如何使用 cURL 登录 Spring Security 登录表单? [英] How to login to a spring security login form using cURL?
问题描述
我正在开发一个 springMVC 项目,其中用户身份验证基于 spring 安全性.
I am working on a springMVC project in which the user authentication is based on spring security.
这个想法是有一个移动 (android) 应用程序能够向后端发送某种数据.
the idea is to have a mobile (android) application to be able to send some sort of data to backend.
因此,在接触 android 开发之前,我决定使用 cURL 模拟登录表单的情况.
So before get my hand dirty into android developing I decided to mock the situation of login form using cURL.
我们网站的登录表单如下:
the login form in our site is as following :
http://localhost:8080/app/user/login
我使用以下命令:
curl -F 'username=admin&password=admin' http://localhost:8080/app/user/login
但是我会得到登录页面,换句话说我无法根据模拟情况通过用户身份验证.
but yet I will get login page in other words I am not able to pass user authentication based on a mock up situation.
请注意:对于每个请求,spring secure 都会创建一个类似于以下内容的随机令牌:
just to note : for every request the spring secure will create a randomize token something similar to :
8863F732ADDE24CD167F4EF502A4333D
8863F732ADDE24CD167F4EF502A4333D
我应该如何使用模拟情况(cURL
或 HTTPClient
)传递基于 spring 安全性的登录表单
how should I pass login form based on spring security using mock situation (either cURL
or HTTPClient
)
推荐答案
像这样使用 cURL
:
curl -d j_username=admin -d j_password=admin -L http://localhost:8080/app/j_spring_security_check
CSRF
如果你得到类似未找到预期CSRF令牌的信息.您的会话是否已过期?
这意味着启用了 CSRF 令牌保护.要使用 cURL 对其进行测试,您需要一个 cookie 和一个 CSRF 令牌本身.
CSRF
If you get something like Expected CSRF token not found. Has your session expired?
that means that CSRF token protection is enabled. To test it with cURL you need a cookie and a CSRF token itself.
以下命令会将所有 cookie 写入名为 cookie
的文件并打印出 CSRF 令牌.Spring Security 默认令牌参数名称是 _csrf
,如果你改变了它,那么你也需要改变 grep csrf
.
The following command will write all cookies to a file named cookie
and print out the CSRF token. Spring Security default token parameter name is _csrf
, if you've changed it then you need to change grep csrf
also.
curl --cookie-jar cookie -L http://localhost:8080/app/j_spring_security_check | grep csrf
然后您可以执行下一个命令,该命令将从文件中传递所有 cookie.不要忘记将 |your_token_value|
替换为由上一个命令打印的实际值(如果更改了 _csrf
参数名称).>
Then you can execute next command which will pass all cookies from file. Don't forget to replace |your_token_value|
with an actual value which is printed out by the previous command (and _csrf
parameter name if you've changed it).
curl --cookie cookie -d "j_username=admin&j_password=admin&_csrf=|your_token_value|" -L http://localhost:8080/app/j_spring_security_check
从 Spring Security 3.x 到 4.x
请注意,在 Spring Security 4.x 中 login-processing-url
的默认值从 /j_spring_security_check
更改为 POST /login
,默认username-parameter
的值从 j_username
更改为 username
并且 password-parameter
的默认值从 更改j_password
到 password
.如果应用程序明确提供了这些属性,则迁移不需要任何操作.
From Spring Security 3.x to 4.x
Note that in Spring Security 4.x default value for login-processing-url
changed from /j_spring_security_check
to POST /login
, default value for username-parameter
changed from j_username
to username
and default value for password-parameter
changed from j_password
to password
. If an application explicitly provides these attributes, no action is required for the migration.
这篇关于如何使用 cURL 登录 Spring Security 登录表单?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!