Spring Boot的基本身份验证

时间:2014-07-31 03:46:52

标签: basic-authentication spring-boot

我正在开发一个带有spring-boot和angularjs的小应用程序。这个想法是应用程序的后端公开了一些服务,而前端使用这些服务。我正在尝试设置基本身份验证

这是我的pom.xml 

<!-- Web Server -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- End Web Server -->

<!-- Spring Security -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- End Spring Security -->

两者的版本均为1.1.1.RELEASE。我的WebSecurityConfig 

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/css/**", "/js/**").permitAll()
                .anyRequest().authenticated();
        http
                .formLogin()
                .defaultSuccessUrl("/")
                .loginPage("/login")
                .permitAll()
                .and()
                .logout()
                .permitAll();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder authManagerBuilder) throws Exception {
        authManagerBuilder.inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}

这不起作用。似乎用户和密码未在内存中设置。

当spring boot运行时,它会创建一个默认密码,这是控制台中显示的密码

AuthenticationManagerConfiguration : 

Using default security password: xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

该应用程序使用该密码。

谢谢

4 个答案:

答案 0 :(得分:6)

您可以通过在application.properties文件中设置以下属性来覆盖默认用户名(默认值=用户)和动态生成的密码:

security.user.name=user # Default user name.
security.user.password= # Password for the default user name. A random password is logged on startup by default.

要注册多个用户,您需要构建我们自己的AuthenticationManager配置。

答案 1 :(得分:3)

我也遇到过这个问题,使用OAuth2应用程序。在Authorization Server Config中,我使用的是全局 AuthenticationManager。

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints
            .tokenStore(tokenStore())
            .authenticationManager(authenticationManager)
            .accessTokenConverter(accessTokenConverter());
    }
}

但我构建的AuthenticationManager仅限于WebSecurityConfigurerAdapter。而不是覆盖configure方法,我使用了这个configureGlobal方法,然后一切都到位,没有警告或NullReferenceExceptions 

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth)
            throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}

答案 2 :(得分:2)

在您的configur(HttpSecurity http)方法中,您的上次设置显示为.anyRequest().authenticated(),因此需要为所有请求对用户进行身份验证。

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/").permitAll()
            .anyRequest().authenticated();
}

请尝试以下操作。

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .anyRequest().hasRole("USER")
            .and()
        .formLogin()
            .permitAll()
            .and()
        .logout()
            .permitAll()
            .and()
        .anonymous()
            .disable();
}

答案 3 :(得分:1)

这种方式很有效,首先我更改了pom.xml中的依赖项

<!-- Web Server -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- End Web Server -->

<!-- Spring Security -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-actuator</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- End Spring Security -->

然后我更改了WebSecurityConfig类

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

@Configuration
public class WebSecurityConfig {

    @Bean
    public AuthenticationManager authenticationManager() throws Exception {
        return new AuthenticationManagerBuilder(new NopPostProcessor())
                       .inMemoryAuthentication().withUser("user").password("password").roles("USER")
                       .and().and().build();
    }

    private static class NopPostProcessor implements ObjectPostProcessor {
        @Override
        @SuppressWarnings("unchecked")
        public Object postProcess(Object object) {
            return object;
        }
    };
}
相关问题
最新问题