Spring boot + Spring Security:如何壓制基本的auth表單
[英]Spring boot + Spring Security: how to suppress the basic auth form
問題描述
美好的一天。
我在Spring啟動自動配置應用程序的上下文中使用Spring安全性。 我的目標是設置基本身份驗證,以便標准瀏覽器的基本身份驗證表單不會顯示在401上。從Google我發現要實現它,我需要將默認的“WWW-Authenticate”標題更改為不同於“基本xxxxx“。
為此,我宣布了一個過濾器:
@Bean
@Order(Integer.MAX_VALUE)
public Filter customAuthFilter() {
return new Filter() {
@Override
public void init(FilterConfig fc) throws ServletException {
}
@Override
public void doFilter(ServletRequest sreq, ServletResponse sresp, FilterChain fc) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) sreq;
HttpServletResponse resp = (HttpServletResponse) sresp;
fc.doFilter(req, resp);
log.info("filter");
log.info("status " + resp.getStatus());
if(resp.getStatus() == 401) {
resp.setHeader("WWW-Authenticate", "Client-driven");
}
}
@Override
public void destroy() {
}
};
從日志中我看到我的過濾器已成功識別應用程序並參與處理響應(我看到來自doFilter的日志消息)。 但是,瀏覽器收到的實際響應仍然包含標准的“WWW-Authenticate”標題。 似乎有人凌挑我的標題,我不知道究竟是誰。
有人可以給個建議嗎?
3 個解決方案
解決方案1
7 已采納 2014-10-10 20:43:07
使用自定義EntryPoint解決了這個問題:
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/rest/**").authenticated()
.and().httpBasic().authenticationEntryPoint(new AuthenticationEntryPoint() {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
String requestedBy = request.getHeader("X-Requested-By");
log.info("X-Requested-By: " + requestedBy);
if(requestedBy == null || requestedBy.isEmpty()) {
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.addHeader("WWW-Authenticate", "Basic realm=Cascade Realm");
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
} else {
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.addHeader("WWW-Authenticate", "Application driven");
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
}
}
});
}
解決方案2
1 2014-10-05 16:42:29
Spring Security過濾器也將添加最低優先級,因此它可能位於您的上游。 您可以嘗試降低訂單。 處理401響應的傳統方法是使用AuthenticationFailureHandler但我想我可以理解為什么你可以這樣做,因為基本的auth已經存在。
解決方案3
0 2017-09-21 02:15:04
只需在請求標頭中添加“X-Requested-With:XMLHttpRequest”(在Spring Security 4.2.2.RELEASE中測試)。
有關詳細信息,HttpBasicConfigurer值得查找。
以下是使用CURL的測試結果:
hanxideMacBook-Pro:~ hanxi$ curl -u "13980547109:xxx" -v -d "" -H "X-Requested-With: XMLHttpRequest" http://sales.huoxingy.com/api/v1/sales/login
* Trying 101.37.135.20...
* TCP_NODELAY set
* Connected to sales.huoxingy.com (101.37.135.20) port 80 (#0)
* Server auth using Basic with user '13980547109'
> POST /api/v1/sales/login HTTP/1.1
> Host: sales.huoxingy.com
> Authorization: Basic MTM5ODA1NDcxMDk6MTIzNDU2
> User-Agent: curl/7.54.0
> Accept: */*
> X-Requested-With: XMLHttpRequest
> Content-Length: 0
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200
< Server: nginx/1.12.1
< Date: Thu, 21 Sep 2017 01:43:13 GMT
< Content-Length: 0
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< X-XSS-Protection: ; mode=block
< x-auth-token: 2f595113-cdba-4394-8ca0-bcd72239bea5
< Set-Cookie: CONTAINERID=efc390abdb189a10c55e0672b07cfe1c7d665be4db9ad40e122475e5cdff605d; path=/
如何在沒有HTTP標簽的情況下在Spring Security中設置基本身份驗證?
[英]How to set up basic auth in spring security without the HTTP tag?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.