use*_*869 4 ajax grails spring-security
我设置了一个新的grails应用程序(2.3.5)并安装了spring security core plugin(2.0-RC2)
我添加了以下配置(我的'secure/**'urlmappings使用basicAuthenicationFilter):
grails.plugin.springsecurity.logout.postOnly = false
grails.plugin.springsecurity.rejectIfNoRule = true
grails.plugin.springsecurity.fii.rejectPublicInvocations = false
//Enable Basic Auth Filter
grails.plugin.springsecurity.useBasicAuth = true
grails.plugin.springsecurity.basic.realmName = "Example"
grails.plugin.springsecurity.filterChain.chainMap = [
'/secure/**': 'JOINED_FILTERS,-exceptionTranslationFilter',
'app/**': 'JOINED_FILTERS,-basicAuthenticationFilter,-basicExceptionTranslationFilter'
]
grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.car.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.car.UserRole'
grails.plugin.springsecurity.authority.className = 'com.car.Role'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
'/app/**': ['permitAll'],
'/index': ['permitAll'],
'/index.gsp': ['permitAll'],
'/**/js/**': ['permitAll'],
'/**/css/**': ['permitAll'],
'/**/images/**': ['permitAll'],
'/**/favicon.ico': ['permitAll']
]
我在web-app文件夹中有一个角度应用程序.基本上,当我从它发出ajax请求并在基本身份验证标头中提供错误密码时 - 系统会提示我使用默认的浏览器提示.该请求仍在等待中.我是新来理解这一点,但我看起来拦截请求的代码有逻辑提示标头是否存在或无效.
我确信我必须遗漏一些明显的东西,必须有一种简单的方法来配置请求的行为.有这样的配置吗?或者我应该创建一个自定义过滤器?
在这种情况下,当使用HTTP基本身份验证(useBasicAuth = true)时,服务器返回401回复WWW-Authenticate: Basic,浏览器会回复一个用户名和密码的弹出窗口.
这种行为存在于所有浏览器中,无法更改,但有几种选择.为了避免弹出窗口,我们不能使用基本身份验证,而是使用其他一些机制.
最简单的方法是使用除Authorization标头之外的其他标头(在基本身份验证中使用)来传递凭据.
要配置spring security以在此新标头上查找凭据,请查看17.2.1部分Request-Header Authentication,其中给出了如何配置a RequestHeaderAuthenticationFilter查看给定标头的示例.
这是配置使用名为X-MyCustomHeader传递凭据的标头查找的方式:
<security:http>
<!-- Additional http configuration omitted -->
<security:custom-filter position="PRE_AUTH_FILTER" ref="customAuthFilter" />
</security:http>
<bean id="customAuthFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="X-MyCustomHeader"/>
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="preauthAuthProvider"
class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper"
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="userDetailsService"/>
</bean>
</property>
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>
通常,对于前端应用程序,最好不要使用基本身份验证,因为浏览器会缓存那些使这样的应用程序容易受到请求伪造(CSRF)攻击的凭据.
| 归档时间: |
|
| 查看次数: |
2514 次 |
| 最近记录: |