我正在处理一个实现了Spring安全性但没有启用Web安全性的旧项目,这使得所有WS都可以访问。 (是的:/)
我启用了Web安全性,并在内存用户中使用并成功连接了它。问题是当我与邮递员进行测试时,在成功请求后,我更改了邮递员中的密码,但仍然可以使用!
要获得更多说明,情况是这样的:
send request with user:user -> response: 200 Ok
send request with user:wrongpswd -> response: 200 Ok
send request with wronguser:user -> response: 401 unauthorized
send request with user:wrongpswd -> response: 401 unauthorized
send request with user:user -> response: 200 Ok
send request with user:wrongpswd -> response: 200 Ok
因此它会检查密码,但通过密码时不会。我在寻找拦截器,但没有找到。
这是我的配置类:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("user").roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().and().authorizeRequests()
.antMatchers("/**").authenticated()
.and().csrf().disable();
}
}