英文:
Spring Security keeps asking for login when using RequestParam
问题
这是配置代码部分:
@Overrideprotected void configure(HttpSecurity http) throws Exception {http.cors().configurationSource(corsConfigurationSource()).and().csrf().disable().authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll().anyRequest().authenticated().and().httpBasic();}
这是第一个控制器:
@GetMapping(path = "/testOFWork")public AuthBean test() {System.out.println("worked");return new AuthBean("You are authenticated already");}
这是第二个控制器:
@GetMapping(path = "/getUserInfo")public User getInfo(@RequestParam(value = "username") String user) {return dao.getByUserName(user);}
这是完整的配置类:
@AutowiredUserDetailsService userDetailsService;@Overrideprotected void configure(HttpSecurity http) throws Exception {http.cors().configurationSource(corsConfigurationSource()).and().csrf().disable().authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll().anyRequest().authenticated().and().httpBasic();}CorsConfigurationSource corsConfigurationSource() {CorsConfiguration configuration = new CorsConfiguration();List<String> allowOrigins = Arrays.asList("*");configuration.setAllowedOrigins(allowOrigins);configuration.setAllowedMethods(singletonList("*"));configuration.setAllowedHeaders(singletonList("*"));//in case authentication is enabled this flag MUST be set, otherwise CORS requests will failconfiguration.setAllowCredentials(true);UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();source.registerCorsConfiguration("/**", configuration);return source;}@Autowiredpublic void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());}
如果还有其他需要的翻译,请告诉我。
英文:
I'm trying to build a backend part of my app and I want to use rest controllers and secure them with spring security.
This is the config:
@Overrideprotected void configure(HttpSecurity http) throws Exception {http.cors().configurationSource(corsConfigurationSource()).and().csrf().disable().authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll().anyRequest().authenticated().and().httpBasic();}
I also have two controllers:
@GetMapping(path = "/testOFWork")public AuthBean test() {System.out.println("worked");return new AuthBean("You are authenticated already");}@GetMapping(path = "/getUserInfo")public User getInfo(@RequestParam(value = "username") String user) {return dao.getByUserName(user);}
The first one is working perfectly. When I try to reach it: spring asks me to log in. I do it and it shows me a message.
But when I'm trying to get to the second one it just keeps asking me for a login. And if I try to go to the first one, which worked perfectly fine it asks me to login again.
Experimentally I've figured out that RequestParam causes this problem.
I understand that the problem may be in the configuration itself, but I can't get It.
Thanks for the response in advance!"
EDIT
Here is full config class:
@AutowiredUserDetailsService userDetailsService;@Overrideprotected void configure(HttpSecurity http) throws Exception {http.cors().configurationSource(corsConfigurationSource()).and().csrf().disable().authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll().anyRequest().authenticated().and().httpBasic();}CorsConfigurationSource corsConfigurationSource() {CorsConfiguration configuration = new CorsConfiguration();List<String> allowOrigins = Arrays.asList("*");configuration.setAllowedOrigins(allowOrigins);configuration.setAllowedMethods(singletonList("*"));configuration.setAllowedHeaders(singletonList("*"));//in case authentication is enabled this flag MUST be set, otherwise CORS requests will failconfiguration.setAllowCredentials(true);UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();source.registerCorsConfiguration("/**", configuration);return source;}@Autowiredpublic void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());}
答案1
得分: 1
你正在告诉你的 Spring Security,在任何请求中检查用户是否已通过身份验证,使用以下代码段:
EDIT
你的代码应该如下所示:
http.authorizeRequests().antMatchers("/securityNone").permitAll().anyRequest().authenticated().and().httpBasic().authenticationEntryPoint(authenticationEntryPoint);http.addFilterAfter(new CustomFilter(),BasicAuthenticationFilter.class);
你需要将未受保护的访问与受保护的访问分开。
英文:
You are telling to your spring security to check if user is authenticated for any request in .antMatchers(HttpMethod.OPTIONS, "/**").
EDIT
Your code should look like this:
http.authorizeRequests().antMatchers("/securityNone").permitAll().anyRequest().authenticated().and().httpBasic().authenticationEntryPoint(authenticationEntryPoint);http.addFilterAfter(new CustomFilter(),BasicAuthenticationFilter.class);
You need to separate the not secured access from the secured one
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论