1. 首頁
  2. 問答
  3. 春季啓動安全將不尊重角色與自定義AuthenticationProvider

春季啓動安全將不尊重角色與自定義AuthenticationProvider

2017-09-20 54 views
1

我正在創建我自己的自定義身份驗證提供程序。現在,我只是檢查一個靜態的用戶名和密碼,但後來這將被更高級的東西取代,所以雖然我不需要使用自定義提供程序在這種情況下,這將不會幫助我很多,因爲它只是地面工作我還沒有添加額外的代碼。春季啓動安全將不尊重角色與自定義AuthenticationProvider

這就是說這是我的代碼處於破碎狀態。

我的自定義身份驗證提供者:

import org.slf4j.Logger; 
import org.slf4j.LoggerFactory; 
import org.springframework.security.authentication.AuthenticationProvider; 
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; 
import org.springframework.security.core.Authentication; 
import org.springframework.security.core.AuthenticationException; 
import org.springframework.security.core.GrantedAuthority; 
import org.springframework.security.core.authority.SimpleGrantedAuthority; 
import org.springframework.stereotype.Component; 

import java.util.ArrayList; 
import java.util.List; 

@Component 
public class SatAuthenticationProvider implements AuthenticationProvider { 

    private static final Logger LOGGER = LoggerFactory.getLogger(SatAuthenticationProvider.class); 

    public SatAuthenticationProvider() { 
    LOGGER.info("*** CustomAuthenticationProvider created"); 
    } 

    @Override 
    public boolean supports(Class<? extends Object> authentication) { 
    return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication)); 
    } 

    @Override 
    public Authentication authenticate(Authentication authentication) throws AuthenticationException { 

    LOGGER.info("*** Creating authentication"); 
    if (authentication.getName().equals("test") && authentication.getCredentials().equals("test")) { 
     List<GrantedAuthority> grantedAuths = new ArrayList<>(); 
     grantedAuths.add(new SimpleGrantedAuthority("USER")); 
     grantedAuths.add(new SimpleGrantedAuthority("ADMIN")); 
     return new UsernamePasswordAuthenticationToken(authentication.getName(), authentication.getCredentials(), grantedAuths); 
    } else { 
     return null; 
    } 

    } 
}

這裏是我的安全配置,消耗是:

import com.comcast.iot.das.auth.SatAuthenticationProvider; 
import org.slf4j.Logger; 
import org.slf4j.LoggerFactory; 
import org.springframework.beans.factory.annotation.Autowired; 
import org.springframework.context.annotation.Configuration; 
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; 
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; 
import org.springframework.security.config.annotation.web.builders.HttpSecurity; 
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; 
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; 

@Configuration 
@EnableWebSecurity 
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true) 
public class DeviceSecurityConfig extends WebSecurityConfigurerAdapter { 

    private static final Logger LOGGER = LoggerFactory.getLogger(SatAuthenticationProvider.class); 

    @Autowired 
    private SatAuthenticationProvider satAuthenticationProvider; 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 
    LOGGER.info("*** configuring http"); 
    http.authorizeRequests().anyRequest() 
     .hasRole("USER") 
     .and() 
     .httpBasic(); 
    } 

    @Autowired 
    public void configure(AuthenticationManagerBuilder auth) throws Exception { 
    LOGGER.info("*** Setting builder"); 
    auth.authenticationProvider(this.satAuthenticationProvider); 
    } 
}

現在,當我跑,如果我使用curl打沒有用戶名和密碼的端點指定我得到以下內容:

% curl http://localhost:8080/molecule 
{ 
    "timestamp" : 1505925047977, 
    "status" : 401, 
    "error" : "Unauthorized", 
    "message" : "Full authentication is required to access this resource", 
    "path" : "/molecule" 
}

如果我指定了正確的用戶名並傳遞一句話讓我得到如下:

% curl -u test:test http://localhost:8080/molecule 
{ 
    "timestamp" : 1505925033015, 
    "status" : 403, 
    "error" : "Forbidden", 
    "message" : "Access is denied", 
    "path" : "/molecule" 
}

最後,如果我指定了錯誤的用戶名和密碼,我得到如下:

% curl -u test:test2 http://localhost:8080/molecule 
{ 
    "timestamp" : 1505925199406, 
    "status" : 401, 
    "error" : "Unauthorized", 
    "message" : "No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken", 
    "path" : "/molecule" 
}

最後一點,雖然我不能讓角色直接工作,我可以得到它測試用戶是否已經通過身份驗證並使用它來授予權限。這不是一個可行的解決方案,因爲我需要角色,但它可能會給任何人試圖回答這個問題的一些提示。

@Override 
    protected void configure(HttpSecurity http) throws Exception { 
    LOGGER.info("*** configuring http"); 
    http.authorizeRequests().anyRequest() 
     .authenticated() 
     .and() 
     .httpBasic(); 
    }

隨着代碼預期我捲曲的要求似乎確實至少工作(雖然沒有辦法添加角色的這個新版本:

所以如下我可以改變DeviceSecurityConfig類的配置方法當然):.這裏是我剛剛提到的代碼編輯的捲曲結果。

沒有用戶名和密碼:

% curl http://localhost:8080/molecule 
{ 
    "timestamp" : 1505925444957, 
    "status" : 401, 
    "error" : "Unauthorized", 
    "message" : "Full authentication is required to access this resource", 
    "path" : "/molecule" 
}

密碼不正確:

% curl -u test:test2 http://localhost:8080/molecule 
{ 
    "timestamp" : 1505925456018, 
    "status" : 401, 
    "error" : "Unauthorized", 
    "message" : "No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken", 
    "path" : "/molecule" 
}

正確的用戶名和密碼使用下面的命令現在返回充分反應形成的終點,我通常會期望(省略)。

% curl -u test:test http://localhost:8080/molecule

來源

2017-09-20 Jeffrey Phillips Freeman

回答

2

作用當局應與ROLE_前綴:

grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER")); 
grantedAuths.add(new SimpleGrantedAuthority("ROLE_ADMIN"));

來源

2017-09-20 18:56:03 holmis83

相關問題

 相關問題