我正在将Spring Boot 1从Spring Boot 2升级到Spring Boot 2,但是我已经停滞了2天。
过去,身份验证在我的React / Spring引导应用程序上可以很好地工作,但是在迁移所有东西之后一切都很好,但是在我的api / authenticate资源上总是获得401(未经授权)。
在进行一些更改后,这里是我的安全配置:
@Override
public void configure(HttpSecurity http) throws Exception {
http.httpBasic()
//.authenticationEntryPoint(authenticationEntryPoint)
.and()
.authorizeRequests()
.antMatchers(PERMIT_ALL_GET_URLS).permitAll()
.antMatchers(HttpMethod.POST, PERMIT_ALL_POST_URLS).permitAll()
.anyRequest().authenticated()
.and()
.logout().clearAuthentication(true)
.logoutRequestMatcher(new AntPathRequestMatcher("/api/logout")).invalidateHttpSession(true).and().csrf()
.requireCsrfProtectionMatcher(new RequestMatcher() {
private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
@Override
public boolean matches(HttpServletRequest request) {
// No CSRF due to public requests
if (stringContainsItemFromList(request.getRequestURI(), PERMIT_ALL_POST_URLS_PATTERN_PREFIX))
return false;
if (Arrays.asList(PERMIT_ALL_POST_URLS).contains(request.getRequestURI()))
return false;
// No CSRF due to allowed methods
if (allowedMethods.matcher(request.getMethod()).matches())
return false;
// CSRF for everything else
return true;
}
}).csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.ignoringAntMatchers("/api/external/uploadBulkVerifications/*");
http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
http.headers().xssProtection().xssProtectionEnabled(true);
http.headers().xssProtection().block(false);
http.headers().defaultsDisabled().contentTypeOptions();
http.sessionManagement().maximumSessions(2).expiredUrl("/");
http.addFilterBefore(authenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
我是否缺少某些东西,或者还需要查看authenticate()方法
编辑:
我使用了错误的凭据:
2019-07-02 11:02:13.100 DEBUG 79640 --- [nio-8080-exec-7] o.s.s.w.a.www.BasicAuthenticationFilter : Authentication request for failed: org.springframework.security.authentication.BadCredentialsException: gaca.api.errors.authentication.0001
2019-07-02 11:02:13.100 DEBUG 79640 --- [nio-8080-exec-7] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
2019-07-02 11:02:13.100 DEBUG 79640 --- [nio-8080-exec-7] s.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.HttpStatusEntryPoint@17b900b4
2019-07-02 11:02:13.101 DEBUG 79640 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2019-07-02 11:02:13.101 DEBUG 79640 --- [nio-8080-exec-7] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
我想知道哪个过滤器阻止了我
凭正确的凭据,我会得到:
2019-07-02 11:07:06.397 DEBUG 79640 --- [nio-8080-exec-3] e.g.c.S.LimitLoginAuthenticationProvider : User account credentials have expired
我不处理任何过期的凭据