restTemplatebuider訪問問題

Question

我使用彈簧引導和彈簧安全。

在我的休息控制器，我有一個方法

@Configuration 
@EnableGlobalMethodSecurity(prePostEnabled=true) 
@EnableWebSecurity 
public class ApplicationSecurity extends WebSecurityConfigurerAdapter { 

    @Autowired 
    private RESTAuthenticationEntryPoint authenticationEntryPoint; 

    @Autowired 
    private RESTAuthenticationFailureHandler authenticationFailureHandler; 

    @Autowired 
    private RESTAuthenticationSuccessHandler authenticationSuccessHandler; 

    @Autowired 
    private UserDetailsService userDetailsService; 

    @Bean 
    public PasswordEncoder encoder() { 
     return new BCryptPasswordEncoder(); 
    } 

    @Override 
    protected void configure(AuthenticationManagerBuilder auth) throws Exception { 
     auth.userDetailsService(userDetailsService).passwordEncoder(encoder()); 
    } 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 

     http.authorizeRequests() 
       .antMatchers("/login").permitAll() 
       .antMatchers("/rest/**").authenticated(); 

     http.csrf().disable(); 
     http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint); 

     http.formLogin().successHandler(authenticationSuccessHandler); 
     http.formLogin().failureHandler(authenticationFailureHandler); 
     http.logout().logoutUrl("/logout"); 
     http.logout().logoutSuccessUrl("/"); 

     // CSRF tokens handling 
     //http.addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class); 
    } 

} 

@RequestMapping(value = "/rest") 
@RestController 
public class MemberController { 

    @GetMapping(value = "/members/card") 
    public boolean hasCardIdValid(@RequestBody String cardId) { 
     return memberService.hasCardIdValid(cardId); 
    } 
} 

在另一個春天啓動應用程序，我打電話hasCreditCard方法

@Autowired 
    public GlobalScan(RestTemplateBuilder restTemplateBuilder, @Value("${main.server.url}") String mainServerUrl, @Value("${commerce.username}") String commerceUsername, @Value("${commerce.password}")String commercePassword) { 
     this.restTemplate = restTemplateBuilder.basicAuthorization(commerceUsername, commercePassword).rootUri(mainServerUrl).build(); 
    } 

I do a call with this code 

Map<String, String> vars = new HashMap<String, String>(); 
vars.put("cardId", cardId); 

boolean accessAllowed = restTemplate.getForObject("/rest/members/card/" , Boolean.class, vars); 

我得到這個消息

2016-11-02 16:20:50.601 DEBUG 7139 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/rest/members/card/'; against '/login' 
2016-11-02 16:20:50.601 DEBUG 7139 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/rest/members/card/'; against '/rest/**' 
2016-11-02 16:20:50.601 DEBUG 7139 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /rest/members/card/; Attributes: [authenticated] 
2016-11-02 16:20:50.601 DEBUG 7139 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS 
2016-11-02 16:20:50.602 DEBUG 7139 --- [nio-8080-exec-1] o.s.s.access.vote.AffirmativeBased  : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3d300693, returned: -1 
2016-11-02 16:20:50.602 TRACE 7139 --- [nio-8080-exec-1] ationConfigEmbeddedWebApplicationContext : Publishing event in org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@2bdd8394: org.springframework.security.access.event.AuthorizationFailureEvent[source=FilterInvocation: URL: /rest/members/card/] 
2016-11-02 16:20:50.606 DEBUG 7139 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter  : Access is denied (user is anonymous); redirecting to authentication entry point 

org.springframework.security.access.AccessDeniedException: Access is denied 
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-4.1.1.RELEASE.jar:4.1.1.RELEASE] 

在我的主應用程序中，我使用表單登錄來連接到應用程序，就像您在春季安全中看到的一樣配置。

從我的其他應用程序如何調用無窗體登錄ws？

試着撥打WS與此

final RequestConfig config = RequestConfig.custom().setConnectTimeout(timeout * 1000).setConnectionRequestTimeout(timeout * 1000).setSocketTimeout(timeout * 1000).build(); 

final BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider(); 
credentialsProvider.setCredentials(new AuthScope("http://localhost", 8080, AuthScope.ANY_REALM), new UsernamePasswordCredentials("bob", "smith")); 
final CloseableHttpClient client = HttpClientBuilder.create().setDefaultRequestConfig(config).setDefaultCredentialsProvider(credentialsProvider).build(); 

final ClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(client); 
RestTemplate restTemplate = new RestTemplate(requestFactory); 

ResponseEntity<MemberDto> member = restTemplate.getForEntity("http://localhost:8080/rest/members/1", MemberDto.class); 

結果：http://pastebin.com/psNKPUtM

Answer 1

春季安全的默認密碼是由以下屬性配置：security.user.password=YOUR_PASSWORD 這應該在你有你的主應用程序來完成安全配置以及您正在嘗試呼叫的內容。

You can change the password by providing a security.user.password. This and other useful properties are externalized via SecurityProperties (properties prefix "security").

所以，如果你沒有更新的財產，以匹配commerce.password春天密碼會拒絕你的授權，你會得到401默認情況下，它使用它打印到控制檯一些隨機生成的密碼開始時。 documentation

Answer 2

您正在配置formLogin()，但您嘗試在RestTemplate中使用http Basic Auth。 對於通過HTTP REST的請求，我建議您更改配置爲使用基本身份驗證：

@Override 
protected void configure(HttpSecurity http) throws Exception { 

    http.authorizeRequests() 
      .antMatchers("/login").permitAll() 
      .antMatchers("/rest/**").authenticated(); 

    http.csrf().disable(); 
    http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint); 

    http.httpBasic(); 
    http.logout().logoutUrl("/logout"); 
    http.logout().logoutSuccessUrl("/"); 

    // CSRF tokens handling 
    //http.addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class); 
} 

如果你需要同時我認爲你可以配置。

Answer 3

1. 添加基本身份驗證，以現有配置

   @Override 
   protected void configure(HttpSecurity http) throws Exception { 
       http 
        .... 
       .and() 
       .formLogin() // <------ Keep this 
        .... 
       .and() 
       .httpBasic() // <------ Add BASIC Auth 
       .and() 
        .....; 
   } 
   

2. 使用RestTemplate

   public static void main(String[] args) { 
       RestTemplate rest = new RestTemplate(new ArrayList(Arrays.asList(new MappingJackson2HttpMessageConverter()))); 
       HttpHeaders headers = new HttpHeaders(); 
       headers.set("Authorization", "Basic YOUR_BASE64_ENCODED_CREDENTIALS"); 
       MediaType applicationJson = new MediaType("application","json"); 
       headers.setContentType(applicationJson); 
       headers.setAccept(Collections.singletonList(applicationJson)); 
       ResponseEntity<YourResponseObject> resp = rest.exchange("http://URL/rest/yourendpoint", HttpMethod.GET, new HttpEntity<String>("parameters", headers), YourResponseObject.class); 
   
       System.out.println(resp.getBody()); 
   

   }

YOUR_BASE64_ENCODED_CREDENTIALS =>如果使用U編寫一個簡單的客戶端在Java 8中，您可以使用java.util.Base64，否則使用commons-codec來完成該操作或其他操作。

更新： 春天開機參考：http://docs.spring.io/spring-security/site/docs/current/reference/html/jc.html#jc-httpsecurity