我正在尝试设置一个非常基本的Spring启动身份验证应用程序。我在客户端设置Authorization标头并将其发送到后端。我可以验证客户端是否正在发送正确的标头。
后端首次尝试登录时正确接收标头。但是,如果登录凭据不正确,后续请求将保留初始请求的标头(缓存或其他内容)。
我正在使用Redis来缓存会话。我的配置如下:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired AuthenticationEntryPoint authenticationEntryPoint;
@Autowired CsrfTokenRepository csrfTokenRepository;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint)
.and()
.csrf()
.disable()
.authorizeRequests().antMatchers("**")
.permitAll()
.anyRequest()
.authenticated()
;
}
}
的AuthenticationEntryPoint
public class AuthenticationEntryPointBean {
@Bean
AuthenticationEntryPoint authenticationEntryPoint() {
return new RestAuthenticationEntryPoint();
}
}
任何方向都会受到赞赏。
**编辑** 添加缓存设置
@Configuration
@EnableRedisHttpSession
public class HttpSessionConfig {
@Bean
public JedisConnectionFactory connectionFactory() {
return new JedisConnectionFactory(); // <2>
}
}
此外,我正在尝试使缓存无效,但似乎无法正常工作
@CrossOrigin
@RequestMapping(value="/auth/login", method = RequestMethod.GET, produces="application/json")
public @ResponseBody String login(@RequestHeader(name = "authorization") String authorization, HttpSession session, HttpServletRequest request)
{
try
{
authorization = authorization.substring("Basic ".length());
String decoded = new String(Base64.getDecoder().decode(authorization),"UTF-8");
Gson gson = new Gson();
LoginRequest login = gson.fromJson(decoded,LoginRequest.class);
UserAuthenticationEntity entity = service.getSecurityContext(login).orElseThrow(() ->
new BadCredentialsException("Authentication Failed.")
);
session.setMaxInactiveInterval((int)TimeUnit.MINUTES.toSeconds(expiresInMinutes));
SecurityContextHolder.getContext().setAuthentication(new EntityContext(entity,expiresInMinutes));
String response = gson.toJson(BasicResponse.SUCCESS);
return response;
}
catch (Exception e)
{
session.invalidate();
e.printStackTrace();
throw new AuthenticationCredentialsNotFoundException("Authentication Error");
}
}
答案 0 :(得分:1)
将以下内容添加到我的Web安全配置中似乎可以解决问题。
.requestCache()
.requestCache(new NullRequestCache())
我不确定这样做有什么副作用。我是从博客https://drissamri.be/blog/2015/05/21/spring-security-and-spring-session/
中选择的如果有任何更深入的了解这是好的做法还是不好的做法,我将不胜感激。
我的最终网络安全配置如下所示:
http
.exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint)
.and()
.csrf()
.disable()
.authorizeRequests().antMatchers("**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.requestCache()
.requestCache(new NullRequestCache())
.and()
.sessionManagement()
.sessionFixation()
.newSession()
;