Spring Security Digest Auth using JavaConfig Example


Problem description

How do you configure Spring 4.0 and Spring Security (3.2.0) for digest authentication exclusively using javaconfig (no XML)? I am using the below configuration class, however all requests are getting denied with HTTP 401 and "Nonce should have yielded two tokens but was (... message just stops there)".

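    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint;
    import org.springframework.security.web.authentication.www.DigestAuthenticationFilter;

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class SecurityConfigurationDigest extends WebSecurityConfigurerAdapter
    {
        // Single in-memory user; the digest filter looks this user up to recompute the hash.
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
        {
            auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
        }

        // Require authentication on every path and register the digest filter.
        @Override
        protected void configure(HttpSecurity http) throws Exception
        {
            http.authorizeRequests().antMatchers("/**").authenticated().and().addFilter(digestAuthenticationFilter(digestEntryPoint()));
        }

        // Expose the UserDetailsService built by configureGlobal() as a bean.
        @Override
        @Bean
        public UserDetailsService userDetailsServiceBean() throws Exception
        {
            return super.userDetailsServiceBean();
        }

        public DigestAuthenticationFilter digestAuthenticationFilter(DigestAuthenticationEntryPoint digestAuthenticationEntryPoint) throws Exception
        {
            DigestAuthenticationFilter digestAuthenticationFilter = new DigestAuthenticationFilter();
            digestAuthenticationFilter.setAuthenticationEntryPoint(digestAuthenticationEntryPoint);
            digestAuthenticationFilter.setUserDetailsService(userDetailsServiceBean());
            return digestAuthenticationFilter;
        }

        // Entry point that issues the 401 challenge; the key is used when generating nonces.
        @Bean
        public DigestAuthenticationEntryPoint digestEntryPoint()
        {
            DigestAuthenticationEntryPoint digestAuthenticationEntryPoint = new DigestAuthenticationEntryPoint();
            digestAuthenticationEntryPoint.setKey("mykey");
            digestAuthenticationEntryPoint.setRealmName("myrealm");
            return digestAuthenticationEntryPoint;
        }
    }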

I am attempting to authorize on the client side by including the header:

Authorization: Digest username="user", realm="myrealm", nonce="", uri="/service?param=98", response="fcd46faf42a583499d4e7f0371171ef2", opaque=""

I am able to access the intended services if I revert this class to a HttpBasic based configuration. Is the problem with my config or with my request? Most of the above code was borrowed from another post, however I cannot get things working in this context. All of this is running within Spring Boot 0.5.0M7.

Thanks.

Recommended answer

Spring and Patrick both describe a flow where a request is made, if nothing else to get a nonce from the server, the server provides this header

WWW-Authenticate: Digest realm="realm", nonce="IVjZjc3Yg==", qop="auth"

in its 401 response saying "hey who are you" to the client. Using the nonce and other stuff an MD5 hash is created and sent to the server. Server is now happy and processes the request. Look on the bright side, you made it to step 1, and check the links for a better explanation.
