本文介绍如何使用 Spring Security 插件为 Grails 应用中的 REST API 配置基本认证(Basic Auth),包括配置文件的具体设置、排除不需要认证的路径以及通过单元测试验证认证过程。
Grails(16)Secure the REST API-Basic Auth
Here are my configuration in Config.groovy
// Added by the Spring Security Core plugin:
grails.plugins.springsecurity.userLookup.userDomainClassName = 'com.sillycat.project.security.BrandUser'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'com.sillycat.project.security.BrandUserSecurityRole'
grails.plugins.springsecurity.authority.className = 'com.sillycat.project.security.SecurityRole'
grails.plugins.springsecurity.userLookup.usernamePropertyName = 'email'
//Enable Basic Auth Filter
grails.plugins.springsecurity.useBasicAuth = true
grails.plugins.springsecurity.basic.realmName = "sillycat"
//Exclude normal controllers from basic auth filter. Just the JSON API is included
grails.plugins.springsecurity.filterChain.chainMap = [
'/location/**': 'JOINED_FILTERS,-exceptionTranslationFilter',
'/**': 'JOINED_FILTERS,-basicAuthenticationFilter,-basicExceptionTranslationFilter'
]
grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugins.springsecurity.interceptUrlMap = [
'/css/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/common.css': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/favicon.ico': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/images/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/js/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/login/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/logout/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/register/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/error/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
//'/location/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/**': ['IS_AUTHENTICATED_REMEMBERED']
]
Here I have 2 kind of configurations now, 1 is for page secure, the other is basic auth, it is for the api part.
Beside the Controller REST API action, there is a annotation
@Secured(["ROLE_USER"])
My test case will be like this to send the basic auth from the header
@Test
publicvoid testGetSuccessswithServer(){
def client = new RESTClient("http://localhost:8080")
client.auth.basic 'username', 'password'
defresponse = client.get(path: "location/1")
System.out.println(response.status)
System.out.println(response.data)
}
Or I can use POSTMAN to verify my API. There is a tab menu named Basic Auth, just put the user name and password.
The basic authority can work alone, but they can not work together.
References:
http://grails-plugins.github.com/grails-spring-security-core/docs/manual/
http://dead-knight.iteye.com/blog/1520080
Here are my configuration in Config.groovy
// Added by the Spring Security Core plugin:
grails.plugins.springsecurity.userLookup.userDomainClassName = 'com.sillycat.project.security.BrandUser'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'com.sillycat.project.security.BrandUserSecurityRole'
grails.plugins.springsecurity.authority.className = 'com.sillycat.project.security.SecurityRole'
grails.plugins.springsecurity.userLookup.usernamePropertyName = 'email'
//Enable Basic Auth Filter
grails.plugins.springsecurity.useBasicAuth = true
grails.plugins.springsecurity.basic.realmName = "sillycat"
//Exclude normal controllers from basic auth filter. Just the JSON API is included
grails.plugins.springsecurity.filterChain.chainMap = [
'/location/**': 'JOINED_FILTERS,-exceptionTranslationFilter',
'/**': 'JOINED_FILTERS,-basicAuthenticationFilter,-basicExceptionTranslationFilter'
]
grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugins.springsecurity.interceptUrlMap = [
'/css/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/common.css': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/favicon.ico': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/images/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/js/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/login/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/logout/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/register/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/error/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
//'/location/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/**': ['IS_AUTHENTICATED_REMEMBERED']
]
Here I have 2 kind of configurations now, 1 is for page secure, the other is basic auth, it is for the api part.
Beside the Controller REST API action, there is a annotation
@Secured(["ROLE_USER"])
My test case will be like this to send the basic auth from the header
@Test
publicvoid testGetSuccessswithServer(){
def client = new RESTClient("http://localhost:8080")
client.auth.basic 'username', 'password'
defresponse = client.get(path: "location/1")
System.out.println(response.status)
System.out.println(response.data)
}
Or I can use POSTMAN to verify my API. There is a tab menu named Basic Auth, just put the user name and password.
The basic authority can work alone, but they can not work together.
References:
http://grails-plugins.github.com/grails-spring-security-core/docs/manual/
http://dead-knight.iteye.com/blog/1520080
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
