我正在尝试为angularjs应用程序添加spring security。我正在按照本教程关于使用spring security来保护单页面应用程序:
Service Provider Interface (SPI)
不同之处在于我没有使用弹簧靴而是弹簧mvc用于此目的。我想我添加了我需要的所有东西,但由于某些原因,在输入inMemory凭证后,我得到403禁止。
这是我的spring安全配置:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
System.out.println("initTT");
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/user").hasRole("USER")
.anyRequest().authenticated()
.and()
.csrf().disable();
}
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/app/**");
}
private CsrfTokenRepository csrfTokenRepository() {
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
repository.setHeaderName("X-XSRF-TOKEN");
return repository;
}
}
我使用了教程中的authenicate()函数并将其添加到我的app.js文件中:
coursesApp.controller('loginController', function($rootScope, $scope, $http, $location) {
var authenticate = function(credentials, callback) {
var headers = credentials ? {authorization : "Basic "
+ btoa(credentials.username + ":" + credentials.password)
} : {};
console.log(headers);
$http.get('/basic-web-app/user', {headers : headers}).success(function(data) {
if (data.name) {
$rootScope.authenticated = true;
} else {
$rootScope.authenticated = false;
}
callback && callback();
}).error(function() {
$rootScope.authenticated = false;
callback && callback();
});
}
authenticate();
$scope.credentials = {};
$scope.login = function() {
console.log("login clicked!!!!!!!");
authenticate($scope.credentials, function() {
if ($rootScope.authenticated) {
console.log("authenticated");
$location.path("/");
$scope.error = false;
} else {
console.log("not authenticated");
$location.path("/login");
$scope.error = true;
}
});
};
});
我有UserController和 /用户 端点,如教程中所述。我正在用这个
扫描包裹 <context:component-scan base-package="com.courses.portal.controllers"/>
https://spring.io/blog/2015/01/12/the-login-page-angular-js-and-spring-security-part-ii
我还附上了Chrome控制台的屏幕截图,以便清楚我在做什么:
web.xml文件:
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring/business-config.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
MVC-调度-servlet.xml中
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<context:component-scan base-package="com.courses.portal.controllers"/>
<mvc:resources mapping="/app/**" location="/app/build/"/>
<mvc:annotation-driven/>
<bean id="jspViewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/jsp/"/>
<property name="suffix" value=".jsp"/>
</bean>
<security:global-method-security pre-post-annotations="enabled">
<security:protect-pointcut expression="execution(* com.courses.portal.controllers.*.*(..))"
access="ROLE_USER"/>
</security:global-method-security>
</beans>
很抱歉,如果这是一个常见问题,但在发布之前我试图在网上找到任何有用的内容。谢谢!
答案 0 :(得分:1)
我的猜测(你还没有发布所有的代码)是/ basic-web-app是一个上下文根,它是一个servlet API构造 - 如果你正在创建绝对路径,你需要它在你的客户端,但是它不知道servlet,但Spring Security是基于servlet的,所以它不需要前缀(我注意到你从静态资源的/app/**配置中删除了)。尝试从安全配置路径中删除前缀。