Spring Boot授权基本标头永不改变

时间:2016-12-02 19:02:20

标签: spring spring-boot

我正在尝试设置一个非常基本的Spring启动身份验证应用程序。我在客户端设置Authorization标头并将其发送到后端。我可以验证客户端是否正在发送正确的标头。

后端首次尝试登录时正确接收标头。但是,如果登录凭据不正确,后续请求将保留初始请求的标头(缓存或其他内容)。

我正在使用Redis来缓存会话。我的配置如下:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired AuthenticationEntryPoint authenticationEntryPoint;
    @Autowired CsrfTokenRepository csrfTokenRepository;


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .exceptionHandling()
            .authenticationEntryPoint(authenticationEntryPoint)
            .and()
        .csrf()
            .disable()
        .authorizeRequests().antMatchers("**")
            .permitAll()
            .anyRequest()
            .authenticated()
            ;
    }
}

的AuthenticationEntryPoint

public class AuthenticationEntryPointBean {
@Bean
    AuthenticationEntryPoint authenticationEntryPoint() {
        return new RestAuthenticationEntryPoint();
    }
}

任何方向都会受到赞赏。

**编辑** 添加缓存设置

@Configuration
@EnableRedisHttpSession
public class HttpSessionConfig {

    @Bean
    public JedisConnectionFactory connectionFactory() {
        return new JedisConnectionFactory(); // <2>
    }
}

此外,我正在尝试使缓存无效,但似乎无法正常工作

@CrossOrigin
@RequestMapping(value="/auth/login", method = RequestMethod.GET, produces="application/json")
public @ResponseBody String login(@RequestHeader(name = "authorization") String authorization, HttpSession session, HttpServletRequest request)
    {
        try
        {
            authorization = authorization.substring("Basic ".length());
            String decoded = new String(Base64.getDecoder().decode(authorization),"UTF-8");

            Gson gson = new Gson();
            LoginRequest login = gson.fromJson(decoded,LoginRequest.class);

            UserAuthenticationEntity entity = service.getSecurityContext(login).orElseThrow(() ->
                new BadCredentialsException("Authentication Failed.")
            );

            session.setMaxInactiveInterval((int)TimeUnit.MINUTES.toSeconds(expiresInMinutes));
            SecurityContextHolder.getContext().setAuthentication(new EntityContext(entity,expiresInMinutes));

            String response = gson.toJson(BasicResponse.SUCCESS);
            return response;
        }
        catch (Exception e)
        {
            session.invalidate();
            e.printStackTrace();
            throw new AuthenticationCredentialsNotFoundException("Authentication Error");
        }
    }

1 个答案:

答案 0 :(得分:1)

将以下内容添加到我的Web安全配置中似乎可以解决问题。

.requestCache()
.requestCache(new NullRequestCache())

我不确定这样做有什么副作用。我是从博客https://drissamri.be/blog/2015/05/21/spring-security-and-spring-session/

中选择的

如果有任何更深入的了解这是好的做法还是不好的做法,我将不胜感激。

我的最终网络安全配置如下所示:

 http
        .exceptionHandling()
            .authenticationEntryPoint(authenticationEntryPoint)
            .and()
        .csrf()
            .disable()
        .authorizeRequests().antMatchers("**")
            .permitAll()
            .anyRequest()
            .authenticated()
            .and()
        .requestCache()
            .requestCache(new NullRequestCache())
            .and()
        .sessionManagement()
            .sessionFixation()
            .newSession()
            ;