基本身份验证不适用于POST端点

Question

我已经建立了一个Web服务器，我正在尝试使用密码保护。我正在尝试使用Spring Boot设置基本身份验证。到目前为止，这是我的配置文件：

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

   @Override
   protected void configure(HttpSecurity http) throws Exception {
      http.authorizeRequests()
         .antMatchers("/", "/v1/occupancy/*")
         .permitAll()
         .anyRequest()
         .authenticated()
         .and()
         .httpBasic();
   }
}

这可以按预期工作并保护我的GET端点之一，使我可以进行身份​​验证。

但是，对于POST端点，这不起作用。端点看起来像这样：

@RequestMapping(path = "/v1/admin/repository")
public class RepositoryOptionsController {

    private final EstablishmentOptionsRepositoryService establishmentOptionsRepositoryService;
    private final SubAreaOptionsRepositoryService subAreaOptionsRepositoryService;
@PostMapping("/establishment/options")
public ResponseEntity<String> postEstablishmentOption(@RequestBody OptionsRequestDto body) {

当我这样做

curl -X POST "http://localhost:8080/v1/admin/repository/establishment/options" -u root -v -d "{...}"

我明白了

    Enter host password for user 'root':
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
* Server auth using Basic with user 'root'
> POST /v1/admin/repository/establishment/options HTTP/1.1
> Host: localhost:8080
> Authorization: Basic cm9vdDpyb290
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Length: 271
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 271 out of 271 bytes
< HTTP/1.1 401
< Set-Cookie: JSESSIONID=6E1CBD875597C83E6DEB794986050631; Path=/; HttpOnly
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Realm"
< Content-Length: 0
< Date: Sun, 27 Sep 2020 15:29:13 GMT
<
* Connection #0 to host localhost left intact
* Closing connection 0

相同的用户/通行证组合在GET上没有问题。怎么办？

Answer 1

配置需要更多步骤。

1. 配置字符串安全性

   @配置 @EnableWebSecurity @EnableTransactionManagement 公共类SecurityConfiguration扩展了WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailServiceImpl userService;
   
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception{
        auth.userDetailsService(userService);
    }
   
   
   
   
    @Override
    protected void configure(HttpSecurity http) throws Exception {
   
        http.authorizeRequests()
                .antMatchers("/webjars/**", "/styles/**",  "/vendors/**", "/node_modules/**",  "/app/**", 
                        "/assets/**", "/api/channel/**", "/jobs/**").permitAll()
                .anyRequest().authenticated()
            .and()
                .formLogin().loginPage("/login").permitAll()
            .and()
                .logout().logoutSuccessUrl("/login?logout").permitAll()
            .and()
                .csrf().disable();
    }
   

   }

2. 实现UserDetailsS​​ervice @服务 公共类UserDetailServiceImpl实现UserDetailsS​​ervice { @Autowired UtentiRepostitory utentiRepository;

    @Override
    public UserDetails loadUserByUsername(String nomeUtente) throws UsernameNotFoundException {
        try {
   
            String userId = nomeUtente;
   
            Utente utente = utentiRepository.findById(userId).get();
   
            UserDetailsImp user = new UserDetailsImp(utente);
            user.username = nomeUtente;
   
            user.password = utente.getPasswd();
   
            return user;
        } catch (Exception e) {
            throw new UsernameNotFoundException(nomeUtente);
        }
    }
   

   } 您在Spring Security配置中引用的此服务包含用于生成实现UserDetails接口的对象的所有角色

3. 实现UserDetails界面

   公共类UserDetailsImp实现UserDetails {

    /**
     * 
     */
    private static final long serialVersionUID = 1L;
    String password;
    String username;
    public Utente utente;
   
    public UserDetailsImp(Utente utente) {
        this.utente = utente;
    }
   
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        List<GrantedAuthority> res = new ArrayList<>();
        res.add(new SimpleGrantedAuthority("ROLE_MENU"));
        return res;
    }
   
    public String getPassword() {
        return password;
    }
   
    public void setPassword(String password) {
        this.password = password;
    }
   
    public String getUsername() {
        return username;
    }
   
    public void setUsername(String username) {
        this.username = username;
    }
   
   
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }
   
    @Override
    public boolean isAccountNonLocked() {
        return true;
    }
   
    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }
   
    @Override
    public boolean isEnabled() {
        return true;
    }
   
    public String getDenominazione() {
        return utente.getDenominazione();
    }
   
   
   
    public Utente getUtente() {
        return utente;
    }
   
    public void setUtente(Utente utente) {
        this.utente = utente;
    }
   

   }

就我而言 @Autowired UtentiRepostitory utentiRepository； 是一个从用户数据库读取数据的存储库，但是您可以使用任何喜欢的机制。现在设置了Spring安全性。

然后您需要在登录页面中添加一个表单

<form class="form-horizontal" id="loginForm" th:action="@{/login}" method="post">
    <input type="text" name="username">
    <input type="password" name="password">
</form>

不要急于添加百里叶springsecurity依赖项。 希望对您有帮助

Answer 2

原因是httpBasic和formLogin的CSRF防御默认情况下处于打开状态。由于您的POST不包含CSRF令牌，因此Spring Security会拒绝它。

通过更改配置以允许/error端点，您可以对此有更好的了解：

http
    .authorizeRequests()
        .antMatchers("/", "/v1/occupancy/**", "/error").permitAll()
    // ...

然后，当您提交POST时，您会看到与CSRF令牌拒绝相关的403。

如果您的REST API不是前端的，则可以关闭CSRF。一种方法是禁用适当的端点：

http
  .authorizeRequests()
    // ...
    .and()
  .csrf()
    .ignoringAntMatchers("/v1/admin/repository/establishment/options")
    // ...

如果是正面的，则应该做的是prepare your front-end to hand the CSRF token back to the request。