How can I disable spring form based login for RESTful endpoints?
Question
I have spring-security configured using basic and form based authentication as per auto-config='true'.
I would like the endpoints under /api/** to NOT use form based security. Other endpoints outside of /api/** should use form based login. I would like a 401 response sent to any call to the endpoints under /api/** that did not provide credentials.
UPDATE: Thanks to Luke Taylor's comment below I have come up with the following solution.
NOTE: This technique can only be applied as of spring-security 3.1.
First I single out /api/**. We never create a session, though we use one if available; this is handled by create-session="never" and the use of <session-management/>.
<http pattern="/api/**" create-session="never" use-expressions="true">
    <http-basic />
    <session-management />
    <intercept-url pattern="/api/**" access="hasRole('API_ACCESS')"/>
</http>

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/" access="permitAll"/>
    <intercept-url pattern="/**" access="isAuthenticated()"/>
</http>
Recommended answer
With Spring Security 3.1, your best option is to split the restful and non-restful parts of your application into separate filter chains by using two separate <http> elements. The restful API chain can then be configured to be stateless and use basic authentication, while the default chain can use a normal form-login configuration.
You would then have something like:
<http pattern="/api/**" create-session="stateless">
    <intercept-url pattern="/api/**" access="ROLE_API_USER" />
    <http-basic />
</http>

<!-- No pattern attribute, so defaults to matching any request -->
<http>
    <intercept-url pattern="/**" access="ROLE_USER" />
    <form-login />
</http>
The chain definitions must be ordered from most specific pattern to most general, so the default chain comes last.
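The same two-chain layout expressed in Spring Security Java config, which became available in 3.2, as an added example that is not part of the original question or answer; the role names and the WebSecurityConfigurerAdapter style (Spring Security 3.2 through 5.x) are assumptions:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class SplitChainSecurityConfig {

    // Chain 1: the REST API. @Order(1) puts it ahead of the default adapter
    // (whose implicit order is 100), mirroring "most specific pattern first".
    @Configuration
    @Order(1)
    public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // antMatcher scopes this whole chain, like pattern="/api/**"
                .antMatcher("/api/**")
                // equivalent of create-session="stateless": never read or write a session
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                // hasRole("API_USER") is checked as authority ROLE_API_USER (assumed role name)
                .authorizeRequests().anyRequest().hasRole("API_USER")
                .and()
                // <http-basic/>: the Basic entry point answers unauthenticated calls with
                // 401 plus a WWW-Authenticate header instead of redirecting to a login page
                .httpBasic();
        }
    }

    // Chain 2: no antMatcher, so it matches every remaining request (the
    // default chain) and keeps the ordinary form-login behaviour.
    @Configuration
    public static class FormSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests().anyRequest().hasRole("USER")
                .and()
                .formLogin();
        }
    }
}
```

A quick check that the split works is an unauthenticated request to a path under /api/, which should now return 401 with a WWW-Authenticate: Basic header, while the same request to any other path still gets the form-login redirect.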