I am trying to implement client authentication with Spring Security on JBoss EAP 6.2 to protect my REST API (there is no login page), but I am stuck.
Trying to send the authentication request with ajax:
$.ajax({
    type : "POST",
    url : '/client-web/j_security_check',
    data : {
        j_username : user,
        j_password : pass
    }
}).done(function(data) {
    // '<div>' creates a new element; 'div' would select every existing div on the page
    $('div#result').append($('<div>').text('Login ' + user + ' OK'));
}).fail(function(data) {
    console.log(data);
    $('div#result').append($('<div>').text('Login ' + user + ' FAIL'));
});
I get '404 Not Found' as the response. I also tried j_spring_security_check, but the result is the same.
Even when I send the username and password fields in the ajax request, or supply an "Authorization" : "Basic *XXXX*"
header, a request to one of my /rest/ methods always returns '403 Forbidden'.
So right now I cannot figure out how I should authenticate my users against my application, and how to check the authentication on subsequent requests.
I am new to Spring Security, to security in general and to Java EE technologies, and have spent two whole days trying to get this to work without any luck. That is why I am asking you for help here. I would appreciate any useful advice or links to appropriate resources.
Here is the content of the configuration files I have messed up:
root-context.xml:
<http entry-point-ref="preAuthEntryPoint"
      authentication-manager-ref="authenticationManager" auto-config="false"
      realm="ApplicationRealm">
    <intercept-url pattern="/rest/**" access="ROLE_CUSTOMER" />
    <!-- <form-login /> -->
    <http-basic />
    <logout />
    <jee mappable-roles="customer" />
</http>
<beans:bean name="preAuthEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint">
</beans:bean>
<authentication-manager alias="authenticationManager"
                        id="authenticationManager">
    <sec:authentication-provider
        ref="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider" />
</authentication-manager>
<beans:bean
    class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider"
    id="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <beans:property name="preAuthenticatedUserDetailsService">
        <beans:bean
            class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService">
        </beans:bean>
    </beans:property>
</beans:bean>
web.xml:
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring/root-context.xml</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
    <servlet-name>clientServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/clientServlet/servlet-context.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>clientServlet</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>
<welcome-file-list>
    <welcome-file>/resources/home.html</welcome-file>
</welcome-file-list>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>All Content</web-resource-name>
        <url-pattern>/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ROLE_CUSTOMER</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>ROLE_CUSTOMER</role-name>
</security-role>
jboss-web.xml has only one node: <security-domain>mySecurity</security-domain>
And in the JBoss standalone.xml configuration file there is a <security-domain>:
<security-domain name="mySecurity" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="dsJndiName" value="java:jboss/datasources/myDs"/>
            <module-option name="principalsQuery" value="select u.password from users u where u.username=?"/>
            <module-option name="rolesQuery" value="select r.name as rolename, 'Roles' as rolegroup from users u inner join users_roles ur on (ur.users_id = u.id) inner join roles r on (ur.roles_id = r.id) where u.username=?"/>
        </login-module>
    </authentication>
</security-domain>