英文:
Spring Security httpBasic 404 for correct credentials
问题
在我的 React 应用中,我调用了 Spring Security 基本登录:
e.preventDefault();
const username = states.username;
const password = states.password;
fetch('/api/login', {
method: 'post',
headers: {
Authorization: 'Basic ' + window.btoa(username + ':' + password),
},
}).then((resp) => {
console.log(resp);
return resp.text();
});
SecurityConfig.java:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/api/login").authenticated()
.and()
.httpBasic();
}
}
问题是,当在登录页面输入正确的凭据(spring security 的默认凭据:用户名 "user" 和生成的密码)时,在控制台中收到的响应是:
POST https://localhost:3000/api/login 404 (Not Found)
Response {type: "basic", url: "https://localhost:3000/api/login", redirected: false, status: 404, ok: false, …}
body: (...)
bodyUsed: true
headers: Headers {}
ok: false
redirected: false
status: 404
statusText: "Not Found"
type: "basic"
url: "https://localhost:3000/api/login"
__proto__: Response
当输入错误的凭据时,会显示基本认证弹出框,并且没有凭据被视为有效 - 在登录尝试后,弹出框会继续出现。
我漏掉了什么?
英文:
In my react app I call spring security basic login:
e.preventDefault();
const username = states.username;
const password = states.password;
fetch('/api/login', {
method: 'post',
headers: {
Authorization: 'Basic ' + window.btoa(username + ':' + password),
},
}).then((resp) => {
console.log(resp);
return resp.text();
});
SecurityConfig.java:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/api/login").authenticated()
.and()
.httpBasic();
}
}
The problem is, when entering correct credentials on login page (spring security's default: username "user" and generated password), the response i get in console is:
POST https://localhost:3000/api/login 404 (Not Found)
Response {type: "basic", url: "https://localhost:3000/api/login", redirected: false, status: 404, ok: false, …}
body: (...)
bodyUsed: true
headers: Headers {}
ok: false
redirected: false
status: 404
statusText: "Not Found"
type: "basic"
url: "https://localhost:3000/api/login"
__proto__: Response
when entering incorrect credentials basic authentication pop-up shows, 
and no credentials are treated as valid – the pop-up keeps reappearing after login attempts.
What am I missing?
答案1
得分: 1
我认为这是因为您正在保护登录端点,所以您创建了一个恶性循环 - 您必须进行身份验证才能进行身份验证。
将您的 antMatchers 行更改为:
.antMatchers("/api/login").permitAll()
.and()
.formLogin()
.loginProcessingUrl("/api/login")
英文:
I think it's because you're securing the login endpoint, so you've created a ficious circle - you have to be authenticated to authenticate.
Change your antMatchers line to:
.antMatchers("/api/login").permitAll()
.and()
.formLogin()
.loginProcessingUrl("/api/login")
</details>
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论