spring - Spring Security 登录操作未设置 cookie
问题描述
我有一个 spring boot 项目,我在该项目上设置了 spring security 来处理身份验证,如下所示(不同的类位于不同的文件上)。
@Configuration
@EnableWebSecurity
class SecurityConfiguration(
private val userAuthenticationService: UserAuthenticationService)
: WebSecurityConfigurerAdapter(){
@Throws(Exception::class)
override fun configure(httpSecurity: HttpSecurity) {
httpSecurity
.cors()
.and()
.csrf().disable()
.authorizeRequests()
//.antMatchers("/#/login").permitAll()
.antMatchers(HttpMethod.POST,Constants.USERS_BASE_PATH).permitAll()
.anyRequest().authenticated()
.and()
.httpBasic()
.and()
.formLogin()
//.loginPage("/#/login")
.loginProcessingUrl("/v0/login")
.permitAll()
.and()
.logout()
.logoutUrl("/v0/logout")
.invalidateHttpSession(true)
.deleteCookies("JSESSIONID")
.permitAll();
}
override fun configure(auth: AuthenticationManagerBuilder?) {
auth?.userDetailsService(userAuthenticationService)
}
@Bean
fun getPasswordEncoder(): PasswordEncoder? {
return BCryptPasswordEncoder()
}
}
@Service
class UserAuthenticationService(private val userRepository: UserRepository) : UserDetailsService{
override fun loadUserByUsername(username: String?): UserDetails {
val user = userRepository.findByUsername(username!!)
return UserAuthenticationDetails(user.username, user.password)
}
}
问题是当我执行登录操作(如下)时,它返回一个 HTML 表单以执行登录,状态码为 200,并且响应不包含“Set-Cookie”标头,该标头将包含以下请求的 cookie。
POST /v0/login HTTP/1.1
Host: localhost:8080
Authorization: Basic dXNlciAxOjEyMzQ1
Content-Type: application/x-www-form-urlencoded
username=user%201&password=12345
这是 HTML 响应消息:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>Please sign in</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-/Y6pD6FV/Vv2HJnA6t+vslU6fwYXjCFtcEpHbNJ0lyAFsXTsjBbfaDjzALeQsN6M" crossorigin="anonymous">
<link href="https://getbootstrap.com/docs/4.0/examples/signin/signin.css" rel="stylesheet" crossorigin="anonymous"/>
</head>
<body>
<div class="container">
<form class="form-signin" method="post" action="/v0/login">
<h2 class="form-signin-heading">Please sign in</h2>
<div class="alert alert-danger" role="alert">Result must not be null!</div> <p>
<label for="username" class="sr-only">Username</label>
<input type="text" id="username" name="username" class="form-control" placeholder="Username" required autofocus>
</p>
<p>
<label for="password" class="sr-only">Password</label>
<input type="password" id="password" name="password" class="form-control" placeholder="Password" required>
</p>
<button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
</form>
</div>
</body></html>
我已经尝试了弹簧安全配置的几种变体,但我肯定遗漏了一些东西。如果我尝试任何其他端点并仅发送带有基本身份验证的授权标头,则返回带有正确 cookie 的“Set-Cookie”标头的方法。但由于某种原因,这不会发生在登录端点上。我只是让登录 HTTP 请求出错了吗?还是我有错误的配置?
解决方案
推荐阅读
- azure - 手动更改配置文件后,Ambari 是否恢复配置?
- ios - Google 放置 iOS sdk,按 lat,long 位置获取位置
- angular - Msal Angular Preview Azure AD 同意范围和访问令牌版本错误
- ios - 使用自定义动画呈现嵌入在导航控制器中的视图控制器
- redmine - Redmine、SMTP 和 Mandrill 自定义标题模板
- django - Django 1.11 多对多
- spring - 创建名称为“customerController”的 bean 时出错:通过字段“customerDAO”表示的依赖关系不满足;
- xamarin.forms - Stacklayout 中的 Xamrin Forms RelativeLayout 显示空白屏幕
- javascript - d3 中的条形位置与轴不匹配
- angular - 如何专注于特定的 mat-tab