Spring multiple authentication methods for different api endpoints


Problem description

I want to check for different authentication methods for different endpoints. The methods I want to use are x509 and JWT. I need to use only x509 for a certain endpoint and use JWT for all other requests.

Here's my web security configuration:

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                .antMatchers("/api/transaction/testf").authenticated().and()
                .x509()
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .userDetailsService(new X509UserDetailsService())
                ;
        }
    }

    @Configuration
    @Order(2)
    public static class ApiTokenSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers("/oauth/token", "/api/dealer/login").permitAll()
                .and()
                .authorizeRequests()
                .anyRequest()
                .authenticated()
                ;
        }

    }
}

This configuration only checks the /api/transaction/testf endpoint for an x509 certificate and allows all other endpoints to respond. I need the other endpoints to return 503 without a JWT token.

Recommended answer

You have two filter chains. Neither of them has an entry point pattern properly configured with http.antMatcher. That means they are both configured to use /** as their entry point pattern.

For example:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().fullyAuthenticated();
    }

is the same as saying:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/**")
            .authorizeRequests()
                .anyRequest().fullyAuthenticated();
    }

What we are saying here is:

  1. http - the security filter chain
  2. http.antMatcher - the entry point to the security filter chain
  3. http.authorizeRequests - start of my endpoint access restrictions
  4. http.authorizeRequests.antMatchers - list of URLs with specific access

So what you need to do is change your @Order(1) filter chain to narrow down the pattern. For example: http.antMatcher("/api/transaction/**")

Your configuration would now look like:


    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter{

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/transaction/**") //customized entry point
                .authorizeRequests()
                .antMatchers("/api/transaction/testf").authenticated().and()
                .x509()
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .userDetailsService(new X509UserDetailsService())
                ;
        }
    }

    @Configuration
    @Order(2)
    public static class ApiTokenSecurityConfig extends WebSecurityConfigurerAdapter{

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/**") // this is the default
                .authorizeRequests()
                .antMatchers("/oauth/token", "/api/dealer/login").permitAll()
                .and()
                .authorizeRequests()
                .anyRequest()
                .authenticated()
                ;
        }
    }

With your existing configuration the filter chain named ApiWebSecurityConfig will trap all calls. The other filter chain, ApiTokenSecurityConfig, is never used.

You can see the same thing in: Spring Security: Make RESTful API basic authentication available only through a single endpoint
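As an added example (not code from the original question or answer), the same two-chain layout written against the SecurityFilterChain bean API that replaced WebSecurityConfigurerAdapter, where securityMatcher() is the chain entry point the answer describes and the second chain actually validates the Bearer JWT, which the answer's configuration does not do. It assumes Spring Security 6, the asker's X509UserDetailsService class on the classpath, and a JWT issuer configured through the standard resource server properties; a request without a valid token is answered with 401 by the resource server support.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Chain 1: only requests under /api/transaction/** enter this chain.
    // securityMatcher() plays the role antMatcher() plays in the answer:
    // it is the entry point of the chain, not an access rule.
    @Bean
    @Order(1)
    SecurityFilterChain transactionChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/transaction/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .x509(x509 -> x509
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                // X509UserDetailsService is the asker's own class (assumed on the classpath)
                .userDetailsService(new X509UserDetailsService()))
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }

    // Chain 2: no securityMatcher, so its entry point is the default "/**".
    // It must be ordered after the narrower chain or it would trap every request.
    @Bean
    @Order(2)
    SecurityFilterChain jwtChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/oauth/token", "/api/dealer/login").permitAll()
                .anyRequest().authenticated())
            // Bearer JWT validation; a missing or invalid token is answered with 401.
            // Assumes spring.security.oauth2.resourceserver.jwt.issuer-uri (or jwk-set-uri) is set.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }
}
```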
