Spring Security: Multiple HTTP Config not working

Problem description

I am trying to use Spring Security and I have a use case where I want different login pages and different set of URLs to be secured.

Here is my configuration:

@Configuration
@Order(1)
public static class ProviderSecurity extends WebSecurityConfigurerAdapter{
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .antMatchers("/admin/login").permitAll()
                .antMatchers("/admin/**").access("hasRole('BASE_USER')")
                .and()
            .formLogin()
                .loginPage("/admin/login").permitAll()
                .defaultSuccessUrl("/admin/home")
                .failureUrl("/admin/login?error=true").permitAll()
                .usernameParameter("username")
                .passwordParameter("password")
                .and()
            .csrf()                    
                .and()
            .exceptionHandling().accessDeniedPage("/Access_Denied");            
    }
}


@Configuration
@Order(2)
public static class ConsumerSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/consumer/login").permitAll()
                .antMatchers("/consumer/**").access("hasRole('BASE_USER')")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/consumer/login").permitAll()
                .defaultSuccessUrl("/consumer/home")
                .failureUrl("/consumer/login?error=true").permitAll()
                .usernameParameter("username")
                .passwordParameter("password")
                .and().csrf()                
                .and()
            .exceptionHandling().accessDeniedPage("/Access_Denied");
    }
}

These classes are inner classes of another class MultipleHttpSecurityConfig that has annotation @EnableWebSecurity.

The security for admin/** is working fine, but none of the consumer/** pages are secured; no redirection to the login page is happening. I've searched for other answers but none worked.

Solution

Look at the Spring Security Reference:

@EnableWebSecurity
public class MultiHttpSecurityConfig {
  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) { 1
      auth
          .inMemoryAuthentication()
              .withUser("user").password("password").roles("USER").and()
              .withUser("admin").password("password").roles("USER", "ADMIN");
  }

  @Configuration
  @Order(1)                                                        2
  public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
      protected void configure(HttpSecurity http) throws Exception {
          http
              .antMatcher("/api/**")                               3
              .authorizeRequests()
                  .anyRequest().hasRole("ADMIN")
                  .and()
              .httpBasic();
      }
  }    

  @Configuration                                                   4
  public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

      @Override
      protected void configure(HttpSecurity http) throws Exception {
          http
              .authorizeRequests()
                  .anyRequest().authenticated()
                  .and()
              .formLogin();
      }
  }
}

1 Configure Authentication as normal

2 Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.

3 The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/.

4 Create another instance of WebSecurityConfigurerAdapter. If the URL does not start with /api/ this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).

Your second configuration is not used, because your first configuration matches /** (no antMatcher configured). And your first configuration restricts only /admin/**, all other URLs are permitted by default.
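Applying the reference pattern to the question's own two adapters, as an added example (not the answerer's or the asker's code): each adapter is scoped with http.antMatcher(...) so the /admin/** and /consumer/** chains no longer overlap, and a third adapter with no @Order (which defaults to last) handles everything else. The paths, the BASE_USER role and the enclosing class name come from the question; the /admin/logout and /consumer/logout paths are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: the asker's two adapters corrected as the answer describes.
@EnableWebSecurity
public class MultipleHttpSecurityConfig {

    // Considered first. Because of antMatcher, only requests under /admin/**
    // ever enter this chain; everything else falls through to the next adapter.
    @Configuration
    @Order(1)
    public static class ProviderSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/admin/**")
                .authorizeRequests()
                    .antMatchers("/admin/login").permitAll()
                    .anyRequest().hasRole("BASE_USER")   // same as access("hasRole('BASE_USER')")
                    .and()
                .formLogin()
                    // loginPage also becomes the login processing URL, so the POST stays inside /admin/**
                    .loginPage("/admin/login").permitAll()
                    .defaultSuccessUrl("/admin/home")
                    .failureUrl("/admin/login?error=true")
                    .and()
                .logout()
                    // the default /logout is outside /admin/**, so give this chain its own (assumed path)
                    .logoutUrl("/admin/logout")
                    .logoutSuccessUrl("/admin/login")
                    .and()
                // CSRF protection is on by default; no explicit csrf() call is needed to keep it
                .exceptionHandling().accessDeniedPage("/Access_Denied");
        }
    }

    // Considered second; only /consumer/** reaches this chain.
    @Configuration
    @Order(2)
    public static class ConsumerSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/consumer/**")
                .authorizeRequests()
                    .antMatchers("/consumer/login").permitAll()
                    .anyRequest().hasRole("BASE_USER")
                    .and()
                .formLogin()
                    .loginPage("/consumer/login").permitAll()
                    .defaultSuccessUrl("/consumer/home")
                    .failureUrl("/consumer/login?error=true")
                    .and()
                .logout()
                    .logoutUrl("/consumer/logout")        // assumed path, see above
                    .logoutSuccessUrl("/consumer/login")
                    .and()
                .exceptionHandling().accessDeniedPage("/Access_Denied");
        }
    }

    // No @Order, so it is ordered last: the catch-all for every request the two
    // scoped chains skipped. The public pages from the question live here, and
    // anything unlisted requires authentication instead of being permitted by default.
    @Configuration
    public static class DefaultSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/home", "/Access_Denied").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin();
        }
    }
}
```

The check that matters is per request: GET /consumer/home is now rejected by the first chain's antMatcher, accepted by the second, and redirected to /consumer/login, while GET /admin/home is handled entirely by the first chain. Without the antMatcher on the first adapter, the original configuration sent every request through that chain and, since it only restricted /admin/**, let the rest pass. In Spring Security 5.7 and later WebSecurityConfigurerAdapter is deprecated and the same scoping is expressed with @Bean SecurityFilterChain methods and http.securityMatcher(...) in Spring Security 6, but the first-match-wins ordering rule is unchanged.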
