gpt4 book ai didi

java - Spring 安全 : Not acknowledging cookie set in RestTemplate

转载 作者:行者123 更新时间:2023-12-01 11:20:09 27 4
gpt4 key购买 nike

我正在开发一个连接到 Spring-MVC 服务器的 Java 应用程序,使用 Spring-Security 进行身份验证/授权。登录部分有效,我在 Java 应用程序中得到了一个 JSESSIONID,但是当我向 protected 资源发出请求时,它失败了,Spring-Security 无法找到任何登录的用户。我在这里做错了什么?

安全-applicationContext.xml:

 <security:http pattern="/resources/**" security="none"/>

<security:http create-session="ifRequired" use-expressions="true" auto-config="false" disable-url-rewriting="true">
<security:form-login login-page="/login" login-processing-url="/j_spring_security_check"
default-target-url="/dashboard" always-use-default-target="false"
authentication-failure-url="/denied"/>
<security:remember-me key="_spring_security_remember_me" user-service-ref="userDetailsService"
token-validity-seconds="1209600" data-source-ref="dataSource"/>
<security:logout delete-cookies="JSESSIONID" invalidate-session="true" logout-url="/j_spring_security_logout"/>
<!--<security:intercept-url pattern="/**" requires-channel="https"/>-->
<security:port-mappings>
<security:port-mapping http="8080" https="8443"/>
</security:port-mappings>
<security:logout logout-url="/logout" logout-success-url="/" success-handler-ref="myLogoutHandler"/>


<security:session-management session-fixation-protection="migrateSession">
<security:concurrency-control session-registry-ref="sessionRegistry" max-sessions="5" expired-url="/login"/>
</security:session-management>

</security:http>

<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="restaurantauthenticationprovider"/>
<security:authentication-provider ref="userauthenticationprovider"/>
</security:authentication-manager>

<beans:bean id="encoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="11"/>
</beans:bean>

<beans:bean id="restaurantauthenticationprovider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="LoginServiceImpl"/>
<beans:property name="passwordEncoder" ref="encoder"/>
</beans:bean>

<beans:bean id="userauthenticationprovider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="UserLoginServiceImpl"/>
<beans:property name="passwordEncoder" ref="encoder"/>
</beans:bean>

由于我有 2 个表要检查从中登录,因此我有 2 个 DAOAuthenticationProvider。

UserLoginServiceImpl:

@Transactional
@Service("loginuserDetailsService")
public class UserLoginServiceImpl implements UserDetailsService {


@Autowired
private PersonDAO personDAO;
@Autowired
private UserAssembler userAssembler;

@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException,DataAccessException {
System.out.println("Username is "+username);
Person person = this.personDAO.findPersonByUserName(username.toLowerCase());
if(person == null) { throw new UsernameNotFoundException("Wrong username or password");}
return userAssembler.buildUserFromUserEntity(person);
}
}

汇编器:

@Service("userassembler")
@Transactional
public class UserAssembler {

@Transactional
User buildUserFromUserEntity(Person userEntity){
System.out.println("We are in Userassembler"+userEntity.getEmail());
String username = userEntity.getUsername().toLowerCase();
String password = userEntity.getPassword();

boolean enabled = userEntity.isEnabled();
boolean accountNonExpired = userEntity.isAccountNonExpired();
boolean credentialsNonExpired = userEntity.isCredentialsNonExpired();
boolean accountNonLocked = userEntity.isAccountNonLocked();

Collection<GrantedAuthority> authorities = new ArrayList<>();
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));

return new User(username,password,enabled,accountNonExpired,credentialsNonExpired,accountNonLocked,authorities);
}
}

上面是配置,现在我将放置失败的其余代码:

Thread thread = new Thread(new Runnable() {
@Override
public void run() {
Log.d("Username is ", username);
String jsessionid = rest.execute("http://192.168.178.60:8080/j_spring_security_check", HttpMethod.POST,
new RequestCallback() {
@Override
public void doWithRequest(ClientHttpRequest request) throws IOException {
request.getBody().write(("j_username=" + username + "&j_password=" + password).getBytes());
}
}, new ResponseExtractor<String>() {
@Override
public String extractData(ClientHttpResponse response) throws IOException {
List<String> cookies = response.getHeaders().get("Cookie");
if (cookies == null) {
cookies = response.getHeaders().get("Set-Cookie");
}
String cookie = cookies.get(cookies.size() - 1);
System.out.println("Cookie is " + cookie);
// The method below gets me which user is logged in, and I always get null for Controller method.
reply = rest.getForObject(
"http://192.168.178.60:8080/dashboard", String.class);

int start = cookie.indexOf('=');
int end = cookie.indexOf(';');
return cookie.substring(start + 1, end);
}
});

}
});
thread.start();

更新最后,有效的代码:

//我从服务器获取cookie,我为每个请求手动设置cookie,cookie是一个静态 volatile 字符串。

HttpHeaders requestHeaders = new HttpHeaders();
requestHeaders.add("Cookie", "JSESSIONID=" + StaticRestTemplate.jsessionid);
HttpEntity requestEntity = new HttpEntity(null, requestHeaders);

ResponseEntity rssResponse = rest.exchange(
"http://192.168.178.60:8080/dashboard",
HttpMethod.GET,
requestEntity,
String.class);

String abc = (String) rssResponse.getBody();

最佳答案

Spring 的 RestTemplate 默认情况下不跟踪 cookie。这可以确保您不会意外地从一个用户代表另一用户传递 cookie(即 JSESSIONID)(即考虑在许多用户使用相同 RestTemplate 的服务器上使用 RestTemplate)。

如果您想这样做,您可以使用如下方式进行配置:

RestTemplate rest = new RestTemplate();

// initialize the RequestFactory to allow cookies
HttpClient httpClient = HttpClientBuilder.create().build();
ClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);
rest.setRequestFactory(factory);

MultiValueMap<String, String> map = new LinkedMultiValueMap<String, String>();
map.add("username", "user");
map.add("password", "password");

String result = rest.postForObject("http://localhost:8080/login", map, String.class);

String hello = rest.postForObject("http://localhost:8080/", map, String.class);

assertThat(hello).isEqualTo("Hello");

要使用此代码,您需要确保类路径上有 httpclient。例如,如果您使用 Maven,则 pom.xml 中可能包含以下内容:

<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.5</version>
</dependency>

显然,您需要确保包含适用于您的依赖项的 httpclient 版本。

关于java - Spring 安全 : Not acknowledging cookie set in RestTemplate,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/31343508/

27 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com