[英]Spring boot + Spring Security: how to suppress the basic auth form
美好的一天。
我在Spring启动自动配置应用程序的上下文中使用Spring安全性。 我的目标是设置基本身份验证,以便标准浏览器的基本身份验证表单不会显示在401上。从Google我发现要实现它,我需要将默认的“WWW-Authenticate”标题更改为不同于“基本xxxxx“。
为此,我宣布了一个过滤器:
@Bean
@Order(Integer.MAX_VALUE)
public Filter customAuthFilter() {
return new Filter() {
@Override
public void init(FilterConfig fc) throws ServletException {
}
@Override
public void doFilter(ServletRequest sreq, ServletResponse sresp, FilterChain fc) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) sreq;
HttpServletResponse resp = (HttpServletResponse) sresp;
fc.doFilter(req, resp);
log.info("filter");
log.info("status " + resp.getStatus());
if(resp.getStatus() == 401) {
resp.setHeader("WWW-Authenticate", "Client-driven");
}
}
@Override
public void destroy() {
}
};
从日志中我看到我的过滤器已成功识别应用程序并参与处理响应(我看到来自doFilter的日志消息)。 但是,浏览器收到的实际响应仍然包含标准的“WWW-Authenticate”标题。 似乎有人凌挑我的标题,我不知道究竟是谁。
有人可以给个建议吗?
使用自定义EntryPoint解决了这个问题:
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/rest/**").authenticated()
.and().httpBasic().authenticationEntryPoint(new AuthenticationEntryPoint() {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
String requestedBy = request.getHeader("X-Requested-By");
log.info("X-Requested-By: " + requestedBy);
if(requestedBy == null || requestedBy.isEmpty()) {
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.addHeader("WWW-Authenticate", "Basic realm=Cascade Realm");
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
} else {
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.addHeader("WWW-Authenticate", "Application driven");
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
}
}
});
}
Spring Security过滤器也将添加最低优先级,因此它可能位于您的上游。 您可以尝试降低订单。 处理401响应的传统方法是使用AuthenticationFailureHandler
但我想我可以理解为什么你可以这样做,因为基本的auth已经存在。
只需在请求标头中添加“X-Requested-With:XMLHttpRequest”(在Spring Security 4.2.2.RELEASE中测试)。
有关详细信息,HttpBasicConfigurer值得查找。
以下是使用CURL的测试结果:
hanxideMacBook-Pro:~ hanxi$ curl -u "13980547109:xxx" -v -d "" -H "X-Requested-With: XMLHttpRequest" http://sales.huoxingy.com/api/v1/sales/login
* Trying 101.37.135.20...
* TCP_NODELAY set
* Connected to sales.huoxingy.com (101.37.135.20) port 80 (#0)
* Server auth using Basic with user '13980547109'
> POST /api/v1/sales/login HTTP/1.1
> Host: sales.huoxingy.com
> Authorization: Basic MTM5ODA1NDcxMDk6MTIzNDU2
> User-Agent: curl/7.54.0
> Accept: */*
> X-Requested-With: XMLHttpRequest
> Content-Length: 0
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200
< Server: nginx/1.12.1
< Date: Thu, 21 Sep 2017 01:43:13 GMT
< Content-Length: 0
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< X-XSS-Protection: ; mode=block
< x-auth-token: 2f595113-cdba-4394-8ca0-bcd72239bea5
< Set-Cookie: CONTAINERID=efc390abdb189a10c55e0672b07cfe1c7d665be4db9ad40e122475e5cdff605d; path=/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.