it shows me a message.当我尝试访问它时:spring 要求我登录。我这样做了,它显示了一条消息。 But when I'm trying to get to the second one it just keeps asking me for a login.但是当我试图进入第二个时,它只是一直要求我登录。 And if I try to go to the first one, which worked perfectly fine it asks me to login again.如果我尝试 go 到第一个,它工作得非常好,它要求我再次登录。 Experimentally I've figured out that RequestParam causes this problem.通过实验我发现 RequestParam 导致了这个问题。 I understand that the problem may be in the configuration itself, but I can't get It.我知道问题可能出在配置本身,但我无法得到它。
Thanks for the response in advance!"感谢您提前回复!”
EDIT Here is full config class:编辑这里是完整的配置 class:
@Autowired
UserDetailsService userDetailsService;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().configurationSource(corsConfigurationSource()).and().csrf().
disable()
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.httpBasic();
}
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
List<String> allowOrigins = Arrays.asList("*");
configuration.setAllowedOrigins(allowOrigins);
configuration.setAllowedMethods(singletonList("*"));
configuration.setAllowedHeaders(singletonList("*"));
//in case authentication is enabled this flag MUST be set, otherwise CORS requests will fail
configuration.setAllowCredentials(true);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
@Autowired
public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
}
1 个解决方案
解决方案1
1 已采纳 2020-04-08 17:11:43
You are telling to your spring security to check if user is authenticated for any request in.antMatchers(HttpMethod.OPTIONS, "/**").您告诉您的 spring 安全检查用户是否已针对 .antMatchers(HttpMethod.OPTIONS, "/**") 中的任何请求进行身份验证。
EDIT编辑
Your code should look like this:您的代码应如下所示:
http.authorizeRequests()
.antMatchers("/securityNone").permitAll()
.anyRequest().authenticated()
.and()
.httpBasic()
.authenticationEntryPoint(authenticationEntryPoint);
http.addFilterAfter(new CustomFilter(),
BasicAuthenticationFilter.class);
You need to separate the not secured access from the secured one您需要将非安全访问与安全访问分开
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.