找到不需要的基本身份验证标头时，Spring安全性不起作用

Question

以下问题仅在https环境中发生。

通过基本身份验证进行身份验证的Jboss Web服务器。 现在，当访问部署在jboss上的应用程序内部时，所有请求都包含基本授权标头。现在，当使用正确的凭据时，我无法登录。如果直接使用我的应用程序而无需进行jboss基本身份验证，那么我可以登录该应用程序，并且一切正常。如果不需要的基本身份验证，则会在spring安全性中出现问题。我尝试禁用基本身份验证，但不起作用。

下面是我的代码。 SecurityContext

package com.adv.admin.context;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

import com.adv.admin.util.CustomAuthenticationFailureHandler;
import com.adv.admin.util.CustomAuthenticationProvider;
import com.adv.admin.util.CustomLogoutSuccessHandler;
import com.coa.idm.annotation.SSOProvider;
import com.coa.idm.filter.SSOProviderType;

@Configuration
@EnableWebSecurity
@SSOProvider(providerType = SSOProviderType.NONE)
public class LocalSecurityContext extends WebSecurityConfigurerAdapter{

    @Autowired
    CustomAuthenticationProvider customAuthenticationProvider;

    @Autowired
    CustomAuthenticationFailureHandler customAuthenticationFailureHandler;

    @Autowired
    CustomLogoutSuccessHandler customLogoutSuccessHandler;

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(customAuthenticationProvider);
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
          .authorizeRequests()
          .antMatchers("/login/**","/logout/**","/views/**").permitAll()
          .antMatchers("/technical_setup/**","/preferences_config/**","/admin_management/**")
                .access("hasRole('SYSADMIN')")
          .antMatchers("/home/**","/custom_help/**","/custom_message/**",
                 "/custom_help_detail/**","/custom_message_detail/**","/admin_property/**")
                .access("hasAnyRole('SYSADMIN','ADMIN')")
          .and()
          .formLogin()
          .loginPage("/login")
          .loginProcessingUrl("/perform_login")
          .defaultSuccessUrl("/home", true)
          .failureUrl("/login?error=3")
          .failureHandler(customAuthenticationFailureHandler)
          .and()
          .logout()
          .logoutUrl("/logout")
          .deleteCookies("JSESSIONID")
          .logoutSuccessHandler(customLogoutSuccessHandler)
          .and()
          .sessionManagement()
          .sessionAuthenticationErrorUrl("/login/invalid-session");
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**").and().ignoring().antMatchers("/WebHelp/**");
    }
}

AuthenticationProvider

package com.adv.admin.util;

import java.util.Collection;

import javax.inject.Inject;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;

import com.adv.admin.entity.UserMaster;
import com.adv.admin.model.CustomUser;
import com.adv.admin.repository.AdminRepository;
import com.adv.admin.repository.UserMasterRepository;
import com.adv.admin.services.CustomUserService;

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

  @Autowired
  private CustomUserService userService;
  @Autowired
  private AdminRepository adminRepository;
  @Inject
  private UserMasterRepository userMasterRepository;

  @Override
  public Authentication authenticate(Authentication authentication) {
    String username = authentication.getName();
    String password = (String) authentication.getCredentials();
    UserMaster userMaster;

    if (userService.getdataSourceDilact() != null
            && userService.getdataSourceDilact().equals(Constants.POSTGRES_SQL_Dialect)) {
        userMaster = userMasterRepository.findByUsr(username);
    } else {
        userMaster = userMasterRepository.findByUsr(rightPad(username));
    }

    if (ObjectUtils.isNotEmpty(userMaster)) {
      if (userMaster.getDsbld().equals(Constants.FLAG_Y)) {
        throw new DisabledException(Constants.DISABLED_MESSAGE);
      } else {
        String encryptedPassword = (password + "        ").substring(0, 8);
        encryptedPassword = new String(LogonSecurity.encrypt(encryptedPassword.toCharArray()));
        if (!encryptedPassword.equals(userMaster.getPswd())) {
          throw new BadCredentialsException(Constants.WRONG_CREDENTIALS_MESSAGE);
        } else {
          CustomUser user = userService.loadUserByUsername(username);
          Collection<? extends GrantedAuthority> authorities = user.getAuthorities();
          return new UsernamePasswordAuthenticationToken(user, password, authorities);
        }
      }
    } else {
        throw new BadCredentialsException(Constants.WRONG_CREDENTIALS_MESSAGE);
    }
  }

  @Override
  public boolean supports(Class<?> arg0) {
    return true;
  }

  private String rightPad(String s) {
    return String.format("%-8s", s);
  }
}