休息调用过期会话：HTTP 401响应导致浏览器显示登录窗口 [英] Rest call on expired session: HTTP 401 response causes browser to display login window

问题描述

我编写了一个HTML 5应用程序，它使用AngularJS并与在Tomcat上运行的Java REST后端接口。
我使用Spring Security来处理登录和安全性。

I have written a HTML 5 application that uses AngularJS and interfaces with a Java REST backend running on Tomcat. I use Spring Security to handle login and security.

当用户进入网站时，他被转发到一个登录页面，该页面创建一个会话并重定向到索引页面。 REST调用从服务器加载更多数据，然后使用该会话进行身份验证。
如果没有会话，我将回退到基于HTTP的基本身份验证，这样就可以从Web应用程序中单独调用REST端点。

When the user enters the website he is forwarded to a login page which creates a session and redirects to the index page. The REST calls that loads further data from the server then uses that session to authenticate. If there is no session in place, I fallback to basic authentication over HTTP, such that it is possible to invoke the REST endpoints separately from the web application.

我现在遇到的问题是会话何时到期。这会导致服务器的 HTTP 401 Unauthenticated 响应。我以为我可以捕获该错误并使用Javascript将用户重定向回登录页面。然而，在我的错误处理程序被调用之前，浏览器首先显示一个登录窗口，只有当我单击取消时我的Javascript错误处理程序才能处理响应。

The problem I have now is when the session expires. This causes a HTTP 401 Unauthenticated response from the server. I thought I can catch that error and redirect the user back to the login page with Javascript. However before my error handler is called, the browser first shows a login window, only if I click cancel my Javascript error handler can handle the response.

我的问题是，是有办法阻止浏览器显示此登录窗口吗？或者这是我的应用程序设计的一般问题？

My question is, is there a way to prevent the browser from showing this login window? Or is this a general problem with my application design?

替代方案可能根本不是使用会话而是在应用程序中缓存用户名和密码。然后我需要使用基本身份验证向每个REST调用发送它，这是一个更好的方法吗？

The alternative might be not to use a session at all and to cache username and password in the application. Then I need to send it with every REST call using basic authentication, would that be a better approach?

以下是来自服务器的HTTP响应：

The following is the HTTP response from the server:

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm="Spring Security Application"
Content-Type: text/html;charset=utf-8
Content-Length: 999
Date: Mon, 30 Sep 2013 11:00:34 GMT

更新：看来这个原因是 WWW-验证标题，这会导致浏览器显示登录对话框。

Update: It appears that the reason for this is the WWW-Authenticate header, which causes the browser to display the login dialog.

推荐答案

我终于找到了解决方案为了这。正如我在更新中提到的，原因是，响应包含 WWW-Authenticate 标头字段。我的解决方案是更改spring security的配置以返回不同的标头：

I finally found the solution for this. As I mentioned in my update the reason is, that the response contains the WWW-Authenticate header field. My solution was then to change the configuration of spring security to return a different header:

WWW-Authenticate: FormBased

要做到这一点，我必须实现 AuthenticaitonEntryPoint 界面并手动在响应中设置标题和状态代码：

To do this I had to implement the AuthenticaitonEntryPoint interface and manually set the header and status code in the response:

@Component( "restAuthenticationEntryPoint" )
public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {

    @Override
    public void commence( HttpServletRequest request, HttpServletResponse response,
                          AuthenticationException authException ) throws IOException {
        response.setHeader("WWW-Authenticate", "FormBased");
        response.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
    }
}

然后我更改了spring-security的配置并设置了 entry-point-ref 指向新类：

then I changed the configuration of spring-security and set the entry-point-ref to point to the new class:

<http pattern="/rest/**" create-session="never" entry-point-ref="restAuthenticationEntryPoint">
    <intercept-url pattern="/rest/**" access="ROLE_USER" />
    <http-basic />
    <session-management />
</http>

这篇关于休息调用过期会话：HTTP 401响应导致浏览器显示登录窗口的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！