Spring boot and spring security multiple login pages


Problem description

@EnableWebSecurity
public class MultiHttpSecurityConfig {

@Configuration
@Order(1)
public static class App1ConfigurationAdapter extends WebSecurityConfigurerAdapter {
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests()
        .antMatchers("/my/**", "/account/**").access("hasRole('ROLE_USER') or hasRole('ROLE_ADMIN')")
        .and().formLogin().loginPage("/login");
    }
}

@Configuration
@Order(2)
public static class App2ConfigurationAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests()
        .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
        .and().formLogin().loginPage("/adminlogin");
    }
}
}

This is supposed to be two different login forms. My problem is that the one with the highest order, /adminlogin, is not displayed. Any idea why? Please help. The code is from "Spring boot - how to configure multiple login pages?"

Following Sofia's suggestion I tried this:

@Configuration
@Order(2)
public static class UserConfigurationAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .requestMatcher(new AntPathRequestMatcher("/my/**"))
        .csrf().disable()      
        .authorizeRequests().antMatchers("/my/**").access("hasRole('ROLE_USER')")
        .and().formLogin().loginPage("/login");
    }
}

@Configuration
@Order(1)
public static class AdminConfigurationAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .requestMatcher(new AntPathRequestMatcher("/admin/**"))
        .csrf().disable()      
        .authorizeRequests().antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
        .and().formLogin().loginPage("/adminlogin");
    }
}

But in both cases /login is called.

Recommended answer

I reckon that the reason why your admin login is not activating is because: first, it is NOT higher in priority.

@Order defines the sort order for an annotated component. The value is optional and represents an order value as defined in the Ordered interface. Lower values have higher priority. The default value is Ordered.LOWEST_PRECEDENCE, indicating lowest priority (losing to any other specified order value).

Second, according to HttpSecurity's Javadoc:

A HttpSecurity is similar to Spring Security's XML <http> element in the namespace configuration. It allows configuring web based security for specific http requests. By default it will be applied to all requests, but can be restricted using requestMatcher(RequestMatcher) or other similar methods.

So try restricting the HttpSecurity object to activate for your admin pages by first configuring the requestMatcher such that:

    http
      .requestMatcher(new AntPathRequestMatcher("/admin/**"))
      .csrf().disable()      
      .authorizeRequests().antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
      .and().formLogin().loginPage("/adminlogin");
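
A fuller version of the two-chain setup discussed above, as an added example that is not part of the original question or answer: each chain's matcher also covers its own login page and POST target, so the chain that redirects to a login page is also the one that processes it. It assumes the Spring Security 5.x WebSecurityConfigurerAdapter API used on this page, a UserDetailsService bean defined elsewhere, and controllers or views serving /login and /adminlogin; the class names are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example. CSRF stays at its default (enabled), so both login forms must send the _csrf token.
@EnableWebSecurity
public class MultiLoginSecurityConfig {   // hypothetical class name

    // A lower @Order value is consulted first; the first chain whose matcher accepts the request wins.
    @Configuration
    @Order(1)
    public static class AdminChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Scope this chain to the admin area and to its own login page / POST target.
                .requestMatchers().antMatchers("/admin/**", "/adminlogin").and()
                // hasRole("ADMIN") checks for the ROLE_ADMIN authority.
                .authorizeRequests().anyRequest().hasRole("ADMIN").and()
                // permitAll() opens the login page, its processing URL and the failure URL.
                .formLogin().loginPage("/adminlogin").loginProcessingUrl("/adminlogin").permitAll();
        }
    }

    @Configuration
    @Order(2)
    public static class UserChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Same idea for the user area: protected paths plus the /login page itself.
                .requestMatchers().antMatchers("/my/**", "/account/**", "/login").and()
                .authorizeRequests().anyRequest().hasAnyRole("USER", "ADMIN").and()
                .formLogin().loginPage("/login").loginProcessingUrl("/login").permitAll();
        }
    }

    // Requests matching neither chain (for example the default /logout URL) are handled by
    // neither chain; add such paths to a matcher if a chain must process them.
}
```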
