所以我观察到,当我试图在安全链中使用自定义过滤器时,我没有得到会话cookie。我为什么要这么做?因为我想在JSON中发送用户名和密码,而不是在查询字符串.
我基于此:
https://ckinan.com/blog/spring-security-credentials-from-json-request/
我检查了一下:
Spring security- Send credentials as json instead of regular form in rest service
我的自定义过滤器:
public class CustomFilter extends AbstractAuthenticationProcessingFilter {
protected CustomFilter() {
super(new AntPathRequestMatcher("/login", "POST"));
}
@Override
public Authentication attemptAuthentication(
HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
String username, password;
try {
Map<String, String> requestMap = new ObjectMapper().readValue(request.getInputStream(), Map.class);
username = requestMap.get("username");
password = requestMap.get("password");
} catch (IOException e) {
throw new AuthenticationServiceException(e.getMessage(), e);
}
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
username, password);
return this.getAuthenticationManager().authenticate(authRequest);
}
}我的securityConfig:
public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception {
return authConfig.getAuthenticationManager();
}
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
CustomFilter mupaf = new CustomFilter();
mupaf.setAuthenticationManager(authenticationManager(authenticationManagerBuilder));
http.csrf(AbstractHttpConfigurer::disable)
.sessionManagement((sessionManagement) ->
sessionManagement.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.sessionFixation().changeSessionId())
.authorizeHttpRequests((authorizeHttpRequests) ->
authorizeHttpRequests.requestMatchers("/index").permitAll()
.requestMatchers("/login").permitAll()
.anyRequest().authenticated()
).addFilterAt(mupaf, UsernamePasswordAuthenticationFilter.class
)
.logout((logout) ->
logout.deleteCookies("remove")
.invalidateHttpSession(false)
.logoutSuccessUrl("/index")
);
return http.build();
}服务器回答:
❯ curl -X POST http://localhost:8080/login -H 'Content-Type: application/json' -d '{"username":"admin","password":"pass"}' -i
HTTP/1.1 302
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Location: http://localhost:8080/
Content-Length: 0
Date: Sun, 08 Oct 2023 21:39:46 GMT当我禁用过滤器响应是:
❯ curl -X POST http://localhost:8080/login\?username\=ADMIN\&password\=pass -i
HTTP/1.1 302
Set-Cookie: SESSION=40E7A645752D0AACFA52C79D5DEA10EF; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Location: http://localhost:8080/
Content-Length: 0
Date: Sun, 08 Oct 2023 21:41:20 GMT安全配置看起来像这样:
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.csrf(AbstractHttpConfigurer::disable)
.sessionManagement((sessionManagement) ->
sessionManagement.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.sessionFixation().changeSessionId())
.authorizeHttpRequests((authorizeHttpRequests) ->
authorizeHttpRequests.requestMatchers("/index").permitAll()
.requestMatchers("/login").permitAll()
.anyRequest().authenticated()
).formLogin((formLogin) ->
formLogin.defaultSuccessUrl("/success", true)
.failureHandler(customLoginFailureHandler)
.successHandler(customLoginSuccessHandler)
)
.logout((logout) ->
logout.deleteCookies("remove")
.invalidateHttpSession(false)
.logoutSuccessUrl("/index")
);
return http.build();
}
1条答案
按热度按时间hc2pp10m1#