【发布时间】:2019-07-06 23:17:26
【问题描述】:
我的 Spring 后端和 AngularJS 前端出现问题。作为一个信息,我对 Spring Security 很陌生,并且也在学习这个项目。
我没有使用 SpringBoot。两者都单独工作,并且应该能够在单独的机器上运行。 ATM 我的前端通过 https://localhost:3000 上的 gulp 服务器在本地运行,后端在 https://localhost:8443/context 上的 Tomcat 中运行。我在 Java 中设置了CORSFilter。
到目前为止,一切都很好。如果我启动前端,则会对后端进行调用以获取资源,并且我正在查看登录页面。如果我选择登录,则会按预期拨打https://localhost:8443/context/login 的电话。 但是:在后台处理登录后,后台重定向到https://localhost:8443/context而不是https://localhost:3000,当然会创建一个 404 并导致登录失败(前端)。我只是找不到这个奇怪的重定向是在哪里进行的。
SpringSecurityConfig:
private static final String C440_LOGIN = "/login";
private static final String c440_START_PAGE = "/index.html";
private static final String FAVICON_ICO = "/favicon.ico";
@Override
protected void configure(HttpSecurity http) throws Exception {
// HttpSecurity workHttp = http.addFilterBefore(new CORSFilter(), SessionManagementFilter.class); does not work!
HttpSecurity workHttp = http.addFilterBefore(new CORSFilter(), ChannelProcessingFilter.class);
workHttp.addFilterBefore(new CookieFilter(), ChannelProcessingFilter.class);
workHttp.addFilterBefore(getUsernamePasswordPortalAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
// set authorizations
workHttp = authorizeRequests(http);
// login handling
workHttp = formLogin(workHttp);
// exception handling
workHttp = exceptionHandling(workHttp);
// logout handling
workHttp = logout(workHttp);
// cookie handling
workHttp = rememberMe(workHttp);
// disable caching because if IE11 webfonds bug
// https://stackoverflow.com/questions/7748140/font-face-eot-not-loading-over-https
http.headers().cacheControl().disable();
csrf(workHttp);
}
/**
* Configures request authorization.
*
* @param http The security configuration.
* @return The configured security configuration.
* @throws Exception is throws if the configuration fails.
*/
protected HttpSecurity authorizeRequests(HttpSecurity http) throws Exception {
return http
.authorizeRequests()
// secured pages
.antMatchers("/", getCustomerdWebRessourceSecuredPath()).authenticated()
// common resources
.antMatchers("/app/**").permitAll()
.antMatchers("/profiles/**").permitAll()
.antMatchers("/captcha/**").permitAll()
.antMatchers("/", getCustomerRessourcePath()).permitAll()
.antMatchers("/", getCustomerWebRessourcePath()).permitAll()
.antMatchers("/", c440_START_PAGE).permitAll()
.antMatchers("/", FAVICON_ICO).permitAll()
.antMatchers(C440_LOGIN).permitAll()
// frontend services
.antMatchers("/services/userService/**").permitAll()
.antMatchers("/services/applicationService/**").permitAll()
.antMatchers("/services/textContentService/**").permitAll()
.antMatchers("/services/textContentBlockService/**").permitAll()
.antMatchers("/services/menuItemService/**").permitAll()
.antMatchers("/services/calculatorService/**").permitAll()
.anyRequest().authenticated()
.and();
}
private String getCustomerRessourcePath() {
return "/resources/app-" + portalFrontendBase + "/**";
}
private String getCustomerWebRessourcePath() {
return "/app-" + portalFrontendBase + "/**";
}
private String getCustomerdWebRessourceSecuredPath() {
return "/app-" + portalFrontendBase + "/secure/**";
}
/**
* Configures form login.
*
* @param http The security configuration.
* @return The configured security configuration.
* @throws Exception is throws if the configuration fails.
*/
protected HttpSecurity exceptionHandling(HttpSecurity http) throws Exception {
return http
.exceptionHandling()
.authenticationEntryPoint((request, response, authException) -> {
if (authException != null) {
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
/**
* IMPORTANT: do not redirect the requests. The front-end will be responsible to do this.
* Otherwise the unauthorized status cannot be caught in the front-end correctly.
*/
return;
}
})
.and();
}
/**
* Configures form login.
*
* @param http The security configuration.
* @return The configured security configuration.
* @throws Exception is throws if the configuration fails.
*/
protected HttpSecurity formLogin(HttpSecurity http) throws Exception {
return http
.formLogin()
.loginPage(c440_START_PAGE)
.successHandler(getAuthenticationSuccessHandler())
.failureHandler(getAuthenticationFailureHandler())
.loginProcessingUrl(C440_LOGIN)
.permitAll()
.and();
}
/**
* Configures logout.
*
* @param http The security configuration.
* @return The configured security configuration.
* @throws Exception is throws if the configuration fails.
*/
protected HttpSecurity logout(HttpSecurity http) throws Exception {
return http
.logout()
.logoutUrl(portalLogoutURL)
.addLogoutHandler(getLogoutHandler())
.logoutSuccessHandler(getLogoutSuccessHandler())
.invalidateHttpSession(true)
.and();
}
@Bean
public UsernamePasswordPortalAuthenticationFilter getUsernamePasswordPortalAuthenticationFilter() throws Exception {
UsernamePasswordPortalAuthenticationFilter customFilter = new UsernamePasswordPortalAuthenticationFilter();
customFilter.setAuthenticationManager(authenticationManagerBean());
return customFilter;
}
UsernamePasswordPortalAuthenticationFilter.java:
@PropertySource(value = {"classpath:application.properties"})
public class UsernamePasswordPortalAuthenticationFilter extends
UsernamePasswordAuthenticationFilter {
private Logger log = Logger.getLogger(this.getClass());
@Value("${captchaActive}")
private boolean captchaActive;
@Override
public AuthenticationManager getAuthenticationManager() {
return super.getAuthenticationManager();
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
UsernamePasswordPortalAuthenticationToken authRequest = getAuthenticationTokenFromRequest(request);
return getAuthenticationManager().authenticate(authRequest);
}
/**
* Reads the UsernamePasswordPortalAuthenticationToken from the data of the request.
*
* @param request The request to read the data from.
* @return The authentication token.
* @throws AuthenticationException is thrown if the data cannot be read.
*/
public UsernamePasswordPortalAuthenticationToken getAuthenticationTokenFromRequest(final HttpServletRequest request) throws AuthenticationException {
StringBuffer buf = new StringBuffer();
String line = null;
try {
BufferedReader reader = request.getReader();
while ((line = reader.readLine()) != null) {
buf.append(line);
}
UsernamePasswordPortalAuthenticationToken loginDataWithCaptcha =
new ObjectMapper().readValue(buf.toString(), UsernamePasswordPortalAuthenticationToken.class);
if (this.captchaActive) {
String answer = (String) request.getSession().getAttribute("COLLPHIRCAPTCHA");
List<CaptchaCookieDto> captchaCookieDtos;
captchaCookieDtos = (List<CaptchaCookieDto>) request.getAttribute("captchaCookies");
CaptchaCookieDto captchaCookieDto = captchaCookieDtos.stream().filter(captchaCookie -> captchaCookie.getUsername().equals(
loginDataWithCaptcha.getUsername())).findAny().orElse(null);
if (captchaCookieDto != null && captchaCookieDto.getCounter() >= 2) {
if (answer.equals(loginDataWithCaptcha.getConfirmCaptcha())) {
return new ObjectMapper().readValue(loginDataWithCaptcha.loginDataToStringWithoutCaptcha(),
UsernamePasswordPortalAuthenticationToken.class);
} else {
throw new BadCredentialsException("invalid data");
}
} else {
return new ObjectMapper().readValue(loginDataWithCaptcha.loginDataToStringWithoutCaptcha(),
UsernamePasswordPortalAuthenticationToken.class);
}
} else {
return new ObjectMapper().readValue(loginDataWithCaptcha.loginDataToStringWithoutCaptcha(), UsernamePasswordPortalAuthenticationToken.class);
}
} catch (Exception e) {
throw new BadCredentialsException("invalid data");
}
}
}
我尝试更改我的两个自定义过滤器(CORSFilter 和 CookieFilter)的顺序,或者将 CORSFilter 放在其他位置(addFilterBefore SessionManagementFilter 不起作用,如果我这样做,登录 -由于缺少 CORS 标头,调用将无法正常工作)以及几乎所有其他内容......
我还尝试使用来自https://www.baeldung.com/spring_redirect_after_login 的authsuccesshandler 的想法,在该想法中,我只得到请求origin 标头(应该是前端URL https://localhost:3000)来重定向回它:
@Component
public class MyTestAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
private Logger LOG = Logger.getLogger(this.getClass());
private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
public MyTestAuthenticationSuccessHandler() {
super();
setUseReferer(true);
}
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication auth) throws IOException {
LOG.info("onAuthenticationSuccess");
SecurityContextHolder.getContext().setAuthentication(auth);
handle(request, response, auth);
}
protected void handle(HttpServletRequest request, HttpServletResponse response, Authentication auth) throws IOException {
String targetUrl = determineTargetUrl(request);
if (response.isCommitted()) {
LOG.info("Response has already been committed. Unable to redirect to " + targetUrl);
return;
}
redirectStrategy.sendRedirect(request, response, targetUrl);
}
protected String determineTargetUrl(HttpServletRequest request) {
return request.getHeader("Origin");
}
}
但它仍然不起作用。
另外,如果我尝试调试后端并在authsuccesshandler 和authfailurehandler 内设置断点,它仍然不会停在那里。不应该就此打住吗?
.formLogin()
.loginPage(c440_START_PAGE)
.successHandler(getAuthenticationSuccessHandler())
.failureHandler(getAuthenticationFailureHandler())
.loginProcessingUrl(C440_LOGIN)
.permitAll()
.and();
我真的不明白这个重定向发生在哪里以及为什么它不会使用我的新authsuccesshandler。
更新 07.03.19: 似乎根本没有调用 successhandler,即使我将前端和后端都部署在与一个捆绑的 WAR 文件,它使登录再次工作。奇怪的是,即使我从 SecurityConfig 内的配置方法中删除了 .formLogin() 东西,登录仍然有效。所以我想看起来所有的魔法都发生在我们自定义的 UsernamePasswordAuthenticationFilter 中调用的 AuthenticationProvider 中:
UsernamePasswordAuthenticationFilter
[...]
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
UsernamePasswordPortalAuthenticationToken authRequest = getAuthenticationTokenFromRequest(request);
return getAuthenticationManager().authenticate(authRequest);
}
[...]
AuthenticationProvider:
[...]
@Override
public CollphirAuthentication authenticate(Authentication authentication) throws AuthenticationException {
if (authentication == null) {
throw new IllegalArgumentException("authentication");
}
if (UsernamePasswordPortalAuthenticationToken.class.isAssignableFrom(authentication.getClass())) {
UsernamePasswordPortalAuthenticationToken clientAuthentication = (UsernamePasswordPortalAuthenticationToken) authentication;
CollphirUser user = getUserService().loginUser(
clientAuthentication.getName(), clientAuthentication.getCredentials().toString(), clientAuthentication.getPortal(), clientAuthentication.getArbeitgeber());
CollphirAuthentication auth = null;
if (user == null || user.getBenutzerkennung() == null || user.getCOLRolle() == null) {
LOG.info("authentication failed");
Notification[] notifications = user.getNotifications();
String msg = null;
if (notifications != null && notifications[0] != null && notifications[0].getText() != null) {
msg = notifications[0].getText();
}
throw new BadCredentialsException(msg);
}
Referenz arbeitgeberReference = getArbeitgeberReference(user, clientAuthentication.getPortal(), clientAuthentication.getArbeitgeber());
auth = new CollphirAuthentication(user, arbeitgeberReference);
auth.setArbeitgeber(getArbeitgeber( arbeitgeberReference));
LOG.debug("is authenticated: " + auth.isAuthenticated());
return auth;
}
throw new BadCredentialsException("type");
}
[...]
所以我的猜测是:在 UsernamePasswordPortalAuthenticationFilter 或 AuthenticationProvider 内的某个地方进行了重定向。如果我想一想,在通过 REST 调用后端的 AngularJS 前端中,重定向根本没有意义,对吧?后端不应该只发回状态代码或AngularJS控制器可以评估以更改状态或显示错误消息的东西吗?
看起来这个应用程序中的整个登录过程真的很奇怪。我无法想象通常不使用 .formLogin() 和 .successHandler()?问题是,我没有 AngularJS 前端和 Spring Security 后端的最佳实践示例作为比较...
【问题讨论】:
-
在调用 localhost:8443/context/login(返回 302)之后,只有一个对 localhost:8443/context 的 GET-Request 而已......
-
浏览器可能有问题?检查这是否有帮助stackoverflow.com/a/43563899/5383945
-
@Jazib 不,不是这样,但是谢谢!
-
@Vortilion 你使用 Spring Boot 吗?您是否检查过您的配置是否已执行?
-
@Vortilion:你的问题真的很难阅读。你能把你的问题清理干净吗?如果我正确理解您的问题,则您已成功登录,但您的重定向错误。如果这是正确的,那么 CORS 配置可以正常工作,请将其从您的问题中删除。您的
AuthenticationProvider也可以正常工作,请将其从您的问题中删除。
标签: angularjs spring spring-security cors