我们有一个使用spring基本身份验证的应用程序用于安全性。该应用程序不是基于Spring MVC构建的。我们使用聚合物作为前端,并将服务作为基于休息的服务。
要求是实现一个登录表单,点击提交按钮需要调用一个应该发布用户名/密码的javascript。
有没有办法将凭据从javascript传递给spring基本身份验证servlet,以便验证请求。我们已经实现了AuthenticationProvider身份验证以执行验证。
import org.springframework.security.authentication.*;
import org.springframework.security.core.*;
import java.util.*;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.UriInfo;
import com.lifesciencemeta.ls.User;
import com.lifesciencemeta.ls.LifeScienceServiceMaster;
import com.lifesciencemeta.ls.LifeScienceConstants;
public class SpringBasicAuthentication implements AuthenticationProvider {
public LifeScienceServiceMaster lifeScienceService;
@Context
UriInfo lsUri;
public LifeScienceServiceMaster getLifeScienceService() {
return lifeScienceService;
}
public void setLifeScienceService(LifeScienceServiceMaster lifeScienceService) {
this.lifeScienceService = lifeScienceService;
}
@Override
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
UsernamePasswordAuthenticationToken auth = (UsernamePasswordAuthenticationToken) authentication;
String principal = (String) auth.getPrincipal();
String credential = (String) auth.getCredentials();
User u = lifeScienceService.authenticateUser(principal, credential);
if (u == null)
throw new BadCredentialsException(LifeScienceConstants.getMsg(“Auth Failed"));
else {
List<GrantedAuthority> grantedAuths = new ArrayList<GrantedAuthority>();
String role = u.getRole().getName();
if(role == null) {
throw new BadCredentialsException(LifeScienceConstants.getMsg(“Auth Failed"));
}
grantedAuths.add(new SimpleGrantedAuthority(role));
UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
principal, credential, grantedAuths);
result.setDetails(u);
return result;
}
}
@Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd” id =“WebApp_ID”version =“2.5”&gt; org.springframework.web.context.ContextLoaderListener contextConfigLocation的 /WEB-INF/context.xml springSecurityFilterChain org.springframework.web.filter.DelegatingFilterProxy springSecurityFilterChain / 泽西REST服务 com.sun.jersey.spi.container.servlet.ServletContainer com.sun.jersey.config.property.packages com.lifesciencemeta.ls.restService.Invoke com.sun.jersey.api.json.POJOMappingFeature 真正 1 泽西REST服务 /休息/
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled" pre-post-annotations="enabled" />
<security:http>
<security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN"/>
<security:http-basic />
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="SpringBasicAuthentication" />
</security:authentication-manager>
<bean id="SpringBasicAuthentication"
class="com.lifesciencemeta.ls.SpringBasicAuthentication" >
<property name="lifeScienceService" ref="lsLifeScienceServiceImpl"/>
</bean>
</beans>
答案 0 :(得分:0)
您可以将spring security配置为使用基本身份验证,然后只使用基本身份验证信息向任何受保护资源和授权标头发送请求。
@SpringBootApplication
public class So44459836Application {
public static void main(String[] args) {
SpringApplication.run(So44459836Application.class, args);
}
@EnableWebSecurity
public static class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/public/**"); //for static resources
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.formLogin().disable() //disable integrated login form
.httpBasic().and() // we want http basic authentication
.authorizeRequests().anyRequest().authenticated(); // all requests are protected
}
}
@RestController
@RequestMapping("/api/me")
public static class MeController {
@GetMapping
public String me(Principal principal) {
return principal.getName(); // just return current username.
}
}
}
示例表格
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport"
content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>App</title>
</head>
<body>
<div>
<section> <strong>Login</strong></section>
<div>
<label for="username">Username</label>
<input type="text" id="username">
</div>
<div>
<label for="password">Password</label>
<input type="password" id="password">
</div>
<input type="button" onclick="login();" value="Authenticate">
</div>
</body>
<script type="text/javascript">
'use strict';
function login() {
var username = document.getElementById('username').value;
var password = document.getElementById('password').value;
var xhr = new XMLHttpRequest();
xhr.open('GET', '/api/me', false, username, password);
xhr.onload = function() {
if (xhr.status === 200) {
alert('User\'s name is ' + xhr.responseText);
}
else {
alert('Request failed. Returned status of ' + xhr.status);
}
};
xhr.send();
}
</script>
</html>
<强>更新
对于旧版本的spring-security,JavaConfig不可用,所以可以试试这个:
web.xml
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
<display-name>Spring3 App</display-name>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>spring-web</servlet-name>
<servlet-class>
org.springframework.web.servlet.DispatcherServlet
</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring-web</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
弹簧的web-servlet.xml中
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd">
<mvc:resources mapping="/public/**" location="/public/"/>
</beans>
的applicationContext.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<context:component-scan base-package="com.stackoverflow.so44459836"/>
<mvc:annotation-driven/>
<sec:http auto-config="true">
<sec:intercept-url pattern="/api/**" access="IS_AUTHENTICATED_FULLY" />
<sec:http-basic/>
</sec:http>
<sec:authentication-manager>
<sec:authentication-provider>
<sec:user-service>
<sec:user name="admin" password="admin" authorities="ROLE_ADMIN"/>
</sec:user-service>
</sec:authentication-provider>
</sec:authentication-manager>
</beans>
将上面示例中的示例控制器放到component-scan指定的包中,将html文件放到webapp / public目录中,你应该很好。
PS。我已使用spring-webmvc:3.1.4.RELEASE和spring-security-{web,config}:3.1.7.RELEASE尝试此示例。