我已按照教程http://www.concretepage.com/spring-boot/spring-boot-security-rest-jpa-hibernate-mysql-crud-example
进行操作注意: Working on Spring-boot, Spring Data JPA, Security and basic authentication
我的代码在
下面UserDetailsService.java
@Override
public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
System.out.println("UserName: " + userName);
User activeUserInfo = userRepository.findByUserName(userName);
System.out.println("Role D : " + activeUserInfo.getUserRole().getName()); //This prints 'ADMIN' as expected
GrantedAuthority authority = new SimpleGrantedAuthority(activeUserInfo.getUserRole().getName());
System.out.println("User : " + activeUserInfo.getUserName()); //This prints my username 'test123' as expected
System.out.println("PWD : " + activeUserInfo.getPassword()); //This prints '$2a$10$PN/MwjCHtCWsI4auW6Q8AOxb4dug4WSO8tfINySqHZ8eYVjFKIAW6' as expected
System.out.println("Authority : " + authority);
UserDetails userDetails = (UserDetails) new org.springframework.security.core.userdetails.User(activeUserInfo.getUserName(), activeUserInfo.getPassword(),
Arrays.asList(authority));
return userDetails;
}
Sysout从DB打印正确的值。
SecurityConfiguration.java
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests().antMatchers("/server/rest/secure/**").hasAnyRole("ADMIN", "Non Admin").and()
.httpBasic().realmName(REALM).authenticationEntryPoint(new CustomBasicAuthenticationEntryPoint());
}
CustomBasicAuthenticationEntryPoint .java
public class CustomBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint {
@Override
public void commence(final HttpServletRequest request,
final HttpServletResponse response,
final AuthenticationException authException) throws IOException, ServletException {
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
response.addHeader("WWW-Authenticate", "Basic realm=" + getRealmName() + "");
PrintWriter writer = response.getWriter();
writer.println("HTTP Status 401 : " + authException.getMessage());
response.setHeader("WWW-Authenticate", "FormBased");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
}
@Override
public void afterPropertiesSet() throws Exception {
setRealmName("MY_TEST_REALM");
super.afterPropertiesSet();
}
}
但在登录期间我得到了status":403,"error":"Forbidden","message":"Access is denied"
注意:之前我使用Base64加密/解密密码。但现在根据这个例子更新到BCrypt。所以为了现在的测试目的,我已经在线生成了BCrypt密码。我的pwd是"测试" BCrypt pwd是" $ 2a $ 10 $ PN / MwjCHtCWsI4auW6Q8AOxb4dug4WSO8tfINySqHZ8eYVjFKIAW6"。我对此有任何错误吗? 我的代码出了什么问题?
答案 0 :(得分:0)
我认为你最终不会.permit()请在SecurityConfiguration.java中尝试我的代码:
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().cors().disable().httpBasic().and().authorizeRequests()
.antMatchers(PUBLIC_MATCHERS).permitAll().anyRequest().authenticated();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userSecurityService).passwordEncoder(passwordEncoder());
}
PS:PUBLIC_MATCHERS是
private static final String[] PUBLIC_MATCHERS = {
with your folders
};