RestyGWT和基本身份验证

时间:2016-04-28 17:56:46

标签: rest gwt spring-security spring-boot resty-gwt

经过几天没有任何进展,我需要你的帮助。

使用GWT,我正在尝试与我的REST服务器通信,服务器位于不同的URL(需要CORS)。
我的配置:
服务器
- spring-boot 1.3.3

客户端
- GWT 1.7
- restygwt 2.0.3

服务器端,我认为没关系。
当我在Spring中禁用安全性时,我可以在GWT客户端获取数据 但是当我启用它时,我总是得到401个请求。 REST URL请求直接在Web浏览器中运行(带有其身份验证对话框)。

客户端,我已关注此页:
 https://ronanquillevere.github.io/2014/04/11/restygwt-basic-auth.html

这是我的代码:

在标题

中添加凭据的过滤器 
public class BasicAuthHeaderDispatcherFilter implements DispatcherFilter {

    public static final String AUTHORIZATION_HEADER = "Authorization";

    @Override
    public boolean filter(Method method, RequestBuilder builder) {
        try {

            String basicAuthHeaderValue = createBasicAuthHeader(
                    UserCredentials.INSTANCE.getUserName(),
                    UserCredentials.INSTANCE.getPassword());

            builder.setHeader(AUTHORIZATION_HEADER, basicAuthHeaderValue);

        } catch (UnsupportedEncodingException e) {
            return false;
        }
        return true;
    }

    private String createBasicAuthHeader(String userName, String password)
            throws UnsupportedEncodingException {
        String credentials = userName + ":" + password;
        String encodedCredentials = new String(Base64.encode(credentials
                .getBytes()), "UTF-8");

        GWT.log("encodedCredentials=["+encodedCredentials+"]");

        return " Basic " + encodedCredentials;
    }
}

调度员:

public class MyDispatcher extends DefaultFilterawareDispatcher {

    public MyDispatcher() {
        addFilter(new BasicAuthHeaderDispatcherFilter());
    }

}

我的测试电话:

@Override
            public void onClick(ClickEvent event) {
                Defaults.setDispatcher(new MyDispatcher());

                UserCredentials.INSTANCE.setUserName("user");
                UserCredentials.INSTANCE.setPassword("psswd");

                String url = "http://localhost:8080/race";
                Resource resource = new Resource(url);

                resource.get().send(new JsonCallback() {

                    @Override
                    public void onSuccess(Method method, JSONValue response) {
                        GWT.log(response.toString());
                    }

                    @Override
                    public void onFailure(Method method, Throwable exception) {
                        GWT.log("Erreur: ", exception);
                    }
                });

            }

现在,在网络浏览器开发工具中生成的标题。

直接在网络浏览器中
请求

Accept  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Authorization   Basic R3V5OnR5Y29vbg==
Cache-Control   max-age=0
Connection  keep-alive
Host    localhost:8080
User-Agent  Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0

答案

Cache-Control   no-cache, no-store, max-age=0, must-revalidate
Content-Type    application/json;charset=UTF-8
Date    Thu, 28 Apr 2016 17:35:31 GMT
Expires 0
Pragma  no-cache
Server  Apache-Coyote/1.1
Set-Cookie  JSESSIONID=A496281DBD6E9B797887B9C34B47DA52; Path=/; HttpOnly
Transfer-Encoding   chunked
X-Frame-Options DENY
X-XSS-Protection    1; mode=block
x-content-type-options  nosniff

GWT客户
请求

Accept  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Access-Control-Request-He...    authorization,x-http-method-override
Access-Control-Request-Me...    GET
Connection  keep-alive
Host    localhost:8080
Origin  http://127.0.0.1:8888
User-Agent  Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0

答案

Access-Control-Allow-Cred...    true
Access-Control-Allow-Orig...    http://127.0.0.1:8888
Allow   GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Cache-Control   no-cache, no-store, max-age=0, must-revalidate
Content-Length  0
Date    Thu, 28 Apr 2016 17:43:29 GMT
Expires 0
Pragma  no-cache
Server  Apache-Coyote/1.1
Set-Cookie  JSESSIONID=4D80D0C0FA9E27D166F6489CC88C3E45; Path=/; HttpOnly
Vary    Origin
WWW-Authenticate    Basic realm="Realm"
X-Frame-Options DENY
X-XSS-Protection    1; mode=block
access-control-allow-head...    authorization, x-http-method-override
access-control-allow-meth...    GET
x-content-type-options  nosniff

我注意到两件事:
- 在gwt头请求中,我没有Authorization值。但是在控制台日志中,我有一条确认我的过滤器被触发的跟踪 - 只有firefox,当我做我的请求时,firebug捕获2个网络paquets,第一个有Authorization值但没有回答,第二个是我上面描述的结果。

感谢您的帮助。

1 个答案:

答案 0 :(得分:0)

解决。

我的服务器拒绝网络浏览器提交的转机前请求。

我在服务器中添加了一个CorsFilter,它忽略了OPTIONS请求

@Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        HttpServletResponse theResponse = (HttpServletResponse) response;
        HttpServletRequest theRequest = (HttpServletRequest) request;

        theResponse.setHeader("Access-Control-Allow-Origin", theRequest.getHeader("Origin"));

        if ("OPTIONS".equalsIgnoreCase(theRequest.getMethod())) {
            theResponse.setHeader("Access-Control-Allow-Credentials", "true");
            theResponse.setHeader("Access-Control-Allow-Methods", "POST, GET, HEAD, OPTIONS, DELETE");
            theResponse.setHeader("Access-Control-Allow-Headers", "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization, X-HTTP-Method-Override");
        }else{
            chain.doFilter(request, response);
        }
    }
相关问题
最新问题