我要做的是登录用户并取回令牌(这部分有效)。然后我想在每次访问 API 路径时验证这个令牌。我显然做错了什么,也许我不完全理解 Spring Security Rest 插件实际上应该做什么,但每当我调用 API 路径并发送令牌时,我得到的只是 Spring Security 登录页面的 html。我正在使用 Boomerang Soap 和 Rest 客户端。这是我要发送的内容。
登录请求(路径:)http://localhost:7070/backend3/api/login
:
{
"username": "test@user.com",
"password": "1234"
}
登录响应:
{
"username": "test@user.com",
"roles": [
"ROLE_USER"
],
"token_type": "Bearer",
"access_token": "eyJhbGciOiJIU.", // shortened token to conserve space
"expires_in": 3600,
"refresh_token": "eyJhbGciOiJIU." // shortened token to conserve space
}
很明显,这部分工作正常。然后我尝试使用从上述响应中收到的令牌来访问我的 API。请记住,在我的 Spring Security 规则下的配置中,我有'/external/**':['ROLE_USER']
. 如果我将其更改为['permitAll']
然后我可以访问没有问题,但弹簧安全实际上是无用的。
API 请求(路径http://localhost:7070/backend3/external/user/info
:)
{
"access_token": "eyJhbGciOiJIU" // shortened token to conserve space
}
然后返回标准登录页面的 html。我试过发送各种组合的东西,比如access_token
, username
, token_type
, roles
. 我什至尝试过不同格式的access_token
; "Authorization":"Bearer eyJhbGciOiJIU"
我在文档上找到但没有任何效果。
有人可以向我解释如何解决这个问题,因为文档假设了很多我显然没有的先验知识。我将在下面发布我的 Config 和 UrlMappings 文件(的相关部分)以进一步说明。如果我需要提供更多信息,请告诉我,我真的需要让它工作,因为我已经坚持了 2 周。谢谢
配置:
// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.crastino.domain.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.crastino.domain.UserRole'
grails.plugin.springsecurity.authority.className = 'com.crastino.domain.Role'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
'/': ['permitAll'],
'/index': ['permitAll'],
'/index.gsp': ['permitAll'],
'/assets/**': ['permitAll'],
'/**/js/**': ['permitAll'],
'/**/css/**': ['permitAll'],
'/**/images/**': ['permitAll'],
'/**/favicon.ico': ['permitAll'],
'/external/**': ['ROLE_USER']
]
grails.plugin.springsecurity.filterChain.chainMap = [
'/auth/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter', // Stateless chain
'/api/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter', // Stateless chain
'/**': 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter'
]
grails.plugin.springsecurity.rest.login.active=true
grails.plugin.springsecurity.rest.login.endpointUrl='/api/login'
grails.plugin.springsecurity.rest.login.failureStatusCode=401
grails.plugin.springsecurity.rest.login.useJsonCredentials=true
grails.plugin.springsecurity.rest.login.usernamePropertyName='username'
grails.plugin.springsecurity.rest.login.passwordPropertyName='password'
grails.plugin.springsecurity.rest.logout.endpointUrl='/auth/logout'
grails.plugin.springsecurity.rest.token.generation.useSecureRandom=true
grails.plugin.springsecurity.rest.token.generation.useUUID=false
grails.plugin.springsecurity.rest.token.validation.active=true
grails.plugin.springsecurity.rest.token.validation.endpointUrl='/auth/validate'
附言。grails.plugin.springsecurity.filterChain.chainMap
我还尝试通过添加'/external/**': 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter'
到数组的末尾来添加我试图访问此部分的路径
网址映射:
group("/external") {
"/user/info" (controller: 'external', action: 'Service_UserInfo')
}