java Sping Boot Basic Authentication without Session(无状态会话)

iyr7buue  于 2023-03-21  发布在  Java
关注(0)|答案(3)|浏览(74)

我已经配置了基本身份验证我的Spring-Boot应用程序。一切都是Java Config,没有xml。

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Authenticate username -> admin, password -> admin & set role as "ROLE_USER"
        auth.inMemoryAuthentication().withUser("admin").password("admin").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests()
            .antMatchers("/login").permitAll()
            // All Requests should be Authenticated
            .anyRequest().authenticated()
            .and()
            // Enable Basic Authentication
            .httpBasic()
            .and()
            .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/main", true)
                .loginProcessingUrl("/session")
                .usernameParameter("Username").passwordParameter("Password")
            .and()
            .logout().logoutUrl("/logout").permitAll()
            .and().csrf().disable();
    }

}

它被配置为基本身份验证和正常形式登录。当我在Firefox上测试Rest-Client的基本身份验证时,我可以访问安全URL“/main”。但在响应头中,我得到Set-Cookie: JSESSIONID=301225C7AE7C74B0892887389996785D;
我不希望为基本身份验证生成cookie。我希望为基本身份验证生成真正的Stateless session。请注意,我需要为表单登录生成cookie才能工作,因此禁用cookie不是一个选项。我知道xml配置中的create-session="stateless",但是否有任何方法可以在Java配置中做同样的事情,以便基本身份验证是无状态的,表单身份验证是有状态的..?

mrfwxfqh

mrfwxfqh1#

I know about the create-session="stateless" in xml configuration, but is there any way to do the same in Java config so that Basic Authentication is Stateless and Form-Authentication is Statefull..?

您可以执行以下操作。

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}

对于您的问题,可以使用以下自定义Java Config。

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig {

    @Inject
    UserDetailsService userService;

    @Bean
    public AuthenticationManager authenticationManager() throws Exception {
        AuthenticationManager authenticationManager = new ProviderManager(
                Arrays.asList(authenticationProvider()));
        return authenticationManager;
    }

    @Bean
    public AuthenticationProvider authenticationProvider() throws Exception {
        CustomAuthenticationProvider authenticationProvider = new CustomAuthenticationProvider();
        authenticationProvider.setUserDetailsService(userService);
        authenticationProvider.setSaltSource(saltSource());
        authenticationProvider.setPasswordEncoder(passwordEncoder());
        authenticationProvider.afterPropertiesSet();
        return authenticationProvider;
    }

    @Bean
    public SaltSource saltSource() throws Exception {
        ReflectionSaltSource saltSource = new ReflectionSaltSource();
        saltSource.setUserPropertyToUse("salt");
        saltSource.afterPropertiesSet();
        return saltSource;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new Md5PasswordEncoder();
    }

    @Bean
    public FilterChainProxy springSecurityFilterChain()
            throws ServletException, Exception {
        List<SecurityFilterChain> securityFilterChains = new ArrayList<SecurityFilterChain>();
        securityFilterChains.add(new DefaultSecurityFilterChain(
                new AntPathRequestMatcher("/login**")));
        securityFilterChains.add(new DefaultSecurityFilterChain(
                new AntPathRequestMatcher("/resources/**")));
        securityFilterChains.add(new DefaultSecurityFilterChain(
                new AntPathRequestMatcher("/api/**"),
                securityContextPersistenceFilterASCFalse(),
                basicAuthenticationFilter(), exceptionTranslationFilter(),
                filterSecurityInterceptor()));
        securityFilterChains.add(new DefaultSecurityFilterChain(
                new AntPathRequestMatcher("/**"),
                securityContextPersistenceFilterASCTrue(), logoutFilter(),
                usernamePasswordAuthenticationFilter(),
                exceptionTranslationFilter(), filterSecurityInterceptor()));
        return new FilterChainProxy(securityFilterChains);
    }

    @Bean
    public SecurityContextPersistenceFilter securityContextPersistenceFilterASCTrue() {
        return new SecurityContextPersistenceFilter(
                new HttpSessionSecurityContextRepository());
    }

    @Bean
    public SecurityContextPersistenceFilter securityContextPersistenceFilterASCFalse() {
        HttpSessionSecurityContextRepository httpSessionSecurityContextRepository = new HttpSessionSecurityContextRepository();
        httpSessionSecurityContextRepository.setAllowSessionCreation(false);
        return new SecurityContextPersistenceFilter(
                httpSessionSecurityContextRepository);
    }

    @Bean
    public ExceptionTranslationFilter exceptionTranslationFilter() {
        ExceptionTranslationFilter exceptionTranslationFilter = new ExceptionTranslationFilter(
                new LoginUrlAuthenticationEntryPoint("/login"));
        AccessDeniedHandlerImpl accessDeniedHandlerImpl = new AccessDeniedHandlerImpl();
        accessDeniedHandlerImpl.setErrorPage("/exception");
        exceptionTranslationFilter
                .setAccessDeniedHandler(accessDeniedHandlerImpl);
        exceptionTranslationFilter.afterPropertiesSet();
        return exceptionTranslationFilter;
    }

    @Bean
    public UsernamePasswordAuthenticationFilter usernamePasswordAuthenticationFilter()
            throws Exception {
        UsernamePasswordAuthenticationFilter usernamePasswordAuthenticationFilter = new UsernamePasswordAuthenticationFilter();
        usernamePasswordAuthenticationFilter
                .setAuthenticationManager(authenticationManager());
        usernamePasswordAuthenticationFilter.setAllowSessionCreation(true);
        SimpleUrlAuthenticationSuccessHandler successHandler = new SimpleUrlAuthenticationSuccessHandler(
                "/index");
        successHandler.setAlwaysUseDefaultTargetUrl(true);
        usernamePasswordAuthenticationFilter
                .setAuthenticationSuccessHandler(successHandler);
        usernamePasswordAuthenticationFilter
                .setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler(
                        "/login?error=true"));
        usernamePasswordAuthenticationFilter
                .setAuthenticationDetailsSource(new CustomWebAuthenticationDetailsSource());
        usernamePasswordAuthenticationFilter.afterPropertiesSet();

        return usernamePasswordAuthenticationFilter;

    }

    @Bean
    public FilterSecurityInterceptor filterSecurityInterceptor()
            throws Exception {
        FilterSecurityInterceptor filterSecurityInterceptor = new FilterSecurityInterceptor();
        filterSecurityInterceptor
                .setAuthenticationManager(authenticationManager());
        filterSecurityInterceptor
                .setAccessDecisionManager(accessDecisionManager());
        filterSecurityInterceptor.setRunAsManager(runAsManager());
        LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> requestMap = new LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>>();
        List<ConfigAttribute> configs = new ArrayList<ConfigAttribute>();
        configs.add(new org.springframework.security.access.SecurityConfig(
                "isAuthenticated()"));
        requestMap.put(new AntPathRequestMatcher("/**"), configs);
        FilterInvocationSecurityMetadataSource filterInvocationSecurityMetadataSource = new ExpressionBasedFilterInvocationSecurityMetadataSource(
                requestMap, new DefaultWebSecurityExpressionHandler());
        filterSecurityInterceptor
                .setSecurityMetadataSource(filterInvocationSecurityMetadataSource);
        filterSecurityInterceptor.afterPropertiesSet();

        return filterSecurityInterceptor;
    }

    public AffirmativeBased accessDecisionManager() throws Exception {
        List<AccessDecisionVoter> voters = new ArrayList<AccessDecisionVoter>();
        voters.add(new WebExpressionVoter());
        voters.add(new RoleVoter());
        AffirmativeBased affirmativeBased = new AffirmativeBased(voters);
        affirmativeBased.setAllowIfAllAbstainDecisions(false);
        affirmativeBased.afterPropertiesSet();

        return affirmativeBased;
    }

    @Bean
    public RunAsManager runAsManager() throws Exception {
        RunAsManagerImpl runAsManager = new RunAsManagerImpl();
        runAsManager.setKey("V_RUN_AS");
        runAsManager.afterPropertiesSet();
        return runAsManager;
    }

    @Bean
    public LogoutFilter logoutFilter() throws ServletException {
        List<LogoutHandler> handlers = new ArrayList<LogoutHandler>();
        handlers.add(new CookieClearingLogoutHandler("JSESSIONID"));
        handlers.add(new SecurityContextLogoutHandler());
        LogoutFilter logoutFilter = new LogoutFilter("/login",
                handlers.toArray(new LogoutHandler[] {}));
        logoutFilter.afterPropertiesSet();
        return logoutFilter;
    }

    @Bean
    public RequestContextFilter requestContextFilter() {
        return new RequestContextFilter();
    }

    @Bean
    public BasicAuthenticationFilter basicAuthenticationFilter()
            throws Exception {
        BasicAuthenticationEntryPoint basicAuthenticationEntryPoint = new BasicAuthenticationEntryPoint();
        basicAuthenticationEntryPoint.setRealmName("V_REALM");
        basicAuthenticationEntryPoint.afterPropertiesSet();
        BasicAuthenticationFilter basicAuthenticationFilter = new BasicAuthenticationFilter(
                authenticationManager(), basicAuthenticationEntryPoint);
        basicAuthenticationFilter
                .setAuthenticationDetailsSource(new CustomWebAuthenticationDetailsSource());
        basicAuthenticationFilter.afterPropertiesSet();
        return basicAuthenticationFilter;
    }
}

此配置创建两种不同的身份验证机制。
对于任何以/api/*开头的请求,它将使用basicAuthenticationFiltersecurityContextPersistenceFilterASCFalse,并带有Session Creation False。
对于任何以/*开头的请求,它将使用usernamePasswordAuthenticationFiltersecurityContextPersistenceFilterASCTrue,并设置Session Creation True。
你可以利用这一点,并改变它,以满足您的问题。

8zzbczxx

8zzbczxx2#

对于其他遇到这个问题的人,这里还有一些需要检查的东西。
我在Sping Boot 中遇到了同样的问题,甚至

sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)

我仍然看到JSESSIONID cookie被设置。在我的情况下(使用JWT),缺少的部分似乎是在HttpSessionSecurityContextRepository对象上设置setAllowSessionCreation,如下所示:

public class StatelessAuthenticationFilter extends GenericFilterBean {
        private final MyTokenAuthService authenticationService;
        private SecurityContextRepository repository = new HttpSessionSecurityContextRepository();
        protected final Logger logger = LoggerFactory.getLogger(getClass().getName());

        public StatelessAuthenticationFilter(MyTokenAuthService authenticationService) {
            this.authenticationService = authenticationService;
            ((HttpSessionSecurityContextRepository) repository).setAllowSessionCreation(false);
        }
     }

这是HttpSessionSecurityContextRepository中的这些行:

private boolean allowSessionCreation = true;
jdg4fx2g

jdg4fx2g3#

您需要在HttpSecurity对象中添加sessionCreationPolicy(SessionCreationPolicy.STATELESS),如下所示:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

@Value("${basic.auth.username}")
private String basicAuthUsername;
@Value("${basic.auth.password}")
private String basicAuthPassword;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .csrf().disable()
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .httpBasic();
}

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
        throws Exception {
    auth.inMemoryAuthentication()
            .withUser(basicAuthUsername)
            .password("{noop}" + basicAuthPassword)
            .roles("USER"); // prefix ROLE_ is automatically added
}

}

相关问题