WebSecurityConfigurerAdapter is never entered

Time: 2017-10-06 14:10:17

Tags: spring-boot spring-security

I made a simple REST service and I want to add some simple security to the API. So I created a WebSecurityConfigurerAdapter:

package org.test.subscription.webservice.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

                auth
                        .inMemoryAuthentication()
                        .withUser("test1").password("test1").roles("superAdminRole").and()
                        .withUser("test2").password("test2").roles("superAdminRole");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
                http.httpBasic()
                        .and()
                        .authorizeRequests()
                        .anyRequest().hasRole("webserviceReadRole").and()
                        .csrf().disable();
        }
}

This is my main entry point:

package org.test.subscription.webservice;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class Application {

        public static void main(String[] args) {
                SpringApplication.run(Application.class, args);
        }

}

But when I call something in my API, I'm not authenticated at all and I get my "hello world" response. So it never checks my role. Any ideas?

1 answer:

Answer 0 (score: 2)

Your example should work as expected (tested with Boot 1.5.7 and 2.0.0 M3). So I'd suggest you try the following. First verify some trivial things:

  1. You don't have anything in application.properties or the corresponding yaml that disables security checks (e.g. security.ignored and co.).
  2. There is no other WebSecurityConfigurerAdapter in your application.
  3. Spring scans your classes correctly.
  4. You don't have some strange cookies in your browser. E.g. try the same request by starting the browser in private mode or by using curl or something similar.
  5. If it still doesn't work, enable the Spring Security debugger to get insight into what happens behind the scenes and why you see the unexpected behaviour. This can be done with:

    @EnableWebSecurity(debug = true)
    

    This will make Spring print a lot of extra details that can help you figure out what's wrong. In your setup, you should see something like the following in the log when you issue a request.

    First, the request itself with the correct headers. An excerpt of the most important parts:

    Request received for GET '/path/to/your/api':
    
    org.apache.catalina.connector.RequestFacade@58a4ad1c
    
    authorization: Basic dGVzdDE6dGVzdDE=
    cookie: JSESSIONID=9E4EBB889BB178E05446104EF2787C2F
    

    Then you will see the filter chain managed by the FilterChainProxy that matched your request (note that depending on your application setup there might be other filter chains - the log shows the matched chain, which might not be the one you expect):

    Security filter chain: [
      WebAsyncManagerIntegrationFilter
      SecurityContextPersistenceFilter
      HeaderWriterFilter
      CsrfFilter
      LogoutFilter
      BasicAuthenticationFilter
      RequestCacheAwareFilter
      SecurityContextHolderAwareRequestFilter
      AnonymousAuthenticationFilter
      SessionManagementFilter
      ExceptionTranslationFilter
      FilterSecurityInterceptor
    ]
    

    Then a lot of DEBUG messages will appear in the log. Pay special attention to the ones produced around the BasicAuthenticationFilter:

    2017-10-07 14:42:21.644 DEBUG 56071 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : /pat/to/your/api at position 6 of 12 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
    2017-10-07 14:42:21.645 DEBUG 56071 --- [nio-8080-exec-2] o.s.s.w.a.www.BasicAuthenticationFilter  : Basic Authentication Authorization header found for user 'test1'
    2017-10-07 14:42:21.645 DEBUG 56071 --- [nio-8080-exec-2] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
    2017-10-07 14:42:21.647 DEBUG 56071 --- [nio-8080-exec-2] o.s.s.w.a.www.BasicAuthenticationFilter  : Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@8fc16c08: Principal: org.springframework.security.core.userdetails.User@6924ddf: Username: test1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_superAdminRole; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 9E4EBB889BB178E05446104EF2787C2F; Granted Authorities: ROLE_superAdminRole
    2
    

    The FilterSecurityInterceptor should also output a successful authorization message:

    2017-10-07 14:42:21.649 DEBUG 56071 --- [nio-8080-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@8fc16c08: Principal: org.springframework.security.core.userdetails.User@6924ddf: Username: test1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_superAdminRole; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 9E4EBB889BB178E05446104EF2787C2F; Granted Authorities: ROLE_superAdminRole
    2017-10-07 14:42:21.649 DEBUG 56071 --- [nio-8080-exec-2] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@1ca8b2d, returned: 1
    2017-10-07 14:42:21.649 DEBUG 56071 --- [nio-8080-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor    : Authorization successful
    

    Hopefully all these details take you further :-)