首页 > 解决方案 > Spring Security 登录操作未设置 cookie

问题描述

我有一个 spring boot 项目,我在该项目上设置了 spring security 来处理身份验证,如下所示(不同的类位于不同的文件上)。

@Configuration
@EnableWebSecurity
class SecurityConfiguration(
        private val userAuthenticationService: UserAuthenticationService)
    : WebSecurityConfigurerAdapter(){

    @Throws(Exception::class)
    override fun configure(httpSecurity: HttpSecurity) {
        httpSecurity
                .cors()
                .and()
                .csrf().disable()
                .authorizeRequests()
                //.antMatchers("/#/login").permitAll()
                .antMatchers(HttpMethod.POST,Constants.USERS_BASE_PATH).permitAll()
                .anyRequest().authenticated()
                .and()
                .httpBasic()
                .and()
                .formLogin()
                //.loginPage("/#/login")
                .loginProcessingUrl("/v0/login")
                .permitAll()
                .and()
                .logout()
                .logoutUrl("/v0/logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .permitAll();

    }

    override fun configure(auth: AuthenticationManagerBuilder?) {
        auth?.userDetailsService(userAuthenticationService)
    }

    @Bean
    fun getPasswordEncoder(): PasswordEncoder? {
        return BCryptPasswordEncoder()
    }

}


@Service
class UserAuthenticationService(private val userRepository: UserRepository) : UserDetailsService{
    override fun loadUserByUsername(username: String?): UserDetails {
        val user = userRepository.findByUsername(username!!)
        return UserAuthenticationDetails(user.username, user.password)
    }

}

问题是当我执行登录操作(如下)时,它返回一个 HTML 表单以执行登录,状态码为 200,并且响应不包含“Set-Cookie”标头,该标头将包含以下请求的 cookie。

POST /v0/login HTTP/1.1
Host: localhost:8080
Authorization: Basic dXNlciAxOjEyMzQ1
Content-Type: application/x-www-form-urlencoded

username=user%201&password=12345

这是 HTML 响应消息:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <meta name="description" content="">
    <meta name="author" content="">
    <title>Please sign in</title>
    <link href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-/Y6pD6FV/Vv2HJnA6t+vslU6fwYXjCFtcEpHbNJ0lyAFsXTsjBbfaDjzALeQsN6M" crossorigin="anonymous">
    <link href="https://getbootstrap.com/docs/4.0/examples/signin/signin.css" rel="stylesheet" crossorigin="anonymous"/>
  </head>
  <body>
     <div class="container">
      <form class="form-signin" method="post" action="/v0/login">
        <h2 class="form-signin-heading">Please sign in</h2>
<div class="alert alert-danger" role="alert">Result must not be null!</div>        <p>
          <label for="username" class="sr-only">Username</label>
          <input type="text" id="username" name="username" class="form-control" placeholder="Username" required autofocus>
        </p>
        <p>
          <label for="password" class="sr-only">Password</label>
          <input type="password" id="password" name="password" class="form-control" placeholder="Password" required>
        </p>
        <button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
      </form>
</div>
</body></html>

我已经尝试了弹簧安全配置的几种变体,但我肯定遗漏了一些东西。如果我尝试任何其他端点并仅发送带有基本身份验证的授权标头,则返回带有正确 cookie 的“Set-Cookie”标头的方法。但由于某种原因,这不会发生在登录端点上。我只是让登录 HTTP 请求出错了吗?还是我有错误的配置?

标签: springspring-bootkotlinspring-security

解决方案


推荐阅读