Spring boot + Spring Security:如何压制基本的auth表单

Question

美好的一天.

我在Spring启动自动配置应用程序的上下文中使用Spring安全性.我的目标是设置基本身份验证,以便标准浏览器的基本身份验证表单不会显示在401上.从Google我发现要实现它,我需要将默认的"WWW-Authenticate"标题更改为不同于"基本xxxxx".

为此,我宣布了一个过滤器:

@Bean
@Order(Integer.MAX_VALUE)
public Filter customAuthFilter() {
    return new Filter() {

        @Override
        public void init(FilterConfig fc) throws ServletException {
        }

        @Override
        public void doFilter(ServletRequest sreq, ServletResponse sresp, FilterChain fc) throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) sreq;
            HttpServletResponse resp = (HttpServletResponse) sresp;

            fc.doFilter(req, resp);
            log.info("filter");
            log.info("status " + resp.getStatus());
            if(resp.getStatus() == 401) {
                resp.setHeader("WWW-Authenticate", "Client-driven");
            }
        }

        @Override
        public void destroy() {
        }
    };

从日志中我看到我的过滤器已成功识别应用程序并参与处理响应(我看到来自doFilter的日志消息).但是,浏览器收到的实际响应仍然包含标准的"WWW-Authenticate"标题.似乎有人凌挑我的标题,我不知道究竟是谁.

有人可以给个建议吗？

Answer 1

使用自定义EntryPoint解决了这个问题:

protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/rest/**").authenticated()
            .and().httpBasic().authenticationEntryPoint(new AuthenticationEntryPoint() {
                @Override
                public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
                    String requestedBy = request.getHeader("X-Requested-By");
                    log.info("X-Requested-By: " + requestedBy);
                    if(requestedBy == null || requestedBy.isEmpty()) {
                        HttpServletResponse httpResponse = (HttpServletResponse) response;
                        httpResponse.addHeader("WWW-Authenticate", "Basic realm=Cascade Realm");
                        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
                    } else {
                        HttpServletResponse httpResponse = (HttpServletResponse) response;
                        httpResponse.addHeader("WWW-Authenticate", "Application driven");
                        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
                    }
                }
            });
}