SpringSecurity提供了错误401错误的凭据

时间:2019-02-25 10:54:34

标签: spring spring-boot spring-mvc spring-security spring-boot-actuator

我是Spring Security的新手,正在创建一个简单的应用程序来检查身份验证和授权。我正在使用内存数据库。即使当我提供正确的登录凭据时,我也会收到错误401“错误凭据”错误。 另外,我在其他一些端点使用了allowAll()函数,但在这些端点上也得到了登录提示。我尝试清除浏览器历史记录和缓存也没有成功。请帮忙。我正在附加代码。

SecurityConfig.java

    package com.example.demo;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    //Authentication using In Memory Database
    public void configureGlobal(AuthenticationManagerBuilder authenticationManagerBuilder)throws Exception{
        authenticationManagerBuilder.inMemoryAuthentication()
        .withUser("user").password("{noop}pass123").authorities("ROLE_USER")
        .and()
        .withUser("admin").password("{noop}pass123").authorities("ROLE_USER","ROLE_ADMIN");        
    }

    //Authorization
    @Override //Overriding configure to use HttpSecurity for web based HTTP requests
    public void configure(HttpSecurity httpSecurity)throws Exception{
        httpSecurity.
        authorizeRequests()
        .antMatchers("/protectedbyuserrole*").hasRole("USER")
        .antMatchers("/protectedbyadminrole*").hasRole("ADMIN")
        .antMatchers("/","/notprotected").permitAll()
        .anyRequest().authenticated()
        .and()
        .httpBasic();    
    }
}

SpringSecurityApplication.Java

    package com.example.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Import;

@SpringBootApplication
@ComponentScan({"com.example.demo","controller"})
@Import({SecurityConfig.class})
public class SpringSecurityApplication {

    public static void main(String[] args) {
        SpringApplication.run(SpringSecurityApplication.class, args);
    }
}

TestSecurityController.Java

    package com.example.controller;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class TestSecurityController {
    @RequestMapping("/")
    public String Hello() {
        return "Hello World!! ";
    }

    @RequestMapping("/notprotected")
    public String HelloAgain() {
        return "Hello from a non protected user!! ";
    }

    @RequestMapping("/protectedbyuserrole")
    public String HelloUser() {
        return "Hello User Role!! ";
    }

    @RequestMapping("/protectedbyadminrole")
    public String HelloAdmin() {
        return "Hello Admin Role!! ";
    }
}

POM.xml

    <?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.5.19.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>SpringSecurity-1</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>SpringSecurity-1</name>
    <description>SpringSecurity for Authentication and Authorization</description>

    <properties>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

查询

也请让我知道如何使用邮递员中使用的简单密码。我应该使用{noop}还是只写.password(“ pass123”)之类的密码。

我应该在.antmatchers()中使用单个*还是**星号

我也使用Postman和Firefox进行了尝试。到处都是同样的错误。 POSTMAN SCREENSHOT

1 个答案:

答案 0 :(得分:1)

在RequestMapping中指定特定方法(GET,POST等)是您可能需要遵循的良好做法。

我分享了我过去所做的一个基本示例。 您可以在浏览器中尝试使用用户名作为myusername和密码作为mypassword 如果您仍然遇到问题,请告诉我您的邮递员屏幕截图

  @Override
        public void configure(AuthenticationManagerBuilder auth) 
          throws Exception {

            auth.inMemoryAuthentication()
                .withUser("myusername")
                .password("mypassword")
                .roles("USER");
        }

@Override
        protected void configure(HttpSecurity http) throws Exception{

             http
             .csrf().disable()
             .authorizeRequests().antMatchers("/login","/home","/failure").permitAll()
             .antMatchers(HttpMethod.POST,"/admin/**").hasRole("ADMIN") 
             .antMatchers(HttpMethod.PUT,"/admin/**").hasRole("ADMIN")
             .antMatchers(HttpMethod.GET,"/admin/**").hasRole("ADMIN")
             .antMatchers(HttpMethod.GET,"/user/**").hasAnyRole("ADMIN","USER")
             .antMatchers(HttpMethod.POST,"/user/**").hasAnyRole("ADMIN","USER")
             .anyRequest().authenticated();

    }

编辑

映射使用以下规则匹配URL:

  • ?匹配一个字符

  • 匹配零个或多个字符

  • **匹配路径中的零个或多个目录

{spring:[a-z] +}匹配正则表达式[a-z] +作为路径变量“ spring”

Refer Path Matcher Here

 @RequestMapping(value="/protectedbyuser",method=RequestMethod.GET)
        public String Hello() {
            return "Hello Protected By User!! ";
        }