Spring Security eating AngularJS POST request

When using a custom login form with Spring Security, the parameters I pass from the UI are not accessible in the HttpServletRequest.

    class StatelessLoginFilter extends AbstractAuthenticationProcessingFilter {

        private final TokenAuthenticationService tokenAuthenticationService;
        private final CustomJDBCDaoImpl userDetailsService;

        protected StatelessLoginFilter(String urlMapping, TokenAuthenticationService tokenAuthenticationService,
                CustomJDBCDaoImpl userDetailsService, AuthenticationManager authManager) {
            super(new AntPathRequestMatcher(urlMapping));
            this.userDetailsService = userDetailsService;
            this.tokenAuthenticationService = tokenAuthenticationService;
            setAuthenticationManager(authManager);
        }

        @Override
        public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
                throws AuthenticationException, IOException, ServletException {
            final UsernamePasswordAuthenticationToken loginToken = new UsernamePasswordAuthenticationToken(
                    request.getAttribute("email").toString(), request.getAttribute("password").toString());
            return getAuthenticationManager().authenticate(loginToken);
        }

        @Override
        protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
                FilterChain chain, Authentication authentication) throws IOException, ServletException {
            final UserDetails authenticatedUser = userDetailsService.loadUserByUsername(authentication.getName());
            final UserAuthentication userAuthentication = new UserAuthentication(authenticatedUser);
            tokenAuthenticationService.addAuthentication(response, userAuthentication);
            SecurityContextHolder.getContext().setAuthentication(userAuthentication);
        }
    }

In the attemptAuthentication method, the request is not getting the attributes I pass from the POST request using the following code:

    var request = $http.post('/verifyUser', {email: 'user', password: 'user', _csrf: $cookies['XSRF-TOKEN']})

I tried tracing it with the debugger console and found that the payload is populated with the elements I forwarded.

    {"email":"user","password":"user","_csrf":"f1d88246-28a0-4e64-a988-def4cafa5004"}

My security configuration is:

    http
        .exceptionHandling().and()
        .anonymous().and()
        .servletApi().and()
        .headers().cacheControl().and()
        .authorizeRequests()
        //allow anonymous resource requests
        .antMatchers("/").permitAll()
        //allow anonymous POSTs to login
        .antMatchers(HttpMethod.POST, "/verifyUser").permitAll()
        .and()
        .formLogin().loginPage("/signin")
        .permitAll()
        .and()
        .addFilterBefore(new StatelessLoginFilter("/verifyUser", new TokenAuthenticationService("456abc"),
                new CustomJDBCDaoImpl(), authenticationManager()), UsernamePasswordAuthenticationFilter.class)
        .addFilterBefore(new StatelessAuthenticationFilter(new TokenAuthenticationService("456abc")),
                UsernamePasswordAuthenticationFilter.class).httpBasic()
        .and().csrf().disable().addFilterBefore(new CSRFFilter(), CsrfFilter.class);

Edit #1

I also tried using getParameter("email") instead of getAttribute("email"), but at that point the entire parameter map is also empty.

Edit #2: Adding the request content

    Remote Address:127.0.0.1:80
    Request URL:http://localhost/api/verifyUser/
    Request Method:POST
    Status Code:502 Bad Gateway

    Response Headers
    Connection:keep-alive
    Content-Length:583
    Content-Type:text/html
    Date:Sun, 11 Oct 2015 17:23:24 GMT
    Server:nginx/1.6.2 (Ubuntu)

    Request Headers
    Accept:application/json, text/plain, */*
    Accept-Encoding:gzip, deflate
    Accept-Language:en-US,en;q=0.8
    Connection:keep-alive
    Content-Length:81
    Content-Type:application/x-www-form-urlencoded
    Cookie:XSRF-TOKEN=f1d88246-28a0-4e64-a988-def4cafa5004
    Host:localhost
    Origin:http://localhost
    Referer:http://localhost/ui/
    User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
    X-XSRF-TOKEN:f1d88246-28a0-4e64-a988-def4cafa5004

    Form Data
    {"email":"user","password":"user"}:

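The email and password data you need are parameters, not attributes. Attributes in the ServletRequest are server-side-only data that you can use within your application to pass data between classes or to JSPs.

Note: you must use the content type application/x-www-form-urlencoded and make sure the request body is encoded in the correct format in order to use getParameter on the server side, e.g. email=user&password=user

By default, Angular encodes an object as JSON.

Transforming Requests and Responses

Angular provides the following default transformations:

Request transformations ($httpProvider.defaults.transformRequest and $http.defaults.transformRequest):

If the data property of the request configuration object contains an object, serialize it into JSON format.

See also: How to post urlencoded form data with $http in AngularJS?

Difference between getAttribute() and getParameter()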
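
The mismatch described in the answer, as an added example that is not part of the original question or answer: it compares the JSON body Angular sends by default with a form-encoded body, using the built-in URLSearchParams as a stand-in for the servlet container's form parsing (an assumption). All function names are hypothetical, the sample credentials are constructed, and the second credential set goes slightly beyond the post to show why values must be percent-encoded.

```javascript
// Constructed sample data: the object from the question, plus a password
// containing characters that are reserved in form encoding.
const credentials = { email: 'user', password: 'user' };
const tricky = { email: 'a@b.c', password: 'p&ss=w rd' };

// What AngularJS puts on the wire by default: the object serialized as JSON.
function jsonBody(data) {
  return JSON.stringify(data);
}

// What getParameter() needs: percent-encoded key=value pairs joined by '&'.
function formBody(data) {
  return new URLSearchParams(data).toString();
}

// Stand-in for server-side form parsing (assumption: the body is split on
// '&' and '=' as application/x-www-form-urlencoded prescribes).
// Returns null for a missing name, like HttpServletRequest.getParameter().
function getParameter(body, name) {
  const params = new URLSearchParams(body);
  return params.has(name) ? params.get(name) : null;
}

// Names the parser finds in a body, comparable to the parameter map's keys.
function parameterNames(body) {
  return [...new URLSearchParams(body).keys()];
}

function demo() {
  const wrong = jsonBody(credentials); // JSON sent with a form content type
  const right = formBody(credentials);
  return {
    // The whole JSON text becomes one parameter name with an empty value,
    // which is what the "Form Data" section of the request dump shows.
    wrongNames: parameterNames(wrong),
    wrongEmail: getParameter(wrong, 'email'),
    rightBody: right,
    rightEmail: getParameter(right, 'email'),
    // Reserved characters survive only because formBody() encodes them.
    trickyBody: formBody(tricky),
    trickyPassword: getParameter(formBody(tricky), 'password'),
  };
}

console.log(demo());
```

In an AngularJS client the string returned by formBody() would be passed as the data argument of $http.post together with a Content-Type header of application/x-www-form-urlencoded.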