0

I am using spring basic authentication with the following settings in my security xml: 

<http use-expressions="true" create-session="never" >
        <intercept-url pattern="/**" method="GET" access="isAuthenticated()" />
        <intercept-url pattern="/**" method="POST" access="isAuthenticated()" />
        <intercept-url pattern="/**" method="PUT" access="isAuthenticated()" />
        <intercept-url pattern="/**" method="DELETE" access="isAuthenticated()" />
        <http-basic />
    </http>

If authentication fails, the browser pop ups a prompt window to renter the user name and password. Is there any way to make that prompt not pop up at all ?

4

3 回答 3

1

最有可能用于身份验证失败的页面也受到保护。您可以尝试手动将失败页面设置为不受保护的页面,例如

 <access-denied-handler error-page="/login.jsp"/>

和...一起

 <intercept-url pattern="/*login*" access="hasRole('ROLE_ANONYMOUS')"/>

或者

<intercept-url pattern='/*login*' filters='none'/>

或者您可以使用 auto-config='true'http 元素的属性来为您解决此问题。在此处查看更多信息

于 2012-04-27T09:55:39.340 回答
0

对于浏览器中的 REST API 抛出登录对话框,我也遇到了同样的问题。如您所说,当浏览器将响应标头视为

WWW-Authenticate: Basic realm="Spring Security Application

它将提示一个基本的身份验证对话框。对于基于 REST API 的登录,这并不理想。这是我的做法。定义一个自定义身份验证入口点,并在开始时 将标题设置为“FormBased”

response.setHeader("WWW-Authenticate", "FormBased");

application-context.xml 配置如下

<security:http create-session="never" entry-point-ref="authenticationEntryPoint" authentication-manager-ref="authenticationManager">
    <security:custom-filter ref="customRestFilter" position="BASIC_AUTH_FILTER" />
    <security:intercept-url pattern="/api/**" access="ROLE_USER" />
</security:http>

<bean id="authenticationEntryPoint" class="com.tito.demo.workflow.security.RestAuthenticationEntryPoint">
</bean>

下面的自定义入口点类。

@Component
public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {

    private static Logger logger = Logger.getLogger(RestAuthenticationEntryPoint.class);

    public void commence( HttpServletRequest request, HttpServletResponse response,
                          AuthenticationException authException ) throws IOException {
        logger.debug("<--- Inside authentication entry point --->");
        // this is very important for a REST based API login. 
        // WWW-Authenticate header should be set as FormBased , else browser will show login dialog with realm
        response.setHeader("WWW-Authenticate", "FormBased");
        response.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
    }


}

注意:我用的是spring 3.2.5.Release

现在,当从像 POSTMAN 这样的 restclient 访问 rest API 时,服务器将返回 401 Unauthorized。

于 2014-09-26T15:42:43.953 回答
0

我遇到了同样的问题,我所做的是RequestMatcher在我的资源服务器中创建一个自定义。这可以防止Outh2发送WWW-Authenticate header.

例子:

 @Override

    public void configure(HttpSecurity http) throws Exception {
         http.requestMatcher(new OAuthRequestedMatcher())
                .authorizeRequests()
                 .antMatchers(HttpMethod.OPTIONS).permitAll()
                    .anyRequest().authenticated();
    }

    private static class OAuthRequestedMatcher implements RequestMatcher {
        public boolean matches(HttpServletRequest request) {
            String auth = request.getHeader("Authorization");
            boolean haveOauth2Token = (auth != null) && auth.startsWith("Bearer");
            boolean haveAccessToken = request.getParameter("access_token")!=null;
   return haveOauth2Token || haveAccessToken;
        }
    }
于 2017-07-21T21:10:56.807 回答