[英]Basic authentication doesn't work in Spring-Boot WS Soap service
我有 Spring WS 的 SOAP 模拟服务。 我正在尝试添加基本的 http 身份验证。 我使用网络服务的这个配置:
@EnableWs
@Configuration
public class WebServiceConfig extends WsConfigurerAdapter {
@Bean
public ServletRegistrationBean messageDispatcherServlet(ApplicationContext applicationContext) {
MessageDispatcherServlet servlet = new MessageDispatcherServlet();
servlet.setApplicationContext(applicationContext);
return new ServletRegistrationBean(servlet);
}
@Bean(name = "cards")
public Wsdl11Definition wsdlDefinition() {
SimpleWsdl11Definition wsdl11Definition = new SimpleWsdl11Definition();
wsdl11Definition.setWsdl(new ClassPathResource("cards.wsdl"));
return wsdl11Definition;
}
}
以及 spring-security 的这个配置:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests().anyRequest().authenticated()
.and().httpBasic()
.and().authorizeRequests().antMatchers("*.wsdl").permitAll();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
但是当我运行 spring-boot 并向服务发送请求时,即使没有身份验证,它也会返回响应。 我配置错了什么?
upd:另外,如果我运行 spring-boot 并对配置进行以下更改:
//@EnableWs
@Configuration
public class WebServiceConfig extends WsConfigurerAdapter {
//@Bean
//public ServletRegistrationBean messageDispatcherServlet(ApplicationContext applicationContext) {
// MessageDispatcherServlet servlet = new MessageDispatcherServlet();
// servlet.setApplicationContext(applicationContext);
// return new ServletRegistrationBean(servlet);
//}
@Bean(name = "cards")
public Wsdl11Definition wsdlDefinition() {
SimpleWsdl11Definition wsdl11Definition = new SimpleWsdl11Definition();
wsdl11Definition.setWsdl(new ClassPathResource("cards.wsdl"));
return wsdl11Definition;
}
}
它工作正常(需要对请求进行身份验证)但 url 映射更改为 [/services/*] 这对我来说不是所需的映射。 抱歉,我是 Spring 的新手。
尝试,
正如@denium 指出的顺序问题
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.antMatchers("*.wsdl").permitAll()
.anyRequest().authenticated().hasRole("USER")
.and().httpBasic();
}
我刚刚遇到了同样的问题,这是我的解决方案。 您代码中的 permitAll() 应用于已通过身份验证的用户,您需要使用方法 configure(WebSecurity web) 将 URL 添加到忽略列表。 而且我认为过滤“*.wsdl”还不够,我使用了“/**/*.wsdl”
有我的工作 WebSecurityConfig 类
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
//Enforce basic auth
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.httpBasic()
.and().authorizeRequests().anyRequest().authenticated();
}
//Ignore basic auth for WSDL URL
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/**/*.wsdl");
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
//TODO - do parametru
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
只需将此代码复制粘贴到您的“WebServiceConfig”类
@Bean
public SimplePasswordValidationCallbackHandler securityCallbackHandler() {
SimplePasswordValidationCallbackHandler callbackHandler = new SimplePasswordValidationCallbackHandler();
Properties users = new Properties();
users.setProperty("AAA", "BBB");
callbackHandler.setUsers(users);
return callbackHandler;
}
@Bean
public Wss4jSecurityInterceptor securityInterceptor() {
Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
securityInterceptor.setValidationActions("UsernameToken");
securityInterceptor.setSecurementMustUnderstand(true);
securityInterceptor.setSecurementUsername("setusername");
securityInterceptor.setSecurementPassword("setpassword");
securityInterceptor.setValidationCallbackHandler(securityCallbackHandler());
return securityInterceptor;
}
@Override
public void addInterceptors(List interceptors) {
interceptors.add(securityInterceptor());
}
我遇到了一些问题。 我将 ServletRegistrationBean 更改为自定义 url。
new ServletRegistrationBean(servlet, "/cusom_url_mapping/*");
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.