具有Spring Security的Spring REST不接受凭据

时间:2018-07-28 00:59:51

标签: java rest spring-security basic-authentication spring-rest

我正在使用Spring REST创建一个REST API,并且正在尝试使用Spring Security对其进行保护以进行基本身份验证。它由MariaDB数据库支持。

我用过this guide for setting up basic authentication。我已经到了可以发出POST请求的位置,以在数据库中创建新的用户凭据,但是当我转身尝试使用这些凭据访问受保护的端点时,会收到401未经授权的响应。

有人可以指出我要去哪里了吗?谢谢!

这是我的实体:

@Entity
@Table(name="credentials")
public class Credential {

public static final PasswordEncoder PASSWORD_ENCODER = new BCryptPasswordEncoder();

@Id
@GenericGenerator(name = "uuid", strategy = "uuid2")
@GeneratedValue(generator="uuid")
@Column(name="user_id")
private UUID userId;
@Column(name="username")
private String username;
@Column(name="password")
private String password;
@Column(name="updated_at")
private LocalDateTime updatedAt;
@Column(name="created_at")
private LocalDateTime createdAt;
@OneToOne(fetch=FetchType.EAGER)
@JoinColumn(name="user_id")
private User user;

public Credential(UUID userId, String username, String password, LocalDateTime updatedAt, LocalDateTime createdAt) {
    this.userId = userId;
    this.username = username;
    setPassword(password);
    this.updatedAt = updatedAt;
    this.createdAt = createdAt;
}

public Credential() {}
...and standard getters and setters

这是我的存储库:

public interface CredentialRepository extends CrudRepository<Credential, UUID>{

Optional<Credential> findByUsername(String username);

}

我的类扩展了UserDetailsS​​ervice:

@Component
public class DetailsService implements UserDetailsService {

@Autowired
private CredentialRepository credentials;

@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    Optional<Credential> credential = credentials.findByUsername(username);
    if (!credential.isPresent()) {
        throw new UsernameNotFoundException(username + " not found");
    }
    return new User(credential.get().getUsername(), credential.get().getPassword(),
            AuthorityUtils.createAuthorityList("ROLE_USER"));
}

@Transactional
public Credential signupNewAccount(Credential credential) throws DuplicateUsernameException {
    if(usernameExists(credential.getUsername())) {
        throw new DuplicateUsernameException("That username is not available: " + credential.getUsername());
    }
    Credential registered = new Credential();
    registered.setUsername(credential.getUsername());
    registered.setPassword(credential.getPassword());
    return credentials.save(registered);
}

private boolean usernameExists(String username) {
    Optional<Credential> candidate = credentials.findByUsername(username);
    if(candidate.isPresent()) {
        return true;
    } else {
        return false;
    }
}

}

还有我的WebSecurityConfigurerAdapter:

@Component
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

@Autowired
private DetailsService detailsService;

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(detailsService).passwordEncoder(Credential.PASSWORD_ENCODER);
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
    .csrf().disable()
    .authorizeRequests()
    .antMatchers(HttpMethod.POST, "/v1/login").permitAll()
    .antMatchers(HttpMethod.POST, "/v1/signup").permitAll()
    .anyRequest().authenticated()
    .and().httpBasic()
    .and().sessionManagement().disable();
}
}

我正在发送到另一个端点的HTTP GET请求:

GET /v1/boards HTTP/1.1
Host: localhost:8443
Authorization: Basic dGVzdDp0ZXN0
Cache-Control: no-cache

服务器的响应:

HTTP/1.1 401
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=0FE1E2736168B8C24980059A2546CA95; Path=/; Secure; HttpOnly
WWW-Authenticate: Basic realm="Realm"
Content-Length: 0
Date: Sat, 28 Jul 2018 20:36:37 GMT

1 个答案:

答案 0 :(得分:0)

花了一天的时间阅读关于Spring Security和Basic Authentication的每一篇文章后,我发现了问题。原来,当我在数据库中注册凭据时,我对其进行了两次加密。在我的UserDetailsS​​ervice实现中更改signup方法可以解决该问题:

@Transactional
public Credential signupNewAccount(Credential credential) throws DuplicateUsernameException {
    System.out.println("Enter signupNewAccount: " + credential.getUsername() + " / " + credential.getPassword());
    if(usernameExists(credential.getUsername())) {
        throw new DuplicateUsernameException("That username is not available: " + credential.getUsername());
    }
    return credentials.save(credential);
}