Spring Security: Multiple HTTP Config not working
Problem description
I am trying to use Spring Security and I have a use case where I want different login pages and different sets of URLs to be secured.
Here is my configuration:
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class MultipleHttpSecurityConfig {

    @Configuration
    @Order(1)
    public static class ProviderSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // No http.antMatcher(...) call: this HttpSecurity is matched for every request
            http
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    .antMatchers("/admin/login").permitAll()
                    .antMatchers("/admin/**").access("hasRole('BASE_USER')")
                    .and()
                .formLogin()
                    .loginPage("/admin/login").permitAll()
                    .defaultSuccessUrl("/admin/home")
                    .failureUrl("/admin/login?error=true").permitAll()
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .and()
                .csrf()
                    .and()
                .exceptionHandling().accessDeniedPage("/Access_Denied");
        }
    }

    @Configuration
    @Order(2)
    public static class ConsumerSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Also no http.antMatcher(...) call
            http
                .authorizeRequests()
                    .antMatchers("/consumer/login").permitAll()
                    .antMatchers("/consumer/**").access("hasRole('BASE_USER')")
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/consumer/login").permitAll()
                    .defaultSuccessUrl("/consumer/home")
                    .failureUrl("/consumer/login?error=true").permitAll()
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .and()
                .csrf()
                    .and()
                .exceptionHandling().accessDeniedPage("/Access_Denied");
        }
    }
}
These classes are inner classes of another class, MultipleHttpSecurityConfig, that has the annotation @EnableWebSecurity.
The security for /admin/** is working fine, but none of the /consumer/** pages are secured; no redirection to the login page is happening. I've searched for other answers but none worked.
Look at the Spring Security Reference:
@EnableWebSecurity
public class MultiHttpSecurityConfig {
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {  // (1)
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER").and()
                .withUser("admin").password("password").roles("USER", "ADMIN");
    }

    @Configuration
    @Order(1)                                                                          // (2)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")                                                   // (3)
                .authorizeRequests()
                    .anyRequest().hasRole("ADMIN")
                    .and()
                .httpBasic();
        }
    }

    @Configuration                                                                     // (4)
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin();
        }
    }
}

(1) Configure authentication as normal.
(2) Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.
(3) The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/.
(4) Create another instance of WebSecurityConfigurerAdapter. If the URL does not start with /api/, this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).
Your second configuration is not used, because your first configuration matches /**. And your first configuration restricts only /admin/**, all other URLs are permitted by default.
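The configuration below is an added example that applies the answer's point to the question's setup; it is not code from the question, the answer or the Spring Security reference. It assumes Spring Security 5.x (WebSecurityConfigurerAdapter was deprecated in 5.7 and removed in 6.0), in-memory users named provider and consumer (chosen for the example) carrying the BASE_USER role that the question's access expressions refer to, and the "{noop}" password-encoder prefix that Spring Security 5's DelegatingPasswordEncoder understands. Each HttpSecurity is scoped with http.antMatcher so the first chain no longer swallows every request. The third chain is a caveat the answer does not mention: when no SecurityFilterChain matches a request, FilterChainProxy applies no security filters to it at all, so a scoped-only setup fails open for any path outside /admin/** and /consumer/**. The catch-all chain with the lowest precedence closes that gap and is where the public pages from the question belong.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class MultipleHttpSecurityConfig {

    // Assumed for the example: two in-memory users with the BASE_USER role from the
    // question. "{noop}" marks the password as stored unencoded; use BCrypt or
    // another real encoder outside of a demo.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("provider").password("{noop}provider-pw").roles("BASE_USER").and()
            .withUser("consumer").password("{noop}consumer-pw").roles("BASE_USER");
    }

    // Chain 1: only requests under /admin/** are routed to this HttpSecurity.
    @Configuration
    @Order(1)
    public static class ProviderSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/admin/**")                // the line missing from the question
                .authorizeRequests()
                    .antMatchers("/admin/login").permitAll()
                    .anyRequest().hasRole("BASE_USER")  // everything else under /admin/**
                    .and()
                .formLogin()
                    .loginPage("/admin/login").permitAll()
                    .defaultSuccessUrl("/admin/home")
                    .failureUrl("/admin/login?error=true")
                    .and()
                .csrf()
                    .and()
                .exceptionHandling().accessDeniedPage("/Access_Denied");
        }
    }

    // Chain 2: only requests under /consumer/** are routed to this HttpSecurity.
    @Configuration
    @Order(2)
    public static class ConsumerSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/consumer/**")
                .authorizeRequests()
                    .antMatchers("/consumer/login").permitAll()
                    .anyRequest().hasRole("BASE_USER")
                    .and()
                .formLogin()
                    .loginPage("/consumer/login").permitAll()
                    .defaultSuccessUrl("/consumer/home")
                    .failureUrl("/consumer/login?error=true")
                    .and()
                .csrf()
                    .and()
                .exceptionHandling().accessDeniedPage("/Access_Denied");
        }
    }

    // Chain 3: no antMatcher, so it catches every request the first two chains do not.
    // Without it such requests would bypass Spring Security entirely (no chain matched
    // means no filters are applied). Public pages are listed explicitly; anything else
    // is denied, which turns a routing mistake into a visible 403 instead of open access.
    @Configuration
    @Order(3)
    public static class CatchAllSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    .anyRequest().denyAll()
                    .and()
                .csrf();
        }
    }
}
```

Order is significant: FilterChainProxy picks the first chain whose request matcher accepts the request, so the two scoped chains must carry lower @Order values than the catch-all one. A quick check after deploying is to request an unauthenticated URL outside both prefixes (for example /anything) and confirm it returns 403 rather than the controller's response.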