Spring 引导 ServeletInitializer 和 Spring 安全
Spring boot ServeletInitializer and Spring Security
我有2个配置文件。一个是 Spring 引导应用程序
@SpringBootApplication
public class Application extends SpringBootServletInitializer {
public static void main(String[] args) {
ApplicationContext ctx = SpringApplication.run(Application.class, args);
}
@Override
protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
return application.sources(Application.class);
}
...
}
和 Spring 安全配置。看来它不工作。每当我访问 localhost:8080 时,它都会询问我的用户名和密码。我相信我在 auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
中配置了
@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
}
但是它显示了无效的凭据,有没有办法验证这个?
编辑:我正在尝试将此 xml 配置转换为基于 JavaConfig 但仍然无济于事。
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd">
<context:component-scan base-package="org.app.genesis.client.auth"/>
<http pattern="/resources/**" security="none"/>
<http pattern="/index.jsp" security="none"/>
<http>
<intercept-url pattern="/api/*" requires-channel="https"/>
<!--TODO Add RESOURCE PATTERN checker -->
<form-login login-page="/index.jsp" default-target-url="/dashboard"/>
<logout />
</http>
<!-- Test Login values -->
<authentication-manager>
<!--use inMemoryUserDetailsService for faux auth -->
<authentication-provider ref="customAuthenticationProvider"/>
</authentication-manager>
</beans:beans>
这是我的新 SecurityConfig
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private TenantDetailsService tenantUserDetailsService;
@Autowired
private PasswordEncryptionService passwordEncoder;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(tenantUserDetailsService).passwordEncoder(passwordEncoder);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.formLogin().loginPage("/index.jsp").defaultSuccessUrl("/dashboard");
}
}
安全-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd">
<context:component-scan base-package="org.brightworks.genesis.client.auth"/>
<http pattern="/resources/**" security="none"/>
<http pattern="/index.jsp" security="none"/>
<http>
<intercept-url pattern="/api/*" requires-channel="https"/>
<!--TODO Add RESOURCE PATTERN checker -->
<form-login login-page="/index.jsp" default-target-url="/dashboard"/>
<logout />
</http>
<!-- Test Login values -->
<authentication-manager>
<!--use inMemoryUserDetailsService for faux auth -->
<authentication-provider ref="customAuthenticationProvider"/>
</authentication-manager>
</beans:beans>
使用 auth.inMemoryAuthentication() 您只需定义一个用户及其凭据。
如果你想使用它们,你必须告诉 Spring Boot 不要创建它自己的默认值。 Spring Boot 的默认值是 "user" 以及当您 运行 应用程序时它在控制台中显示的密码。
您在 application.properties 文件中设置自己的默认凭据,如下所示:
security.user.name=user
security.user.password=password
management.security.role=USER
如果您想使用自己的身份验证版本。首先禁用 spring 启动 spring 安全配置。将此添加到您的 application.properties.
security.basic.enabled=false
并将您的 http 配置更改为此。
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/**")
.hasAnyRole("ROLE1","ROLE2")
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/j_spring_security_check")
.defaultSuccessUrl("/product/search", true)
.permitAll()
.and()
.csrf()
.disable()
.logout()
.logoutUrl("/j_spring_security_logout")
.logoutSuccessUrl("/login");
}
将上述配置与此登录表单匹配
<form class="form-signin"name="f" action="${pageContext.request.contextPath}/j_spring_security_check" method="POST">
<fieldset>
<input class="form-control form-group" type="text" name="username" placeholder="Username">
<input class="form-control" type="password" name="password" placeholder="Password" >
<a class="forgot pull-right" href="#">Forgot password?</a>
<button name="submit" class="btn btn-block btn-primary" type="submit">Sign in</button>
</fieldset>
</form>
假设页面登录页面是“/login”,您所说的 POST 请求是 j_spring_security_check。因此,loginProcessingUrl 设置为
j_spring_security_check
我有2个配置文件。一个是 Spring 引导应用程序
@SpringBootApplication
public class Application extends SpringBootServletInitializer {
public static void main(String[] args) {
ApplicationContext ctx = SpringApplication.run(Application.class, args);
}
@Override
protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
return application.sources(Application.class);
}
...
}
和 Spring 安全配置。看来它不工作。每当我访问 localhost:8080 时,它都会询问我的用户名和密码。我相信我在 auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
}
但是它显示了无效的凭据,有没有办法验证这个?
编辑:我正在尝试将此 xml 配置转换为基于 JavaConfig 但仍然无济于事。
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd">
<context:component-scan base-package="org.app.genesis.client.auth"/>
<http pattern="/resources/**" security="none"/>
<http pattern="/index.jsp" security="none"/>
<http>
<intercept-url pattern="/api/*" requires-channel="https"/>
<!--TODO Add RESOURCE PATTERN checker -->
<form-login login-page="/index.jsp" default-target-url="/dashboard"/>
<logout />
</http>
<!-- Test Login values -->
<authentication-manager>
<!--use inMemoryUserDetailsService for faux auth -->
<authentication-provider ref="customAuthenticationProvider"/>
</authentication-manager>
</beans:beans>
这是我的新 SecurityConfig
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private TenantDetailsService tenantUserDetailsService;
@Autowired
private PasswordEncryptionService passwordEncoder;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(tenantUserDetailsService).passwordEncoder(passwordEncoder);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.formLogin().loginPage("/index.jsp").defaultSuccessUrl("/dashboard");
}
}
安全-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd">
<context:component-scan base-package="org.brightworks.genesis.client.auth"/>
<http pattern="/resources/**" security="none"/>
<http pattern="/index.jsp" security="none"/>
<http>
<intercept-url pattern="/api/*" requires-channel="https"/>
<!--TODO Add RESOURCE PATTERN checker -->
<form-login login-page="/index.jsp" default-target-url="/dashboard"/>
<logout />
</http>
<!-- Test Login values -->
<authentication-manager>
<!--use inMemoryUserDetailsService for faux auth -->
<authentication-provider ref="customAuthenticationProvider"/>
</authentication-manager>
</beans:beans>
使用 auth.inMemoryAuthentication() 您只需定义一个用户及其凭据。 如果你想使用它们,你必须告诉 Spring Boot 不要创建它自己的默认值。 Spring Boot 的默认值是 "user" 以及当您 运行 应用程序时它在控制台中显示的密码。 您在 application.properties 文件中设置自己的默认凭据,如下所示:
security.user.name=user
security.user.password=password
management.security.role=USER
如果您想使用自己的身份验证版本。首先禁用 spring 启动 spring 安全配置。将此添加到您的 application.properties.
security.basic.enabled=false
并将您的 http 配置更改为此。
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/**")
.hasAnyRole("ROLE1","ROLE2")
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/j_spring_security_check")
.defaultSuccessUrl("/product/search", true)
.permitAll()
.and()
.csrf()
.disable()
.logout()
.logoutUrl("/j_spring_security_logout")
.logoutSuccessUrl("/login");
}
将上述配置与此登录表单匹配
<form class="form-signin"name="f" action="${pageContext.request.contextPath}/j_spring_security_check" method="POST">
<fieldset>
<input class="form-control form-group" type="text" name="username" placeholder="Username">
<input class="form-control" type="password" name="password" placeholder="Password" >
<a class="forgot pull-right" href="#">Forgot password?</a>
<button name="submit" class="btn btn-block btn-primary" type="submit">Sign in</button>
</fieldset>
</form>
假设页面登录页面是“/login”,您所说的 POST 请求是 j_spring_security_check。因此,loginProcessingUrl 设置为
j_spring_security_check