【发布时间】:2014-08-25 17:41:12
【问题描述】:
我已经编写了一个简单的 Spring Web 服务,在我尝试为用户身份验证启用 Web 安全之前它工作正常。
我已经以编程方式为项目设置了所有 spring 配置(我第一次尝试这种方法),我正在使用 spring boot 来启动 web 服务(也是我第一次尝试 spring boot),为此,我正在使用以下 Spring API(spring-boot-starter-ws:1.1+ 和 spring-security-xxx:3.+)。
Web Service 端点定义如下:
@Endpoint
public class AWebServiceEndpoint extends WsConfigurerAdapter {
@PayloadRoot(namespace = NAMESPACE_URI, localPart = "aRequest")
@ResponsePayload
public AResponse request(@RequestPayload ARequest request) {
...
Web Service 配置定义如下:
@Configuration
@EnableWs
@ComponentScan
public class WebServiceConfig extends WsConfigurerAdapter {
@Bean
public ServletRegistrationBean dispatcherServlet(ApplicationContext applicationContext) {
MessageDispatcherServlet servlet = new MessageDispatcherServlet();
servlet.setApplicationContext(applicationContext);
return new ServletRegistrationBean(servlet, "/ws/A/Service");
}
....
网络安全配置定义如下:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests().antMatchers("/**").hasRole("alogin").and().httpBasic();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("testuser").password("password").roles("alogin");
}
}
当我调用配置了 Web 安全的 Web 服务时,我得到以下 spring 调试堆栈跟踪:
04-Jul-2014 12:21:07,084 [DEBUG] HttpServletBean - Initializing servlet 'messageDispatcherServlet'
04-Jul-2014 12:21:07,085 [DEBUG] MutablePropertySources - Adding [servletConfigInitParams] PropertySource with lowest search precedence
04-Jul-2014 12:21:07,085 [DEBUG] MutablePropertySources - Adding [servletContextInitParams] PropertySource with lowest search precedence
04-Jul-2014 12:21:07,085 [DEBUG] MutablePropertySources - Adding [jndiProperties] PropertySource with lowest search precedence
04-Jul-2014 12:21:07,085 [DEBUG] MutablePropertySources - Adding [systemProperties] PropertySource with lowest search precedence
04-Jul-2014 12:21:07,085 [DEBUG] MutablePropertySources - Adding [systemEnvironment] PropertySource with lowest search precedence
04-Jul-2014 12:21:07,085 [DEBUG] AbstractEnvironment - Initialized StandardServletEnvironment with PropertySources [servletConfigInitParams,servletContextInitParams,jndiProperties,systemProperties,systemEnvironment]
04-Jul-2014 12:21:07,086 [INFO ] FrameworkServlet - FrameworkServlet 'messageDispatcherServlet': initialization started
04-Jul-2014 12:21:07,087 [DEBUG] AbstractBeanFactory - Returning cached instance of singleton bean 'messageFactory'
04-Jul-2014 12:21:07,093 [DEBUG] AbstractBeanFactory - Returning cached instance of singleton bean 'defaultMethodEndpointAdapter'
04-Jul-2014 12:21:07,093 [DEBUG] AbstractBeanFactory - Returning cached instance of singleton bean 'soapFaultAnnotationExceptionResolver'
04-Jul-2014 12:21:07,093 [DEBUG] AbstractBeanFactory - Returning cached instance of singleton bean 'simpleSoapExceptionResolver'
04-Jul-2014 12:21:07,093 [DEBUG] AbstractBeanFactory - Returning cached instance of singleton bean 'payloadRootAnnotationMethodEndpointMapping'
04-Jul-2014 12:21:07,093 [DEBUG] AbstractBeanFactory - Returning cached instance of singleton bean 'soapActionAnnotationMethodEndpointMapping'
04-Jul-2014 12:21:07,094 [DEBUG] AbstractBeanFactory - Returning cached instance of singleton bean 'annotationActionEndpointMapping'
04-Jul-2014 12:21:07,094 [DEBUG] MessageDispatcherServlet - No MessageDispatcher found in servlet 'messageDispatcherServlet': using default
04-Jul-2014 12:21:07,094 [DEBUG] AbstractBeanFactory - Returning cached instance of singleton bean 'request'
04-Jul-2014 12:21:07,094 [DEBUG] MessageDispatcherServlet - Published [org.springframework.ws.wsdl.wsdl11.DefaultWsdl11Definition@7ec50147] as request.wsdl
04-Jul-2014 12:21:07,095 [DEBUG] AbstractBeanFactory - Returning cached instance of singleton bean 'requestSchema'
04-Jul-2014 12:21:07,095 [DEBUG] MessageDispatcherServlet - Published [SimpleXsdSchema{http://www.destin8.co.uk/Chief}] as requestSchema.xsd
04-Jul-2014 12:21:07,095 [DEBUG] FrameworkServlet - Published WebApplicationContext of servlet 'messageDispatcherServlet' as ServletContext attribute with name [org.springframework.web.servlet.FrameworkServlet.CONTEXT.messageDispatcherServlet]
04-Jul-2014 12:21:07,095 [INFO ] FrameworkServlet - FrameworkServlet 'messageDispatcherServlet': initialization completed in 9 ms
04-Jul-2014 12:21:07,095 [DEBUG] HttpServletBean - Servlet 'messageDispatcherServlet' configured successfully
04-Jul-2014 12:21:07,102 [DEBUG] FilterChainProxy$VirtualFilterChain - /ws/A/Service at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
04-Jul-2014 12:21:07,105 [DEBUG] FilterChainProxy$VirtualFilterChain - /ws/A/Service at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
04-Jul-2014 12:21:07,106 [DEBUG] HttpSessionSecurityContextRepository - No HttpSession currently exists
04-Jul-2014 12:21:07,106 [DEBUG] HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
04-Jul-2014 12:21:07,108 [DEBUG] FilterChainProxy$VirtualFilterChain - /ws/A/Service at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
04-Jul-2014 12:21:07,108 [DEBUG] HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@2d5260f3
04-Jul-2014 12:21:07,108 [DEBUG] FilterChainProxy$VirtualFilterChain - /ws/A/Service at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
04-Jul-2014 12:21:07,108 [DEBUG] AntPathRequestMatcher - Checking match of request : '/ws/a/service'; against '/logout'
04-Jul-2014 12:21:07,108 [DEBUG] FilterChainProxy$VirtualFilterChain - /ws/A/Service at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
04-Jul-2014 12:21:07,109 [DEBUG] FilterChainProxy$VirtualFilterChain - /ws/A/Service at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
04-Jul-2014 12:21:07,109 [DEBUG] FilterChainProxy$VirtualFilterChain - /ws/A/Service at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
04-Jul-2014 12:21:07,110 [DEBUG] FilterChainProxy$VirtualFilterChain - /ws/A/Service at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
04-Jul-2014 12:21:07,111 [DEBUG] AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
04-Jul-2014 12:21:07,111 [DEBUG] FilterChainProxy$VirtualFilterChain - /ws/A/Service at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
04-Jul-2014 12:21:07,111 [DEBUG] SessionManagementFilter - Requested session ID A90A65C310CD0D87A9588F386BC51071 is invalid.
04-Jul-2014 12:21:07,111 [DEBUG] FilterChainProxy$VirtualFilterChain - /ws/A/Service at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
04-Jul-2014 12:21:07,112 [DEBUG] FilterChainProxy$VirtualFilterChain - /ws/A/Service at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
04-Jul-2014 12:21:07,112 [DEBUG] AntPathRequestMatcher - Request '/ws/a/service' matched by universal pattern '/**'
04-Jul-2014 12:21:07,112 [DEBUG] AbstractSecurityInterceptor - Secure object: FilterInvocation: URL: /ws/A/Service; Attributes: [hasRole('ROLE_alogin')]
04-Jul-2014 12:21:07,113 [DEBUG] AbstractSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
04-Jul-2014 12:21:07,115 [DEBUG] AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@1bfa3f4c, returned: -1
04-Jul-2014 12:21:07,116 [DEBUG] AbstractBeanFactory - Returning cached instance of singleton bean 'org.springframework.integration.internalMessagingAnnotationPostProcessor'
04-Jul-2014 12:21:07,117 [DEBUG] ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) ~[spring-security-core-3.2.4.RELEASE.jar:3.2.4.RELEASE]
当我调用网络服务时,我肯定是在设置授权用户名和密码。
是否需要设置任何其他配置选项才能启用网络安全并使其正常工作?
提前致谢, 下午。
【问题讨论】:
-
我可以看到
BasicAuthenticationFilter正在发射。您是如何验证您的请求的? -
我正在使用 Soap UI 来触发我在“身份验证和安全相关设置”选项卡下设置用户名和密码值的请求。
-
我对 Soap UI 无能为力,但问题似乎就在那里。也许它没有使用基本身份验证?也许这是一个设置?您可以使用 curl 进行控制并在命令行上提供凭据。
-
按照您的建议使用 curl 进行了尝试,然后请求对用户进行了身份验证,所以谢谢!所以似乎是 Soap UI 以不同的方式发送请求?奇怪,因为我将 Soap UI 与其他安全 Web 服务一起使用,并且通常身份验证工作正常! (顺便说一下,Soap UI v4.5.0)。再次感谢!
-
现在可以使用 Soap UI。在 Soap UI 中,我还需要在 Soap UI 的首选项(在 HTTP 设置选项卡下)中勾选“抢先验证”框。 @Dave Syer,如果您将答案作为问题的实际答案发布,那么我可以接受它,以便将其标记为已回答。再次感谢,PM。
标签: spring spring-security spring-boot