Spring Boot Authorization Basic Header Never Changes

I am trying to set up a very basic Spring Boot application with authentication. I set the Authorization header on the client and send it to the backend. I can verify that the client is sending the correct header.
The backend correctly receives the header on the first login attempt. However, if the login credentials are incorrect, subsequent requests keep the header from the initial request (it caches it or something).
I am using Redis for session caching. My configuration is as follows:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.csrf.CsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired AuthenticationEntryPoint authenticationEntryPoint;
    @Autowired CsrfTokenRepository csrfTokenRepository; // injected but not used below

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint)
                .and()
            .csrf()
                .disable()
            // AntPathRequestMatcher treats "**" as match-all, so every request is permitted
            // here and the anyRequest().authenticated() rule below never applies. httpBasic()
            // is also never enabled, so no Spring Security filter reads the Authorization header;
            // only the controller below ever looks at it.
            .authorizeRequests().antMatchers("**")
                .permitAll()
            .anyRequest()
                .authenticated()
            ;
    }
}
```
The AuthenticationEntryPoint:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.AuthenticationEntryPoint;

@Configuration // required (or @Component); without it the @Bean method is never processed
public class AuthenticationEntryPointBean {

    @Bean
    AuthenticationEntryPoint authenticationEntryPoint() {
        return new RestAuthenticationEntryPoint(); // the asker's own entry point; class not shown in the post
    }
}
```
Any direction would be greatly appreciated.
**Edit** Adding the cache settings:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.jedis.JedisConnectionFactory;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;

@Configuration
@EnableRedisHttpSession // replaces the container's HttpSession with one stored in Redis
public class HttpSessionConfig {

    @Bean
    public JedisConnectionFactory connectionFactory() {
        return new JedisConnectionFactory(); // default settings: localhost:6379
    }
}
```
And I want to invalidate the cache, but it doesn't seem to work:
```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.concurrent.TimeUnit;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

import com.google.gson.Gson;

// The enclosing class, `service` and `expiresInMinutes` are referenced but not shown in the
// post; they are declared here only so the method compiles. Types and values are assumed.
@Controller
public class LoginController {

    @Autowired
    private AuthService service;      // type name assumed; getSecurityContext(..) returns Optional<UserAuthenticationEntity>
    private int expiresInMinutes = 15; // value not shown in the post

    @CrossOrigin
    @RequestMapping(value = "/auth/login", method = RequestMethod.GET, produces = "application/json")
    public @ResponseBody String login(@RequestHeader(name = "authorization") String authorization,
                                      HttpSession session, HttpServletRequest request) {
        try {
            // The client sends "Basic " + base64(JSON), not the RFC 7617 "user:password" form,
            // so the decoded payload is parsed as a LoginRequest.
            authorization = authorization.substring("Basic ".length());
            String decoded = new String(Base64.getDecoder().decode(authorization), StandardCharsets.UTF_8);
            Gson gson = new Gson();
            LoginRequest login = gson.fromJson(decoded, LoginRequest.class);
            UserAuthenticationEntity entity = service.getSecurityContext(login)
                    .orElseThrow(() -> new BadCredentialsException("Authentication Failed."));
            session.setMaxInactiveInterval((int) TimeUnit.MINUTES.toSeconds(expiresInMinutes));
            // SecurityContextPersistenceFilter copies this Authentication into the
            // Redis-backed session when the request completes.
            SecurityContextHolder.getContext().setAuthentication(new EntityContext(entity, expiresInMinutes));
            return gson.toJson(BasicResponse.SUCCESS);
        } catch (Exception e) {
            // Drop the Authentication held in this thread's context as well as the session,
            // so a failed attempt leaves no authenticated state behind.
            SecurityContextHolder.clearContext();
            session.invalidate();
            e.printStackTrace();
            throw new AuthenticationCredentialsNotFoundException("Authentication Error");
        }
    }
}
```
You may need to include your cache configuration in the question. A very rough guess is that the cache is not configured correctly, so it doesn't know to invalidate the cached content on a failed login and simply returns the cached session information. – Ickster
Included in the edit. –
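As an added example (not the asker's code and not an answer from this thread): a login endpoint that parses the header in the RFC 7617 `user:password` form the `Basic` scheme defines, hands the credentials to Spring Security's `AuthenticationManager` instead of building an `Authentication` by hand, rotates the session id before storing the result, and on failure clears both the thread-local `SecurityContext` and the session so nothing from the attempt survives into the next request. It assumes Spring Boot with `spring-boot-starter-security` and `spring-session-data-redis` on the classpath, and that the `WebSecurityConfigurerAdapter` overrides `authenticationManagerBean()` to expose the manager as a bean; the package name, the `Credentials` holder, the `BasicLoginController` class and the 15-minute timeout are assumptions.

```java
// Added example, not code from the original post. Assumes Spring Boot 1.5/2.x with
// spring-boot-starter-security and spring-session-data-redis, and an AuthenticationManager
// bean exposed via authenticationManagerBean() in the WebSecurityConfigurerAdapter.
package example.auth; // hypothetical package

import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class BasicLoginController {

    private static final int SESSION_TIMEOUT_SECONDS = 15 * 60; // assumed value

    @Autowired
    private AuthenticationManager authenticationManager;

    /** Parsed "user:password" pair from an RFC 7617 Basic credential (assumed helper type). */
    static final class Credentials {
        final String username;
        final String password;
        Credentials(String username, String password) { this.username = username; this.password = password; }
    }

    /**
     * Parses "Basic base64(user:password)". Returns null for anything malformed rather than
     * throwing, so a bad or missing header becomes a 401 instead of a stack trace.
     */
    static Credentials parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null;
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':'); // split on the first colon only: passwords may contain ':'
        if (colon < 0) return null;
        return new Credentials(pair.substring(0, colon), pair.substring(colon + 1));
    }

    @PostMapping(value = "/auth/login", produces = "application/json")
    public ResponseEntity<String> login(@RequestHeader(name = "Authorization", required = false) String authorization,
                                        HttpServletRequest request) {
        Credentials creds = parseBasic(authorization);
        if (creds == null) {
            return unauthenticated(request);
        }
        try {
            Authentication auth = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(creds.username, creds.password));
            // Give the now-authenticated client a fresh session id before anything is stored
            // under it (session fixation defence), then publish the Authentication;
            // SecurityContextPersistenceFilter writes it to the Redis-backed session at the
            // end of the request.
            HttpSession session = request.getSession(true);
            request.changeSessionId();
            session.setMaxInactiveInterval(SESSION_TIMEOUT_SECONDS);
            SecurityContextHolder.getContext().setAuthentication(auth);
            return ResponseEntity.ok("{\"status\":\"SUCCESS\"}");
        } catch (AuthenticationException e) {
            return unauthenticated(request);
        }
    }

    /** Drop every trace of the attempt: the context in this thread and the session it lives in. */
    private static ResponseEntity<String> unauthenticated(HttpServletRequest request) {
        SecurityContextHolder.clearContext();
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate();
        return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("{\"status\":\"FAILURE\"}");
    }
}
```

Two points worth checking against the configuration in the question. First, `.antMatchers("**").permitAll()` permits every request, so the `anyRequest().authenticated()` rule never applies; narrowing the `permitAll()` matcher to `/auth/login` is what makes the session-stored `Authentication` actually gate the rest of the API. Second, the 401 above deliberately omits a `WWW-Authenticate: Basic` header: when a browser receives that header, even on an XHR, it shows its native login dialog and then re-sends the credentials it cached for that realm on later requests, which is one client-side reason a server can keep seeing the same Authorization header after a failed attempt.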