为Angular 2配置Spring安全性 [英] Configure Spring security for Angular 2

问题描述

我正在构建一个Angular 2 Web客户端，该客户端尝试使用SpringBoot Security对服务器进行POST.我应该如何编写我的Spring安全配置?

I'm building a Angular 2 web client that tries to do a POST to a server using SpringBoot Security. How should I write my Spring security configuration?

我的Angular身份验证电话:

My Angular call for authentication:

public login(username, password) {
  let body = JSON.stringify({username: username, password: password});
  let headers = new Headers({'Content-Type': 'application/json'});
  let options = new RequestOptions({headers: headers});
  this.http.post("http://localhost:8080/login", body, options)
    .subscribe(
      res => this.loggedIn = true,
      err => console.error("failed authentication: " + err),
      () => console.log("tried authentication")
    );
}

身份验证失败，并显示以下错误:

The authentication fails with the error:

{时间戳":1487007177889，状态":401，错误":未经授权"，消息":身份验证失败:空用户名"，路径":"/登录"}

{"timestamp":1487007177889,"status":401,"error":"Unauthorized","message":"Authentication Failed: Empty Username","path":"/login"}

我的spring安全配置:

My spring security configuration:

@Configuration
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {    
    @Autowired
    private RestAuthenticationEntryPoint restAuthenticationEntryPoint;
    @Autowired
    private RestAuthenticationSuccessHandler restAuthenticationSuccessHandler;
    @Autowired
    private RestAuthenticationFailureHandler restAuthenticationFailureHandler;
    @Autowired
    private RestLogoutSuccessHandler restLogoutSuccessHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .exceptionHandling()
                .authenticationEntryPoint(restAuthenticationEntryPoint)

                .and().formLogin()
                .loginProcessingUrl("/login")
                .usernameParameter("username")
                .passwordParameter("password")
                .successHandler(restAuthenticationSuccessHandler)
                .failureHandler(restAuthenticationFailureHandler)
                .permitAll()

                .and().logout()
                .logoutUrl("/logout")
                .logoutSuccessHandler(restLogoutSuccessHandler)
                .permitAll()

                .and().authorizeRequests().anyRequest().authenticated()
        ;
    }

    @Override
    public void configure(AuthenticationManagerBuilder builder) throws Exception {
        // This configuration has been tested, it works.
        // It has been removed for better readability
    }

    @Bean
    public LdapContextSource contextSource() {
        // This configuration has been tested, it works.
        // It has been removed for better readability
    }
}

推荐答案

您应该将 application/x-www-form-urlencoded 参数用于表单登录，而不是JSON.这就是错误提示用户名丢失的原因，因为Spring Security试图从HttpServletRequest#getParameters获取用户名.要在Angular中发送表单参数，您可以

You're supposed to use application/x-www-form-urlencoded parameters for form login, not JSON. That's why the error is saying that the username is missing, because Spring Security it trying to get it from the HttpServletRequest#getParameters. To send form parameters in Angular, you can do

import { URLSearchParams } from '@angular/http';

let params = new URLSearchParams();
params.set('username', username);
params.set('password', password);

如果将其设置为Http请求的主体参数，则应该(据我所记得)会自动序列化为正确的格式，即

If you set it as the body parameter of the Http request, it should (from what I remember) automatically be serialized to the correct format, i.e.

username=xxx&password=xxx

我认为您也不需要将标头 Content-Type 设置为 applicatio/x-www-form-urlencoded .我认为当Angular将 URLSearchParams 作为正文检测时，也应该为您设置该值.

And I don't think you need to set the header Content-Type to applicatio/x-www-form-urlencoded either. I think that should also be set for you when Angular detects URLSearchParams as the body.

这篇关于为Angular 2配置Spring安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！