2

我是 Spring 和 Spring Security 的新手,我似乎无法正常工作。我正在使用 Spring 安全性保护 Web 服务。当我明确登录到我定义的 URL 时,我得到了适当的响应 - 401、200 等 - 用于安全请求。但是,当我尝试通过 curl 或在标头中发送身份验证的海报测试提供数据的实际 url 时,我无法让它工作。

这是我的 servlet-security.xml 文件:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

<http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint">
  <intercept-url pattern="/services/schedule/**" access="ROLE_USER, ROLE_ADMIN"/>

  <custom-filter ref="myFilter" position="FORM_LOGIN_FILTER"/>

  <!-- Adds a logout filter to Spring Security filter chain -->
    <logout logout-url="/api/logout" delete-cookies="true" invalidate-session="true"
        success-handler-ref="restLogoutSuccessHandler"/>
</http>

<beans:bean id="myFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
  <beans:property name="authenticationManager" ref="authenticationManager"/>
  <beans:property name="authenticationSuccessHandler" ref="mySuccessHandler"/>
  <beans:property name="filterProcessesUrl" value="/api/login"/>
    <beans:property name="usernameParameter" value="username"/>
    <beans:property name="passwordParameter" value="password"/>
    <beans:property name="postOnly" value="true"/>
 </beans:bean>

 <!-- Configures a custom authentication success handler that returns HTTP status code 200 -->
 <beans:bean id="mySuccessHandler" class="com.touchvision.pilot.security.RestAuthenticationSuccessHandler"/>

 <!-- Configures a custom authentication failure handler that returns HTTP status code 401 -->
 <beans:bean id="restAuthenticationFailureHandler" class="com.touchvision.pilot.security.RestAuthenticationFailureHandler"/>

  <!-- Configures a custom logout success handler that returns HTTP status code 200 -->
  <beans:bean id="restLogoutSuccessHandler" class="com.touchvision.pilot.security.RestLogoutSuccessHandler"/>

<!-- Declare an authentication-manager to use a custom userDetailsService -->
<authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="customUserDetailsService">
                <password-encoder ref="passwordEncoder"/>
        </authentication-provider>
</authentication-manager>

<!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the database -->
<beans:bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>

    <!-- A custom service where Spring will retrieve users and their corresponding access levels  -->
<beans:bean id="customUserDetailsService" class="com.touchvision.pilot.services.CustomUserDetailsService"/>

</beans:beans>

正如我所说,我可以通过将凭据发布到 /api/login 来正常登录。但是,当我尝试使用实际数据请求在标头中发送身份验证时,我收到一条错误消息,提示“此请求需要 HTTP 身份验证”。我正在使用的 curl 命令是:

curl -u admin@touchvision.com:admin123 "http://local.touchvision.com/services/schedule/list"

感谢您的任何帮助。

4

2 回答 2

4

您只UsernamePasswordAuthenticationFilter配置了一个表单登录过滤器 ( ) 来处理在 HTTP POST 请求中传递的表单参数,但服务器端没有任何东西可以处理请求的标头

尝试配置一个BasicAuthenticationFilter将根据标头中传递的信息对请求进行身份验证的方法。

于 2013-02-21T15:36:41.300 回答
0

您是否尝试过在用户 ID 中使用 %40 而不是 @ 符号。此外,根据您的 CURL 版本,您可能需要尝试在整个 -u 参数周围加上引号。

于 2013-02-21T15:27:05.970 回答