
Spring: BasicHttp doesn't work with jdbcAuthentication when hitting requests from Postman

I am trying to implement jdbcAuthentication in my project. The problem is that it works when I make requests from the browser, but when I make requests from Postman it doesn't work; I mean authentication doesn't happen and even random credentials work.

However, if I use inMemoryAuthentication it works fine for both browser and Postman. This is my code inside SecurityConfig.

    // Inside SecurityConfig, which extends WebSecurityConfigurerAdapter
    // (dataSource is an injected javax.sql.DataSource field).
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
            .dataSource(dataSource)
            .usersByUsernameQuery("select username, password, enabled from users where username=?")
            .authoritiesByUsernameQuery("select username, role from user_roles where username=?");

        // This works:
        // auth.inMemoryAuthentication().withUser("user").password("pass").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests().anyRequest().authenticated().and().httpBasic().and().csrf().disable();
    }

In Postman I make a POST request.

In Authorization type I select basic auth and enter the credentials, which are then populated in the Authorization header below.

These are the headers:

Content-Type:application/json
X-XSRF-TOKEN:{{X-CSRF-TOKEN}}
Authorization:Basic ajhsjajywshhshshsssss

If I comment out the jdbcAuthentication part and uncomment the inMemoryAuthentication code, authentication works from both browser and Postman. Can someone please help me, why is this happening? Am I missing something? Thanks!!

You are using .authenticated(), which means the user is already authenticated and you want to allow users that are already authenticated (aka "remembered").

    http.authorizeRequests().anyRequest()
        .authenticated().and().httpBasic().and().csrf().disable();

But actually, what you want to do is to authenticate for the first time, so for this you need to change it to fullyAuthenticated:

    http.authorizeRequests()
            .anyRequest().fullyAuthenticated()
            .and().httpBasic()
            .and().csrf().disable();

If you check the AuthorizedUrl documentation you will find:

authenticated() : Specify that URLs are allowed by any authenticated user.

fullyAuthenticated() : Specify that URLs are allowed by users who have authenticated and were not "remembered".
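As an added example (not the asker's or the answerer's code), here is the same jdbcAuthentication setup written out as a complete configuration class for Spring Security 5.x. The PasswordEncoder bean and the stateless session policy are assumptions added here: they make the stored passwords compare as BCrypt hashes and stop either the browser or Postman from reusing a session instead of sending credentials on each request.

```java
// Added example config (not the question's or answer's code); assumes Spring Security 5.x.
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    // Stored passwords must be BCrypt hashes (encode them with this bean when creating users).
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
            .dataSource(dataSource)
            .passwordEncoder(passwordEncoder())  // compare the submitted password to the stored hash
            .usersByUsernameQuery("select username, password, enabled from users where username = ?")
            .authoritiesByUsernameQuery("select username, role from user_roles where username = ?");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().fullyAuthenticated()
            .and().httpBasic()
            // STATELESS: no session is kept, so each request must carry its own Authorization header
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().csrf().disable();
    }
}
```

Tables assumed by the queries: users(username, password, enabled) and user_roles(username, role), as in the question.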
