我在使用spring security设置摘要身份验证时遇到问题:
My SecurityConfig:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
@Autowired
private UserService userService;
@Override
@Bean
public UserDetailsService userDetailsServiceBean() {
return userService;
}
@Override
protected void configure(AuthenticationManagerBuilder registry) throws Exception {
registry.userDetailsService(userDetailsServiceBean());
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/resources/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling()
.authenticationEntryPoint(digestEntryPoint())
.and()
.addFilterAfter(digestAuthenticationFilter(digestEntryPoint()), BasicAuthenticationFilter.class)
.antMatcher("/**")
.csrf()
.disable()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.formLogin()
.permitAll()
.and()
.logout()
.deleteCookies("remove")
.invalidateHttpSession(true)
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/login")
.permitAll();
}
@Bean
public DigestAuthenticationEntryPoint digestEntryPoint() {
DigestAuthenticationEntryPoint digestAuthenticationEntryPoint = new DigestAuthenticationEntryPoint();
digestAuthenticationEntryPoint.setKey("acegi");
digestAuthenticationEntryPoint.setRealmName("Digest Realm");
digestAuthenticationEntryPoint.setNonceValiditySeconds(10);
return digestAuthenticationEntryPoint;
}
@Bean
public DigestAuthenticationFilter digestAuthenticationFilter(
DigestAuthenticationEntryPoint digestAuthenticationEntryPoint) {
DigestAuthenticationFilter digestAuthenticationFilter = new DigestAuthenticationFilter();
digestAuthenticationFilter.setAuthenticationEntryPoint(digestEntryPoint());
digestAuthenticationFilter.setUserDetailsService(userDetailsServiceBean());
return digestAuthenticationFilter;
}
}
使用userService:
@Component
public class UserService implements UserDetailsService {
@Autowired
UserRepository userRepository;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userRepository.findByUsername(username);
if (user == null) {
throw new UsernameNotFoundException("UserName " + username + " not found");
} else {
return user;
}
}
}
当尝试使用Digest访问API时,我得到以下返回:
{
"timestamp": "2015-11-25T13:51:01.874+0000",
"status": 401,
"error": "Unauthorized",
"message": "Nonce should have yielded two tokens but was ",
"path": "/api/"
}
Basic身份验证工作正常。摘要有什么问题?
与Postman发出请求:
Digest username="admin", realm="Digest Realm", nonce="", uri="/api/", response="762b17f23b0e1a2d56cd159805732d7b", opaque=""
答案 0 :(得分:2)
您需要设置一个nonce值。错误是BadCredentialsException,快速查看已发送的内容会显示您已设置nonce =""。这应该是格式 -
base64(expirationTime +":" + md5Hex(expirationTime +":" + key))
expirationTime: The date and time when the nonce expires, expressed in milliseconds
key: A private key to prevent modification of the nonce token
https://docs.spring.io/spring-security/site/docs/3.0.x/reference/basic.html