如何使用CURL登录到spring安全登录表单? [英] How to login to a spring security login form using CURL?
问题描述
我正在开发一个springMVC项目,其中用户身份验证基于spring安全性。
I am working on a springMVC project in which the user authentication is based on spring security.
这个想法是让移动(Android)应用程序
the idea is to have a mobile (android) application to be able to send some sort of data to backend.
所以在把我的手弄脏到android开发之前,我决定使用CURL来模拟登录表单的情况。
So before get my hand dirty into android developing I decided to mock the situation of login form using CURL.
我们网站的登录表单如下:
the login form in our site is as following :
http://localhost:8080/app/user/login
,我使用以下命令:
curl -F 'username=admin&password=admin' http://localhost:8080/app/user/login
但是我会得到登录页面,换句话说,我不能通过基于模拟情况的用户身份验证。
but yet I will get login page in other words I am not able to pass user authentication based on a mock up situation.
只是为了注意:对于每个请求,spring secure会创建一个类似于以下内容的随机化令牌:
just to note : for every request the spring secure will create a randomize token something similar to :
8863F732ADDE24CD167F4EF502A4333D
8863F732ADDE24CD167F4EF502A4333D
我应该如何使用mock情况传递基于spring安全性的登录表单( CURL
或 HTTPClient
)
how should I pass login form based on spring security using mock situation (either CURL
or HTTPClient
)
推荐答案
使用 cURL
,如下所示:
curl -d j_username=admin -d j_password=admin -L http://localhost:8080/app/j_spring_security_check
CSRF
b $ b
如果你得到类似未找到期望的CSRF令牌。您的会话是否过期?
表示启用CSRF令牌保护。要使用cURL测试它,您需要一个cookie和一个CSRF令牌本身。
CSRF
If you get something like Expected CSRF token not found. Has your session expired?
that means that CSRF token protection is enabled. To test it with cURL you need a cookie and a CSRF token itself.
以下命令将所有cookie写入名为 code>并打印出CSRF令牌。 Spring Security默认令牌参数名为
_csrf
,如果您更改了它,那么您还需要更改 grep csrf
。
The following command will write all cookies to a file named cookie
and print out the CSRF token. Spring Security default token parameter name is _csrf
, if you've changed it then you need to change grep csrf
also.
curl --cookie-jar cookie -L http://localhost:8080/app/j_spring_security_check | grep csrf
然后你可以执行下一个命令,不要忘记用上一个命令打印的实际值替换 | your_token_value |
(和 _csrf
Then you can execute next command which will pass all cookies from file. Don't forget to replace |your_token_value|
with an actual value which is printed out by the previous command (and _csrf
parameter name if you've changed it).
curl --cookie cookie -d "j_username=admin&j_password=admin&_csrf=|your_token_value|" -L http://localhost:8080/app/j_spring_security_check
从Spring Security 3.x到4 .x
请注意,在Spring Security 4.x中, login-processing-url
的默认值从<$ 默认值
从用户名参数
的默认值 j_username
更改为用户名
,默认值为 password-parameter
从 j_password
更改为密码
。如果应用程序显式提供这些属性,则不需要对迁移进行任何操作。
From Spring Security 3.x to 4.x
Note that in Spring Security 4.x default value for login-processing-url
changed from /j_spring_security_check
to POST /login
, default value for username-parameter
changed from j_username
to username
and default value for password-parameter
changed from j_password
to password
. If an application explicitly provides these attributes, no action is required for the migration.
这篇关于如何使用CURL登录到spring安全登录表单?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!