Multiple WebSecurityConfigurerAdapter in Spring Boot for multiple patterns

Question
I am trying to set up multiple WebSecurityConfigurerAdapter for my project, where the Spring Boot actuator APIs are secured using basic auth and all other endpoints are authenticated using JWT authentication. I am just not able to make it work together; only the config with the lower order works. I am using Spring Boot 2.1.5.RELEASE.
Security Config One with JWT Authenticator

    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Order(1)
    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        // Documentation endpoints that are served without authentication
        private static final String[] AUTH_WHITELIST = {
            "/docs/**",
            "/csrf/**",
            "/webjars/**",
            "/**swagger**/**",
            "/swagger-resources",
            "/swagger-resources/**",
            "/v2/api-docs"
        };

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers(AUTH_WHITELIST).permitAll()
                .antMatchers("/abc/**", "/abc/pdf/**").hasAuthority("ABC")
                .antMatchers("/ddd/**").hasAuthority("DDD")
                .and()
                .csrf().disable()
                // GrantedAuthoritiesExtractor is the project's own Converter<Jwt, AbstractAuthenticationToken>
                .oauth2ResourceServer().jwt().jwtAuthenticationConverter(new GrantedAuthoritiesExtractor());
        }
    }
The basic auth config with username/password

    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.factory.PasswordEncoderFactories;
    import org.springframework.security.crypto.password.PasswordEncoder;

    @Order(2)
    @Configuration
    public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
        /* @Bean
        public UserDetailsService userDetailsService(final PasswordEncoder encoder) {
            final InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
            manager.createUser(
                User
                    .withUsername("user1")
                    .password(encoder.encode("password"))
                    .roles("ADMIN")
                    .build()
            );
            return manager;
        }

        @Bean PasswordEncoder encoder() {
            return new BCryptPasswordEncoder();
        } */

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers("/actuator/**").hasRole("ADMIN")
                .and()
                .httpBasic();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Spring Security 5 rejects an unencoded password ("There is no PasswordEncoder
            // mapped for the id null"), and hasRole("ADMIN") above checks for the authority
            // ROLE_ADMIN, which roles("ADMIN") grants and authorities("ADMIN") would not.
            PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
            auth.inMemoryAuthentication()
                .passwordEncoder(encoder)
                .withUser("user1").password(encoder.encode("password")).roles("ADMIN");
        }
    }
I have been trying to make it work for many days but cannot make both of them work together. If I swap the order, only basic auth works and not the JWT Auth Manager.
I have gone through a lot of SOF questions, like

Spring Boot Security - multiple WebSecurityConfigurerAdapter
https://github.com/spring-projects/spring-security/issues/5593
https://www.baeldung.com/spring-security-multiple-entry-points
Nothing seems to be working; is this a known issue in Spring?

Answer
To use multiple WebSecurityConfigurerAdapter instances, you need to restrict them to specific URL patterns using RequestMatcher.

In your case you can set a higher priority for ActuatorSecurityConfig and limit it only to actuator endpoints:
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Order(-1)
    @Configuration
    public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // requestMatchers() scopes this whole filter chain to /actuator/**;
                // every other request falls through to the next chain in @Order
                .requestMatchers().antMatchers("/actuator/**")
                .and()
                .authorizeRequests().anyRequest().hasRole("ADMIN")
                .and()
                .httpBasic();
        }
    }
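The two chains side by side, as an added example rather than the asker's or the answerer's code: the actuator chain claims only management requests, the JWT chain is the catch-all and therefore carries the higher @Order value. It goes one step beyond the answer by using Boot's EndpointRequest matcher instead of a hard-coded "/actuator/**" and by denying paths that match none of the rules; class names other than ActuatorSecurityConfig are made up for the example.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Chain 1: consulted first (lowest @Order value) and claims only actuator requests.
// http.requestMatcher(...) scopes the whole filter chain; authorizeRequests() on its
// own only decides authorization inside a chain that still matches every URL.
@Order(1)
@Configuration
class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // EndpointRequest follows management.endpoints.web.base-path, so the rule
            // survives a change of the default /actuator prefix. The user store must
            // grant roles("ADMIN") for hasRole("ADMIN") to pass.
            .requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests().anyRequest().hasRole("ADMIN")
            .and()
            .httpBasic();
    }
}

// Chain 2: the catch-all for the API (hypothetical name). It must carry the higher
// @Order value; a catch-all placed first swallows every request and chain 1 is never
// reached, which is exactly the symptom described in the question. In a project each
// @Configuration class lives in its own file.
@Order(2)
@Configuration
class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
    private static final String[] AUTH_WHITELIST = {
        "/docs/**", "/swagger-resources/**", "/v2/api-docs"
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers(AUTH_WHITELIST).permitAll()
                .antMatchers("/abc/**").hasAuthority("ABC")
                .antMatchers("/ddd/**").hasAuthority("DDD")
                // Without this rule a path matched by none of the patterns above is
                // let through unauthenticated; deny by default instead.
                .anyRequest().authenticated()
            .and()
            .oauth2ResourceServer().jwt();
    }
}
```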