我正在使用Spring应用程序。在浏览器上一切都很好。我可以使用现有用户登录,只需要提供我的用户名和密码即可。我还可以注册一个新用户,然后再使用它登录。
我还有一些可以调用的REST端点。我没有手动定义这些端点。它们是自动创建的,因为我使用的是spring-boot-starter-data-rest依赖项。
REST请求的URL类似于http://localhost:8182/api/v1/recipes。
我正在尝试使用邮递员获得食谱列表。我想收到一条错误消息,例如“ 403 Forbidden”或类似的消息,因为我没有提供任何凭据。相反,我收到了登录页面的HTML代码和状态代码“ 200 OK”。
在我提供用户名和密码作为请求标头之后,这也适用(也许我需要使用另一种方式来提供凭据)
user:user
password:password
以下列表包含一些代码片段,以显示我在项目中编写的与应用程序安全性有关的所有内容:
第一段代码代表了我项目中的SecurityConfig类:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
private UserService userService;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception{
auth.userDetailsService(userService).passwordEncoder(User.PASSWORD_ENCODER);
}
@Override
public void configure(WebSecurity web) throws Exception{
web.ignoring().antMatchers("/css/**");
web.ignoring().antMatchers("/images/**");
web.ignoring().antMatchers("/js/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception{
http.authorizeRequests()
.antMatchers("/sign-up").permitAll()
.anyRequest()
.hasRole("USER")
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.successHandler(loginSuccessHandler())
.failureHandler(loginFailureHandler())
.and()
.logout()
.permitAll()
.logoutSuccessUrl("/login")
.and()
.csrf().disable();
}
public AuthenticationSuccessHandler loginSuccessHandler(){
return (request, response, authentication) ->{
response.sendRedirect("/recipes/");
};
}
public AuthenticationFailureHandler loginFailureHandler(){
return (request, response, exception) ->{
request.getSession().setAttribute("flash",
new FlashMessage("Incorrect username and/or password. Try again.",
FlashMessage.Status.FAILURE));
response.sendRedirect("/login");
};
}
@Bean
public EvaluationContextExtension securityExtension(){
return new EvaluationContextExtensionSupport() {
@Override
public String getExtensionId() {
return "security";
}
@Override
public Object getRootObject(){
Authentication authentication =
SecurityContextHolder.getContext().getAuthentication();
return new SecurityExpressionRoot(authentication) {
};
}
};
}
}
第二个是User实体类:
@Entity
public class User implements UserDetails{
public static final PasswordEncoder PASSWORD_ENCODER =
new BCryptPasswordEncoder();
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
@NotNull
@Column(unique = true)
@Size(min = 2, max = 20)
private String username;
@NotNull
@Column(length = 100)
@JsonIgnore
private String password;
@NotNull
@Column(length = 100)
@JsonIgnore
private String matchingPassword;
@Column(nullable = false)
private boolean enabled;
@OneToOne
@JoinColumn(name = "role_id")
@JsonIgnore
private Role role;
@ManyToMany(targetEntity = Recipe.class, fetch = FetchType.EAGER)
@JoinTable(name = "users_favorite_recipes",
joinColumns = @JoinColumn(name="user_id"),
inverseJoinColumns = @JoinColumn(name = "recipe_id"))
private List<Recipe> favoritedRecipes = new ArrayList<>();
@JsonIgnore
@OneToMany(mappedBy = "user", cascade = CascadeType.ALL)
private List<Recipe> ownedRecipes = new ArrayList<>();
//constructor ...
//getters and setters ...
public void encryptPasswords(){
password = PASSWORD_ENCODER.encode(password);
matchingPassword = PASSWORD_ENCODER.encode(matchingPassword);
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
List<GrantedAuthority> authorities = new ArrayList<>();
authorities.add(new SimpleGrantedAuthority(role.getName()));
return authorities;
}
@Override
public String getPassword() {
return password;
}
@Override
public String getUsername() {
return username;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return enabled;
}
}
第三个代码段表示扩展了 UserDetailsService:
public interface UserService extends UserDetailsService{
UserDetails loadUserByUsername(String username);
User findByUsername(String username);
User registerNewUser(String username, boolean enabled, String password, String matchingPassword);
void save(User user);
List<User> findAll();
}
第四个也是最后一个代码段是先前代码的实现 界面(UserService):
@Component
@ComponentScan
public class UserServiceImpl implements UserService{
@Autowired
private UserDao userDao;
@Autowired
private RoleDao roleDao;
@Override
public User findByUsername(String username) {
User user = userDao.findByUsername(username);
Hibernate.initialize(user.getFavoritedRecipes());
return user;
}
@Override
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException{
User user = userDao.findByUsername(username);
if(user == null){
throw new UsernameNotFoundException(
username + " was not found"
);
}
return user;
}
@Override
public void save(User user) {
userDao.save(user);
}
@Override
public User registerNewUser(String username, boolean enabled, String password, String matchingPassword) {
return userDao.save(new User(username, enabled, password, matchingPassword));
}
@Override
public List<User> findAll() {
return userDao.findAll();
}
}
在这种情况下,我必须修改什么才能获得功能性的REST API授权?
答案 0 :(得分:0)
据我了解,您拥有一个 RESTful API (没有 UI ),如果是,则可以更新 SecurityConfig #configure(HttpSecurity http)方法替换为:
@Override
protected void configure(HttpSecurity http) throws Exception{
http.authorizeRequests()
.antMatchers("/sign-up").permitAll()
.anyRequest()
.hasRole("USER")
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.successHandler(loginSuccessHandler())
.failureHandler(loginFailureHandler())
.and()
.logout()
.permitAll()
.logoutSuccessUrl("/login")
.and()
.csrf().disable();
}
通过此:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.csrf()
.disable()
.exceptionHandling()
.authenticationEntryPoint((request, response, exc) ->
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "You are not authorized to access this resource."))
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
// Array of String that contain's all endpoints you want secure
.antMatchers(ENDPOINTS_TO_SECURE).access("hasAnyRole('ROLE_USER')")
// Array of String that contain's all endpoints you want to permit
.antMatchers(WHITE_LIST).permitAll()
.anyRequest()
.authenticated();
// disable page caching
http.headers().cacheControl();
}
答案 1 :(得分:0)
您需要配置自己的身份验证入口点,要获取403条消息,可以使用Http403ForbiddenEntryPoint。
示例:。
@RestController
public class Controller {
@GetMapping("/test")
public String test() {
return "test";
}
}
添加.exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint()):
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception{
http.authorizeRequests()
.antMatchers("/sign-up").permitAll()
.anyRequest()
.hasRole("USER")
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll()
.logoutSuccessUrl("/login")
.and()
.csrf().disable()
.exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint());
}
}
现在,当我尝试访问http://localhost:8080/test时,会收到403 Access Denied消息。