我正在使用Spring REST创建一个REST API,并且正在尝试使用Spring Security对其进行保护以进行基本身份验证。它由MariaDB数据库支持。
我用过this guide for setting up basic authentication。我已经到了可以发出POST请求的位置,以在数据库中创建新的用户凭据,但是当我转身尝试使用这些凭据访问受保护的端点时,会收到401未经授权的响应。
有人可以指出我要去哪里了吗?谢谢!
这是我的实体:
@Entity
@Table(name="credentials")
public class Credential {
public static final PasswordEncoder PASSWORD_ENCODER = new BCryptPasswordEncoder();
@Id
@GenericGenerator(name = "uuid", strategy = "uuid2")
@GeneratedValue(generator="uuid")
@Column(name="user_id")
private UUID userId;
@Column(name="username")
private String username;
@Column(name="password")
private String password;
@Column(name="updated_at")
private LocalDateTime updatedAt;
@Column(name="created_at")
private LocalDateTime createdAt;
@OneToOne(fetch=FetchType.EAGER)
@JoinColumn(name="user_id")
private User user;
public Credential(UUID userId, String username, String password, LocalDateTime updatedAt, LocalDateTime createdAt) {
this.userId = userId;
this.username = username;
setPassword(password);
this.updatedAt = updatedAt;
this.createdAt = createdAt;
}
public Credential() {}
...and standard getters and setters
这是我的存储库:
public interface CredentialRepository extends CrudRepository<Credential, UUID>{
Optional<Credential> findByUsername(String username);
}
我的类扩展了UserDetailsService:
@Component
public class DetailsService implements UserDetailsService {
@Autowired
private CredentialRepository credentials;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
Optional<Credential> credential = credentials.findByUsername(username);
if (!credential.isPresent()) {
throw new UsernameNotFoundException(username + " not found");
}
return new User(credential.get().getUsername(), credential.get().getPassword(),
AuthorityUtils.createAuthorityList("ROLE_USER"));
}
@Transactional
public Credential signupNewAccount(Credential credential) throws DuplicateUsernameException {
if(usernameExists(credential.getUsername())) {
throw new DuplicateUsernameException("That username is not available: " + credential.getUsername());
}
Credential registered = new Credential();
registered.setUsername(credential.getUsername());
registered.setPassword(credential.getPassword());
return credentials.save(registered);
}
private boolean usernameExists(String username) {
Optional<Credential> candidate = credentials.findByUsername(username);
if(candidate.isPresent()) {
return true;
} else {
return false;
}
}
}
还有我的WebSecurityConfigurerAdapter:
@Component
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private DetailsService detailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(detailsService).passwordEncoder(Credential.PASSWORD_ENCODER);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/v1/login").permitAll()
.antMatchers(HttpMethod.POST, "/v1/signup").permitAll()
.anyRequest().authenticated()
.and().httpBasic()
.and().sessionManagement().disable();
}
}
我正在发送到另一个端点的HTTP GET请求:
GET /v1/boards HTTP/1.1
Host: localhost:8443
Authorization: Basic dGVzdDp0ZXN0
Cache-Control: no-cache
服务器的响应:
HTTP/1.1 401
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=0FE1E2736168B8C24980059A2546CA95; Path=/; Secure; HttpOnly
WWW-Authenticate: Basic realm="Realm"
Content-Length: 0
Date: Sat, 28 Jul 2018 20:36:37 GMT
答案 0 :(得分:0)
花了一天的时间阅读关于Spring Security和Basic Authentication的每一篇文章后,我发现了问题。原来,当我在数据库中注册凭据时,我对其进行了两次加密。在我的UserDetailsService实现中更改signup方法可以解决该问题:
@Transactional
public Credential signupNewAccount(Credential credential) throws DuplicateUsernameException {
System.out.println("Enter signupNewAccount: " + credential.getUsername() + " / " + credential.getPassword());
if(usernameExists(credential.getUsername())) {
throw new DuplicateUsernameException("That username is not available: " + credential.getUsername());
}
return credentials.save(credential);
}