Spring Security: Multiple HTTP Config not working
Problem description
I am trying to use Spring Security and I have a use case where I want different login pages and different sets of URLs to be secured.
Here is my configuration:
@Configuration
@Order(1)
public static class ProviderSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .antMatchers("/admin/login").permitAll()
                .antMatchers("/admin/**").access("hasRole('BASE_USER')")
                .and()
            .formLogin()
                .loginPage("/admin/login").permitAll()
                .defaultSuccessUrl("/admin/home")
                .failureUrl("/admin/login?error=true").permitAll()
                .usernameParameter("username")
                .passwordParameter("password")
                .and()
            .csrf()
                .and()
            .exceptionHandling().accessDeniedPage("/Access_Denied");
    }
}

@Configuration
@Order(2)
public static class ConsumerSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/consumer/login").permitAll()
                .antMatchers("/consumer/**").access("hasRole('BASE_USER')")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/consumer/login").permitAll()
                .defaultSuccessUrl("/consumer/home")
                .failureUrl("/consumer/login?error=true").permitAll()
                .usernameParameter("username")
                .passwordParameter("password")
                .and()
            .csrf()
                .and()
            .exceptionHandling().accessDeniedPage("/Access_Denied");
    }
}
These classes are inner classes of another class, MultipleHttpSecurityConfig, that has the annotation @EnableWebSecurity.

The security for admin/** is working fine, but none of the consumer/** pages are secured; no redirection to the login page is happening. I've searched for other answers but none worked.
Look at the Spring Security Reference:
@EnableWebSecurity
public class MultiHttpSecurityConfig {
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {           // (1)
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER").and()
                .withUser("admin").password("password").roles("USER", "ADMIN");
    }

    @Configuration
    @Order(1)                                                                  // (2)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")                                         // (3)
                .authorizeRequests()
                    .anyRequest().hasRole("ADMIN")
                    .and()
                .httpBasic();
        }
    }

    @Configuration                                                             // (4)
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin();
        }
    }
}
(1) Configure Authentication as normal.
(2) Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.
(3) The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/.
(4) Create another instance of WebSecurityConfigurerAdapter. If the URL does not start with /api/ this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).
Your second configuration is not used, because your first configuration matches /** (no antMatcher configured). And your first configuration restricts only /admin/**; all other URLs are permitted by default.