
BasicAuth using Spring boot

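In my setup, I have an upstream system that sends HTTP requests to my system. These HTTP requests carry a basicAuth token in their header.

I am using Spring Boot with an external Tomcat.

How can I configure my application to check whether the username/password is correct and then follow the normal flow, or otherwise print an exception in the logs?

My application has no UI, so I don't want to show any login page/error page. The examples I found, like the one here, are all UI-based, which is not my requirement.

Also, if the solution requires configuring Tomcat (as in this example), how can I do that without a web.xml, given that I am using Spring Boot?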

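If you use Tomcat basic authentication, your application will be tied to the Tomcat web container.

I think that since your application is based on Spring Boot, you can use Spring Security in it and enable Basic Authentication.

Follow this post, in which the author shows how to secure an application using Spring Security.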
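One way to do what the answer above suggests for a service with no UI, as an added example that is not part of the original answer: HTTP Basic through Spring Security, with rejected requests logged and answered with a bare 401. It assumes Spring Security 5.7 or later; the class name `BasicAuthConfig`, the user `upstream`, the role `UPSTREAM` and the environment variable `UPSTREAM_PASSWORD` are hypothetical.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class BasicAuthConfig { // hypothetical class name
    private static final Logger log = LoggerFactory.getLogger(BasicAuthConfig.class);

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Runs when credentials are missing or wrong: log the failure (never the
        // Authorization header itself) and answer 401 with no login or error page.
        AuthenticationEntryPoint logAndReject = (request, response, ex) -> {
            log.warn("Basic auth rejected for {} from {}: {}",
                    request.getRequestURI(), request.getRemoteAddr(), ex.getMessage());
            response.setHeader("WWW-Authenticate", "Basic realm=\"upstream\"");
            response.setStatus(HttpStatus.UNAUTHORIZED.value());
        };
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(basic -> basic.authenticationEntryPoint(logAndReject))
            .csrf(csrf -> csrf.disable()) // no browser session or cookies to protect
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
    @Bean
    UserDetailsService upstreamUser(PasswordEncoder encoder) {
        // Assumption: one upstream caller whose secret comes from the environment.
        String secret = System.getenv("UPSTREAM_PASSWORD");
        if (secret == null) throw new IllegalStateException("UPSTREAM_PASSWORD is not set");
        return new InMemoryUserDetailsManager(User.withUsername("upstream")
                .password(encoder.encode(secret)).roles("UPSTREAM").build());
    }
}
```

Because the check runs in a Spring Security filter inside the application, nothing has to be configured in Tomcat or in a web.xml.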

OAUTH2 server configuration

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

    public class AuthserverApplication extends WebMvcConfigurerAdapter {

        // Resource server: decides which paths require an authenticated caller.
        @Configuration
        @EnableResourceServer
        protected static class ResourceServer extends ResourceServerConfigurerAdapter {
            @Override
            public void configure(HttpSecurity http) throws Exception {
                http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                    .and()
                        .requestMatchers().antMatchers("/user/**", "/api/v1/user")
                    .and()
                        .authorizeRequests()
                            .antMatchers("/user/**").authenticated()
                            .antMatchers("/api/v1/user").permitAll();
            }

            @Override
            public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
                resources.resourceId("sparklr").stateless(false);
            }
        }

        // Authorization server: issues tokens for the password and refresh_token grants.
        @Configuration
        @EnableAuthorizationServer
        protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {
            @Autowired
            private AuthenticationManager authenticationManager;
            @Autowired
            private UserDetailsService userDetailsService;

            @Override
            public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
                endpoints.authenticationManager(authenticationManager).userDetailsService(userDetailsService);
            }

            @Override
            public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
                // Single in-memory client, registered without a client secret.
                clients.inMemory().withClient("act_client")
                        .authorizedGrantTypes("password", "refresh_token")
                        .scopes("read", "write", "trust");
            }
        }
    }

UserDetailsService implementation

    import java.util.HashSet;
    import java.util.Set;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.stereotype.Service;

    import com.flasher.entity.AuthorityM;
    import com.flasher.entity.User;
    import com.flasher.repository.UserRepository;

    @Service
    public class UserDetailsInfo implements UserDetailsService {

        @Autowired
        UserRepository userRepository;

        @Override
        public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
            User user = userRepository.findByUsername(userName);
            // An unknown user must surface as UsernameNotFoundException, not as a NullPointerException.
            if (user == null) {
                throw new UsernameNotFoundException("No such user: " + userName);
            }
            // Map the application's role entities to Spring Security authorities.
            Set<AuthorityM> authorityMs = user.getAuthorityMs();
            Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
            authorityMs.stream().forEach(authorityM -> {
                authorities.add(new SimpleGrantedAuthority(authorityM.getRole()));
            });
            return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(),
                    authorities);
        }

    }

Implement "org.springframework.security.core.userdetails.UserDetailsService" to initialize and return an "org.springframework.security.core.userdetails.User" instance for authentication by the OAUTH server.
