【发布时间】:2021-08-06 22:57:14
【问题描述】:
这是我的 Spring 安全配置
@EnableWebSecurity
public class SecurityConfigurer extends WebSecurityConfigurerAdapter {
@Autowired
private MyUserDetailsService myUserDetailService;
@Autowired
private JwtRequestFilter jwtRequestFilter;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(myUserDetailService);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.antMatchers(
"api/authenticate/**", "/v2/api-docs", "/configuration/ui",
"/swagger-resources/**", "/configuration/**", "/swagger-ui.html", "/webjars/**",
"/register", "/api/addAdmin", "/api/authenticate", "/api/allAvailableTentsInExactTimeslotsRange",
"/actuator/**","/api/resident","/api/fetch-login-page"
)
.permitAll()
.anyRequest()
.authenticated()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS); // Tell Spring Security to create sessions
http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}
// I don't want to do any hashing
@Bean
public PasswordEncoder passwordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
@Bean
public AuthenticationManager authenticationmanager() throws Exception{
return super.authenticationManager();
}
}
这是我的控制器类
@RestController
@RequestMapping("/api")
@CrossOrigin(origins = "*")
public class LoginPageController {
final LoginPageRepository loginPageRepository;
final LoginPageServiceImpl loginPageServiceImpl;
public LoginPageController(LoginPageRepository loginPageRepository, LoginPageServiceImpl loginPageServiceImpl) {
this.loginPageRepository = loginPageRepository;
this.loginPageServiceImpl = loginPageServiceImpl;
}
@ApiOperation(value = "Retrieve the login page customisation", response = LoginPageDto.class)
@ApiResponses(value = {
@ApiResponse(code = 200, response = LoginPageDto.class, message = "Successfully retrieved login page"),
@ApiResponse(code = 401, message = "You are not authorized to view the resource"),
@ApiResponse(code = 403, message = "Accessing the resource you were trying to reach is forbidden"),
@ApiResponse(code = 404, message = "The resource you were trying to reach is not found")})
@GetMapping(value = "/fetch-login-page")
public ResponseEntity<LoginPageDto> fetchLoginPage() {
LoginPageDto tempLoginPageFto = loginPageServiceImpl.loginPageEntityToLoginPageDto(loginPageRepository.findFirstByLoginPageId(1L));
return ResponseEntity.ok(tempLoginPageFto);
}
}
如果我从 swagger 调用我的端点,它就像一个魅力而无需任何身份验证
但是,当我尝试从移动模拟器调用端点时,我在服务器站点上收到此错误:
2021-08-03 22:41:16.782 DEBUG 3088 --- [nio-8083-exec-3] o.s.security.web.FilterChainProxy : Securing GET /api/fetch-login-page/
2021-08-03 22:41:16.782 DEBUG 3088 --- [nio-8083-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2021-08-03 22:41:16.782 DEBUG 3088 --- [nio-8083-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2021-08-03 22:41:16.783 DEBUG 3088 --- [nio-8083-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Failed to authorize filter invocation [GET /api/fetch-login-page/] with attributes [authenticated]
2021-08-03 22:41:16.783 DEBUG 3088 --- [nio-8083-exec-3] o.s.s.w.a.Http403ForbiddenEntryPoint : Pre-authenticated entry point called. Rejecting access
2021-08-03 22:41:16.783 DEBUG 3088 --- [nio-8083-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2021-08-03 22:41:16.783 DEBUG 3088 --- [nio-8083-exec-3] o.s.security.web.FilterChainProxy : Securing GET /error
2021-08-03 22:41:16.783 DEBUG 3088 --- [nio-8083-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2021-08-03 22:41:16.783 DEBUG 3088 --- [nio-8083-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2021-08-03 22:41:16.783 DEBUG 3088 --- [nio-8083-exec-3] o.s.security.web.FilterChainProxy : Secured GET /error
2021-08-03 22:41:16.786 DEBUG 3088 --- [nio-8083-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
在 Android 应用程序中,我通过改造来进行调用。我知道我必须使用我电脑上的实际 ip 才能完成这项工作。事实上,我有很多没有启用 Spring Security 的应用程序,它们运行良好。
在 android studio 上,这是我的改造配置:
public class RetrofitConfig {
public static Retrofit retrofit;
public static Retrofit getClient() {
if (retrofit == null) {
retrofit = new Retrofit.Builder()
.baseUrl("http://192.168.1.1:8083/api/")
.addConverterFactory(GsonConverterFactory.create())
.build();
}
return retrofit;
}
}
这是我的 API 类
public interface myAPI {
@GET("fetch-login-page/")
Call<MainActivityModel> fetchLoginPage();
}
在这里我实现了实际的调用
public void fetchLoginPage() {
MyAPI myAPI = RetrofitConfig.getClient().create(MyAPI.class);
Call<MainActivityModel> call = myAPI.fetchLoginPage();
call.enqueue(new Callback<MainActivityModel>() {
@Override
public void onResponse(Call<MainActivityModel> call, Response<MainActivityModel> response) {
textViewOtp.setText(response.body().getTextViewOtp());
getSupportActionBar().setTitle(response.body().getSupportActionBarString());
}
@Override
public void onFailure(Call<MainActivityModel> call, Throwable t) {
t.getStackTrace();
}
});
}
在客户端我得到 403
Response{protocol=http/1.1, code=403, message=, url=http://192.168.1.1:8083/api/fetch-login-page/}
你能告诉我我在 spring-security 中缺少什么配置吗?非常感谢!
【问题讨论】:
标签: java android spring spring-boot spring-security