我正在使用spring security 4,由于某种原因,在我使用登录页面完成身份验证后,我得到了浏览器身份验证对话框,迫使我再次进行身份验证。
这是我的安全配置:
http.antMatcher("/test")
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/index.html", "/login.html", "/", "/scripts/**",
"/bower_components/**", "/styles/**", "/views/**",
"/login", "/api/user/*").permitAll().anyRequest()
.authenticated().and().logout().logoutUrl("/api/logout").and()
.csrf().csrfTokenRepository(csrfTokenRepository()).and()
.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
答案 0 :(得分:2)
导致身份验证对话框弹出的原因是响应标头WWW-Authenticate: Basic,由BasicAuthenticationEntryPoint设置。
使用未设置AuthenticationEntryPoint的自定义WWW-Authenticate: Basic:
public class NoPopupBasicAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response,
AuthenticationException authException) throws IOException, ServletException {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
}
}
将自定义身份验证入口点添加到安全配置:
http
.httpBasic()
.authenticationEntryPoint(new NoPopupBasicAuthenticationEntryPoint())
答案 1 :(得分:1)
在WebFlux中仅禁用httpBasic是不够的。有一个ExceptionTranslationWebFilter,默认情况下使用HttpBasicServerAuthenticationEntryPoint,导致这种现象。要禁用它,您应该安装另一个ServerAuthenticationEntryPoint,例如:
http.exceptionHandling()
.authenticationEntryPoint(HttpStatusServerEntryPoint(HttpStatus.FORBIDDEN))
.