Spring Security:测试和理解REST身份validation
-
我正在使用Spring-MVC,我在其中使用Spring-Security进行登录/注销和会话管理。 在普通浏览器中使用时效果很好。 我正在尝试为应用程序集成REST身份validation,我在其中参考了答案 。 我做了一些修改,以便我也可以在浏览器中使用它,也可以在REST上使用它。
- 现在,代码运行得很好,但我不知道为什么,而且如果我想通过RESTvalidation用户,我如何使用此代码实现? 不幸的是,没有错误要求解决方案。
任何人都可以告诉我这段代码,我应该通过REST发送哪些数据进行身份validation并访问后续的@Secured服务。 你能帮忙的话,我会很高兴。 非常感谢。
Security-application-context.xml:
<!----> AuthenticationFilter:
public class AuthenticationFilter extends UsernamePasswordAuthenticationFilter{ @Override protected boolean requiresAuthentication(HttpServletRequest request,HttpServletResponse response){ return (StringUtils.hasText(obtainUsername(request)) && StringUtils.hasText(obtainPassword(request))); } @Override protected void successfulAuthentication(HttpServletRequest request,HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException{ System.out.println("Successfule authenticaiton"); super.successfulAuthentication(request,response,chain,authResult); chain.doFilter(request,response); } }
AuthenticationSuccessHandler:
public class AuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler{ @PostConstruct public void afterPropertiesSet(){ setRedirectStrategy(new NoRedirectStrategy()); } protected class NoRedirectStrategy implements RedirectStrategy{ @Override public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException { // Checking redirection issues } } }
MyLogoutHandler:
public class MyLogoutHandler implements LogoutHandler { @Override public void logout(HttpServletRequest request,HttpServletResponse response,Authentication authentication){ } }
LoginServiceImpl:
@Transactional @Service("userDetailsService") public class LoginServiceImpl implements UserDetailsService{ @Autowired private PersonDAO personDAO; @Autowired private Assembler assembler; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException,DataAccessException { Person person = personDAO.findPersonByUsername(username.toLowerCase()); if(person == null) { throw new UsernameNotFoundException("Wrong username or password");} return assembler.buildUserFromUserEntity(person); } public LoginServiceImpl() { } }
我尝试使用如下的Curl,但每次都得到302。 我想要的是获取cookie,以及取决于身份validation是否成功的不同状态。
akshay@akshay-desktop:~/Downloads/idea136/bin$ curl -i -X POST -d j_username=email@email.de -d j_password=password -c /home/cookies.txt http://localhost:8080/j_spring_security_check HTTP/1.1 302 Found Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=7F7B5B7056E75C138E550C1B900FAB4B; Path=/; HttpOnly Location: http://localhost:8080/canvas/list Content-Length: 0 Date: Thu, 26 Mar 2015 15:33:21 GMT akshay@akshay-desktop:~/Downloads/idea136/bin$ curl -i -X POST -d j_username=email@email.de -d j_password=password -c /home/cookies.txt http://localhost:8080/j_spring_security_check HTTP/1.1 302 Found Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=BB6ACF38F20FE962924103DF5F419A55; Path=/; HttpOnly Location: http://localhost:8080/canvas/list Content-Length: 0 Date: Thu, 26 Mar 2015 15:34:02 GMT
如果还有其他需要,请告诉我。 非常感谢。
获得302并保存cookie后尝试此Curl命令
curl -i –header“Accept:application / json”-X GET -b /home/cookies.txt http:// localhost:8080 /
希望这可以帮助
您可以使用基于表单的登录来使用浏览器登录,使用http基本身份validation来登录REST端点。 对于xml配置,分别是和。
Spring文档也一样
@我们是博格? 您是否收到REST URL的http 401挑战? 在浏览器上尝试url并validation是否看到弹出窗口要求您输入登录ID和密码?
如果您正在使用Java客户端进行测试,则可以在客户端代码中设置基本auth标头,如下所示。
CredentialsProvider provider = new BasicCredentialsProvider(); UsernamePasswordCredentials credentials = new UsernamePasswordCredentials("user1", "user1Pass"); provider.setCredentials(AuthScope.ANY, credentials); HttpClient client = HttpClientBuilder.create().setDefaultCredentialsProvider(provider).build(); HttpResponse response = client.execute(new HttpGet(URL_SECURED_BY_BASIC_AUTHENTICATION)); int statusCode = response.getStatusLine().getStatusCode(); assertThat(statusCode, equalTo(HttpStatus.SC_OK));