I need some help with setting up the security for a simple login database (I'm desperate). My login works, at least as far as checking the user and password goes; the problem is the roles and the URL mapping restrictions. After I log in with a valid user my role is lost and I cannot access anything I should be able to, for example the directory /secured/user/home.html gives me a 503 denied, and admin doesn't work either.
I have been trying to set up this project since yesterday without any success. It is a REST Spring MVC application with an Angular login, and I also need some help on how to log out correctly, because that doesn't work.
My code snippet:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .exceptionHandling().and()
            .anonymous().and()
            .servletApi().and()
            .headers().cacheControl().and()
            .authorizeRequests()
                // allow anonymous resource requests
                .antMatchers("/index.html").permitAll()
                .antMatchers("/favicon.ico").permitAll()
                .antMatchers("/resources/**").permitAll()
                // allow anonymous POSTs to login
                .antMatchers(HttpMethod.POST, "/api/login").permitAll()
                // login page
                .antMatchers("/login.html").permitAll()
                // allow anonymous GETs to API
                .antMatchers(HttpMethod.GET, "/api/users/current").permitAll()
                // api/users/logout
                .antMatchers(HttpMethod.GET, "/api/users/logout").permitAll()
                // defined Admin only API area
                .antMatchers("/secured/admin/**").hasRole("ADMIN")
                // user area
                .antMatchers("/secured/user/**").hasRole("USER")
                .antMatchers("/api/blognews/**").hasRole("USER")
                // all other requests need to be authenticated
                .anyRequest().hasRole("USER").and()
            // custom JSON based authentication by POST of {"username":"<name>","password":"<password>"} which sets the token header upon authentication
            .addFilterBefore(new StatelessLoginFilter("/api/login", tokenAuthenticationService, userDetailsService, authenticationManager()), UsernamePasswordAuthenticationFilter.class)
            // custom Token based authentication based on the header previously given to the client
            .addFilterBefore(new StatelessAuthenticationFilter(tokenAuthenticationService), UsernamePasswordAuthenticationFilter.class);
    }
This project is based on Postgres, Hibernate, Spring Security and some simple REST services. My goal is to use token-based login authentication without cookies or sessions. It is almost there, but it has been a real pain, and it is nearly done.
My setup uses Maven; I have uploaded the project here:
https://github.com/jbarros35/angular/tree/auth/businessdata
Execution log:
08:45:32.555 [http-bio-8080-exec-10] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/api/users/current'; against '/resources/**'
08:45:32.555 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /api/users/current at position 1 of 7 in additional filter chain; firing Filter: 'HeaderWriterFilter'
08:45:32.555 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /api/users/current at position 2 of 7 in additional filter chain; firing Filter: 'StatelessLoginFilter'
08:45:32.555 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /api/users/current at position 3 of 7 in additional filter chain; firing Filter: 'StatelessAuthenticationFilter'
08:45:32.570 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /api/users/current at position 4 of 7 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
08:45:32.570 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /api/users/current at position 5 of 7 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
08:45:32.570 [http-bio-8080-exec-10] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'com.businessdata.security.UserAuthentication@74e7e622'
08:45:32.570 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /api/users/current at position 6 of 7 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
08:45:32.570 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /api/users/current at position 7 of 7 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
08:45:32.570 [http-bio-8080-exec-10] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/api/users/current'; against '/index.html'
08:45:32.570 [http-bio-8080-exec-10] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/api/users/current'; against '/favicon.ico'
08:45:32.570 [http-bio-8080-exec-10] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/api/users/current'; against '/resources/**'
08:45:32.570 [http-bio-8080-exec-10] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /api/users/current' doesn't match 'POST /api/login
08:45:32.570 [http-bio-8080-exec-10] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/api/users/current'; against '/login.html'
08:45:32.570 [http-bio-8080-exec-10] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/api/users/current'; against '/api/users/current'
08:45:32.570 [http-bio-8080-exec-10] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /api/users/current; Attributes: [permitAll]
08:45:32.570 [http-bio-8080-exec-10] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: com.businessdata.security.UserAuthentication@74e7e622
08:45:32.571 [http-bio-8080-exec-10] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6e34ba4a, returned: 1
08:45:32.571 [http-bio-8080-exec-10] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Authorization successful
08:45:32.571 [http-bio-8080-exec-10] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - RunAsManager did not change Authentication object
08:45:32.571 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /api/users/current reached end of additional filter chain; proceeding with original chain
08:45:32.571 [http-bio-8080-exec-10] DEBUG o.s.web.servlet.DispatcherServlet - DispatcherServlet with name 'dispatcher' processing GET request for [/businessdata/api/users/current]
08:45:32.571 [http-bio-8080-exec-10] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Looking up handler method for path /api/users/current
08:45:32.571 [http-bio-8080-exec-10] DEBUG o.s.w.s.m.m.a.RequestMappingHandlerMapping - Returning handler method [public com.businessdata.model.UserData com.businessdata.controller.UserController.getCurrent() throws java.lang.Exception]
08:45:32.571 [http-bio-8080-exec-10] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'userController'
08:45:32.572 [http-bio-8080-exec-10] DEBUG o.s.web.servlet.DispatcherServlet - Last-Modified value for [/businessdata/api/users/current] is: -1
08:45:32.572 [http-bio-8080-exec-10] DEBUG o.s.w.s.mvc.WebContentInterceptor - Looking up cache seconds for [/api/users/current]
08:45:32.572 [http-bio-8080-exec-10] DEBUG o.s.w.s.mvc.WebContentInterceptor - Applying default cache seconds to [/api/users/current]
08:45:32.574 [http-bio-8080-exec-10] DEBUG o.s.w.s.m.m.a.ResponseBodyAdviceChain - Invoking ResponseBodyAdvice chain for body=UserData: user
08:45:32.574 [http-bio-8080-exec-10] DEBUG o.s.w.s.m.m.a.ResponseBodyAdviceChain - After ResponseBodyAdvice chain body=UserData: user
08:45:32.576 [http-bio-8080-exec-10] DEBUG o.s.w.s.m.m.a.RequestResponseBodyMethodProcessor - Written [UserData: user] as "application/json;charset=UTF-8" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@45de7b45]
08:45:32.576 [http-bio-8080-exec-10] DEBUG o.s.web.servlet.DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'dispatcher': assuming HandlerAdapter completed request handling
08:45:32.576 [http-bio-8080-exec-10] DEBUG o.s.web.servlet.DispatcherServlet - Successfully completed request
08:45:32.576 [http-bio-8080-exec-10] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/secured/admin/home.html'; against '/resources/**'
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /secured/admin/home.html at position 1 of 7 in additional filter chain; firing Filter: 'HeaderWriterFilter'
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /secured/admin/home.html at position 2 of 7 in additional filter chain; firing Filter: 'StatelessLoginFilter'
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /secured/admin/home.html at position 3 of 7 in additional filter chain; firing Filter: 'StatelessAuthenticationFilter'
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /secured/admin/home.html at position 4 of 7 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /secured/admin/home.html at position 5 of 7 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90572420: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: 21113D956870C796E52C273FBFD2B651; Granted Authorities: ROLE_ANONYMOUS'
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /secured/admin/home.html at position 6 of 7 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /secured/admin/home.html at position 7 of 7 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/secured/admin/home.html'; against '/index.html'
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/secured/admin/home.html'; against '/favicon.ico'
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/secured/admin/home.html'; against '/resources/**'
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /secured/admin/home.html' doesn't match 'POST /api/login
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/secured/admin/home.html'; against '/login.html'
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/secured/admin/home.html'; against '/api/users/current'
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/secured/admin/home.html'; against '/api/users/logout'
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/secured/admin/home.html'; against '/secured/admin/**'
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /secured/admin/home.html; Attributes: [hasRole('ROLE_ADMIN')]
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@90572420: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: 21113D956870C796E52C273FBFD2B651; Granted Authorities: ROLE_ANONYMOUS
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6e34ba4a, returned: -1
08:45:33.401 [http-bio-8080-exec-10] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
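The log above already contains the answer to the question of why the second request is denied: for /api/users/current the context held a UserAuthentication, while for /secured/admin/home.html only the anonymous token was present when FilterSecurityInterceptor ran, so the token filter authenticated nothing on that request. The script below is an added example (not part of the question or the linked project) that parses the FilterSecurityInterceptor and voter lines in this layout and reports, per request, which Authentication was in the context at authorization time; the sample log is constructed from the lines above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Patterns for the FilterSecurityInterceptor and voter lines as they appear in the question's log.
SECURE_RE = re.compile(r"Secure object: FilterInvocation: URL: (\S+); Attributes: \[(.*)\]")
AUTH_RE = re.compile(r"Previously Authenticated: (\S+?):?(?:\s|$)")
VOTE_RE = re.compile(r"AffirmativeBased - Voter: \S+, returned: (-?\d+)")

# Constructed sample: the decisive lines of the question's log, shortened.
SAMPLE_LOG = """\
DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /api/users/current; Attributes: [permitAll]
DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: com.businessdata.security.UserAuthentication@74e7e622
DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6e34ba4a, returned: 1
DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /secured/admin/home.html; Attributes: [hasRole('ROLE_ADMIN')]
DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@90572420: Principal: anonymousUser; Granted Authorities: ROLE_ANONYMOUS
DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6e34ba4a, returned: -1
"""

@dataclass
class Decision:
    url: str
    attributes: str
    principal: str = ""          # class@hash of the Authentication present when authorization ran
    vote: Optional[int] = None   # 1 = granted, -1 = denied
    @property
    def anonymous(self) -> bool:
        return "AnonymousAuthenticationToken" in self.principal

def analyze(lines: List[str]) -> List[Decision]:
    # Pair each 'Secure object' line with the principal and voter result logged after it.
    decisions: List[Decision] = []
    current: Optional[Decision] = None
    for line in lines:
        if m := SECURE_RE.search(line):
            current = Decision(url=m.group(1), attributes=m.group(2))
            decisions.append(current)
        elif current is not None and (m := AUTH_RE.search(line)):
            current.principal = m.group(1)
        elif current is not None and (m := VOTE_RE.search(line)):
            current.vote = int(m.group(1))
    return decisions

def diagnose(d: Decision) -> str:
    # Explain the outcome in terms of what the token filter left in the SecurityContext.
    if d.vote == 1:
        return f"GRANTED {d.url}: {d.attributes} satisfied by {d.principal}"
    if d.anonymous and d.attributes != "permitAll":
        return f"DENIED {d.url}: {d.attributes} evaluated against an anonymous principal, so no token was authenticated on this request (was the token header sent?)"
    return f"DENIED {d.url}: {d.attributes} not satisfied by {d.principal}"
```

Run it over a full DEBUG log with `for d in analyze(open(path).read().splitlines()): print(diagnose(d))` to see, request by request, whether the page navigations carried a usable token.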