IT源码网

java之Spring安全吃Angularjs POST请求

lvdongjie 2024年11月24日 程序员 109 0

使用 Spring Security 自定义登录表单时,我从 UI 传递的参数在 HttpServletRequest 中无法访问。

class StatelessLoginFilter extends AbstractAuthenticationProcessingFilter { 
 
    private final TokenAuthenticationService tokenAuthenticationService; 
    private final CustomJDBCDaoImpl userDetailsService; 
 
    protected StatelessLoginFilter(String urlMapping, TokenAuthenticationService tokenAuthenticationService, 
            CustomJDBCDaoImpl userDetailsService, AuthenticationManager authManager) { 
        super(new AntPathRequestMatcher(urlMapping)); 
        this.userDetailsService = userDetailsService; 
        this.tokenAuthenticationService = tokenAuthenticationService; 
        setAuthenticationManager(authManager); 
    } 
 
    @Override 
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) 
            throws AuthenticationException, IOException, ServletException { 
 
                final UsernamePasswordAuthenticationToken loginToken = new UsernamePasswordAuthenticationToken( 
                request.getAttribute("email").toString(), request.getAttribute("password").toString()); 
        return getAuthenticationManager().authenticate(loginToken); 
    } 
 
    @Override 
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, 
            FilterChain chain, Authentication authentication) throws IOException, ServletException { 
 
        final UserDetails authenticatedUser = userDetailsService.loadUserByUsername(authentication.getName()); 
        final UserAuthentication userAuthentication = new UserAuthentication(authenticatedUser); 
 
        tokenAuthenticationService.addAuthentication(response, userAuthentication); 
        SecurityContextHolder.getContext().setAuthentication(userAuthentication); 
    } 
} 

在 AttemptAuthentication 方法中,请求未采用我使用以下代码从 POST 请求传递的属性:

 var request = $http.post('/verifyUser',  
       {email: 'user', password: 'user',_csrf: $cookies['XSRF-TOKEN']}) 

我尝试使用调试器控制台跟踪它,发现有效负载填充了我转发的元素。

{"email":"user","password":"user","_csrf":"f1d88246-28a0-4e64-a988-def4cafa5004"}

我的安全配置是:

http 
                .exceptionHandling().and() 
                .anonymous().and() 
                .servletApi().and() 
                .headers().cacheControl().and() 
                .authorizeRequests() 
 
                //allow anonymous resource requests 
                .antMatchers("/").permitAll()                
                //allow anonymous POSTs to login 
                .antMatchers(HttpMethod.POST, "/verifyUser").permitAll() 
                .and() 
                  .formLogin().loginPage("/signin") 
                .permitAll() 
                .and() 
 
                .addFilterBefore(new StatelessLoginFilter("/verifyUser", new TokenAuthenticationService("456abc"), new CustomJDBCDaoImpl() , authenticationManager()), UsernamePasswordAuthenticationFilter.class) 
 
 
                .addFilterBefore(new StatelessAuthenticationFilter(new TokenAuthenticationService("456abc")), UsernamePasswordAuthenticationFilter.class).httpBasic() 
                         .and().csrf().disable().addFilterBefore(new CSRFFilter(), CsrfFilter.class); 

编辑#1

我还尝试使用 getParameter("email") 而不是 getAttribute("email"),但是此时整个参数映射也为空。

编辑#2:添加请求内容

Remote Address:127.0.0.1:80 
Request URL:http://localhost/api/verifyUser/ 
Request Method:POST 
Status Code:502 Bad Gateway 
Response Headers 
view source 
Connection:keep-alive 
Content-Length:583 
Content-Type:text/html 
Date:Sun, 11 Oct 2015 17:23:24 GMT 
Server:nginx/1.6.2 (Ubuntu) 
Request Headers 
view source 
Accept:application/json, text/plain, */* 
Accept-Encoding:gzip, deflate 
Accept-Language:en-US,en;q=0.8 
Connection:keep-alive 
Content-Length:81 
Content-Type:application/x-www-form-urlencoded 
Cookie:XSRF-TOKEN=f1d88246-28a0-4e64-a988-def4cafa5004 
Host:localhost 
Origin:http://localhost 
Referer:http://localhost/ui/ 
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 
X-XSRF-TOKEN:f1d88246-28a0-4e64-a988-def4cafa5004 
Form Data 
view source 
view URL encoded 
{"email":"user","password":"user"}: 

请您参考如下方法:

您想要的电子邮件密码数据是参数,而不是属性。 ServletRequest 中的属性只是服务器端数据,您可以在应用程序中使用它们在类之间或 JSP 之间传递数据。

注意:您必须使用内容类型 application/x-www-form-urlencoded 并确保请求正文以正确的格式编码才能在服务器端使用 getParameter,例如电子邮件=用户&密码=用户

默认情况下,Angular 会将对象编码为 JSON

Transforming Requests and Responses

Angular provides the following default transformations:

Request transformations ($httpProvider.defaults.transformRequest and $http.defaults.transformRequest):

If the data property of the request configuration object contains an object, serialize it into JSON format.

另请参阅How do I POST urlencoded form data with $http in AngularJS?

Difference between getAttribute() and getParameter()


评论关闭
IT源码网

微信公众号号:IT虾米 (左侧二维码扫一扫)欢迎添加!