保护使用Spring Security的REST端点 [英] Securing REST endpoint using spring security

问题描述

我试图提供安全的REST端点。我下面从此页面。在我来说，我没有看法所以我没有创建控制器指定的意见，在我AppConfig.java还没有添加的ViewResolver

I am trying to provide security to the REST endpoints. I am following instructions from this page. In my case I don't have view hence I haven't created controller to specify the views and haven't added viewResolver in my AppConfig.java

实施后，它正确地显示在调用一个安全的REST端点拒绝错误的机会。但是，即使我在请求头中指定的用户名/密码，我得到拒绝访问错误。我在邮递员测试中基本验证设置用户名/密码。我错过任何想法？

After implementation it correctly shows the access denied error upon calling a secured REST endpoint. But even though I specify username/password in the request header I get the access denied error. I am testing in postman setting username/password in Basic Auth. What am I missing any idea?

推荐答案

您已经按照这个例子是实施基于表单的认证。为了将其更改为 HTTP AUTH （这是更适合REST服务），你需要寻找在security.xml文件以下形式登录标签：

The example you have followed is implementing a form-based authentication. In order to change it to http auth (which is more suitable for REST services) you need to look for the following form-login tag in your security.xml:

<form-login 
        login-page="/login" 
        default-target-url="/welcome" 
        authentication-failure-url="/login?error" 
        username-parameter="username"
        password-parameter="password" />

和只是将其更改为空 HTTP的基本标签：

And just change it to an empty http-basic tag:

<http-basic />

如果你没有别的改变什么，那么它应该很好地工作。您还可以测试您的浏览器你的设置，通过尝试访问您的网页。如果配置正确的一切你会得到这个时候弹出，而不是一种形式。这将是HTTP的基本身份验证您的光临。

If you did not change anything else, then it supposed to work perfectly. You can also test your setup from your browser, by trying to access your page. If you configured everything properly you will get a popup this time, not a form. That will be HTTP-basic authentication welcoming you.

因为有可能你使用的是基于Java的配置，这一变化相当于将取代：

Since likely you are using the Java-based configuration, the equivalent of this change would be to replace:

  http.authorizeRequests()
    .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
    .antMatchers("/dba/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')")
    .and().formLogin();

与

  http.authorizeRequests()
    .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
    .antMatchers("/dba/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')")
    .and().httpBasic();

这篇关于保护使用Spring Security的REST端点的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！