spring-mvc - 当发现不需要的基本身份验证标头时,Spring 安全性不起作用
问题描述
以下问题仅发生在 https 环境中。
Jboss Web 服务器使用基本身份验证进行身份验证。现在,当访问部署在 jboss 上的应用程序时,所有请求都包含基本授权标头。现在使用正确的凭据时,我无法登录。如果我直接使用我的应用程序而不进行 jboss 基本身份验证,那么我可以登录应用程序并且一切正常。如果不需要的基本身份验证,春季安全问题。我尝试禁用基本身份验证但不起作用。
下面是我的代码。安全上下文
package com.adv.admin.context;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import com.adv.admin.util.CustomAuthenticationFailureHandler;
import com.adv.admin.util.CustomAuthenticationProvider;
import com.adv.admin.util.CustomLogoutSuccessHandler;
import com.coa.idm.annotation.SSOProvider;
import com.coa.idm.filter.SSOProviderType;
@Configuration
@EnableWebSecurity
@SSOProvider(providerType = SSOProviderType.NONE)
public class LocalSecurityContext extends WebSecurityConfigurerAdapter{
@Autowired
CustomAuthenticationProvider customAuthenticationProvider;
@Autowired
CustomAuthenticationFailureHandler customAuthenticationFailureHandler;
@Autowired
CustomLogoutSuccessHandler customLogoutSuccessHandler;
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthenticationProvider);
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/login/**","/logout/**","/views/**").permitAll()
.antMatchers("/technical_setup/**","/preferences_config/**","/admin_management/**")
.access("hasRole('SYSADMIN')")
.antMatchers("/home/**","/custom_help/**","/custom_message/**",
"/custom_help_detail/**","/custom_message_detail/**","/admin_property/**")
.access("hasAnyRole('SYSADMIN','ADMIN')")
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/perform_login")
.defaultSuccessUrl("/home", true)
.failureUrl("/login?error=3")
.failureHandler(customAuthenticationFailureHandler)
.and()
.logout()
.logoutUrl("/logout")
.deleteCookies("JSESSIONID")
.logoutSuccessHandler(customLogoutSuccessHandler)
.and()
.sessionManagement()
.sessionAuthenticationErrorUrl("/login/invalid-session");
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/resources/**").and().ignoring().antMatchers("/WebHelp/**");
}
}
身份验证提供者
package com.adv.admin.util;
import java.util.Collection;
import javax.inject.Inject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;
import com.adv.admin.entity.UserMaster;
import com.adv.admin.model.CustomUser;
import com.adv.admin.repository.AdminRepository;
import com.adv.admin.repository.UserMasterRepository;
import com.adv.admin.services.CustomUserService;
@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {
@Autowired
private CustomUserService userService;
@Autowired
private AdminRepository adminRepository;
@Inject
private UserMasterRepository userMasterRepository;
@Override
public Authentication authenticate(Authentication authentication) {
String username = authentication.getName();
String password = (String) authentication.getCredentials();
UserMaster userMaster;
if (userService.getdataSourceDilact() != null
&& userService.getdataSourceDilact().equals(Constants.POSTGRES_SQL_Dialect)) {
userMaster = userMasterRepository.findByUsr(username);
} else {
userMaster = userMasterRepository.findByUsr(rightPad(username));
}
if (ObjectUtils.isNotEmpty(userMaster)) {
if (userMaster.getDsbld().equals(Constants.FLAG_Y)) {
throw new DisabledException(Constants.DISABLED_MESSAGE);
} else {
String encryptedPassword = (password + " ").substring(0, 8);
encryptedPassword = new String(LogonSecurity.encrypt(encryptedPassword.toCharArray()));
if (!encryptedPassword.equals(userMaster.getPswd())) {
throw new BadCredentialsException(Constants.WRONG_CREDENTIALS_MESSAGE);
} else {
CustomUser user = userService.loadUserByUsername(username);
Collection<? extends GrantedAuthority> authorities = user.getAuthorities();
return new UsernamePasswordAuthenticationToken(user, password, authorities);
}
}
} else {
throw new BadCredentialsException(Constants.WRONG_CREDENTIALS_MESSAGE);
}
}
@Override
public boolean supports(Class<?> arg0) {
return true;
}
private String rightPad(String s) {
return String.format("%-8s", s);
}
}
