您应该避免使用默认org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
,因为它从您的请求的参数中获取客户端提供的用户名和密码,您确实需要从头文件中获取它们。
所以,你应该写一个自定义AuthenticationFilter
延伸简称UsernamePasswordAuthenticationFilter
改变其行为,以满足您的要求:
public class HeaderUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
/**
*
*/
public HeaderUsernamePasswordAuthenticationFilter() {
super();
this.setFilterProcessesUrl("/**");
this.setPostOnly(false);
}
/* (non-Javadoc)
* @see org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#obtainPassword(javax.servlet.http.HttpServletRequest)
*/
@Override
protected String obtainPassword(HttpServletRequest request) {
return request.getHeader(this.getPasswordParameter());
}
/* (non-Javadoc)
* @see org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#obtainUsername(javax.servlet.http.HttpServletRequest)
*/
@Override
protected String obtainUsername(HttpServletRequest request) {
return request.getHeader(this.getPasswordParameter());
}
}
这个过滤器例子扩展org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
倾听每一个请求,并从头,而不是parameters
得到username
和password
。
那么你应该更改配置这样,在UsernamePasswordAuthenticationFilter
位置设置你的过滤器:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilterAt(
new HeaderUsernamePasswordAuthenticationFilter(),
UsernamePasswordAuthenticationFilter.class)
.authorizeRequests()
.antMatchers("/index.html").permitAll()
.antMatchers("/swagger-ui.html").hasRole("ADMIN")
.anyRequest().authenticated();
}
你的意思是用'Authentication'基本身份验证头? – dur
你的意思是什么HTTP头,头的名称是什么? – dur