Spring Boot: Authenticating both a Stateless REST API and a Stateful "Login" Web Controller in the same project?


Problem description

So I have an application that contains a REST API which is used by a custom Java application on an IoT device with no user interaction. And I also have a web app which needs a stateful session for maintaining user login.

Is it possible to use Spring Security to authenticate requests to my API and web controller differently? What form of authentication should I be using for the REST API?

Answer

One way to achieve what you are looking for is to have two configurations in your Spring Security setup, e.g.

Pay attention to antMatcher (matcher, not matchers). The antMatcher controls the set of URLs your entire config applies to, i.e. FormLoginWebSecurityConfigurerAdapter in the example below will apply only to URIs matching /api/test/**. Of course, you can define the antMatcher in only one of the configs, say config1, and the other config in that case will be a catch-all (i.e. it catches everything that does not match config1).

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@EnableWebSecurity
@Configuration
public class SecurityConfig {

    // Evaluated first: everything under /api/v1/** is stateless and uses HTTP Basic.
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            // The {noop} prefix is required by the DelegatingPasswordEncoder that Spring Security 5+
            // uses by default (drop it on Spring Security 4). Plain-text passwords are for demonstration only.
            auth.inMemoryAuthentication().withUser("user").password("{noop}user").roles("USER");
            auth.inMemoryAuthentication().withUser("admin").password("{noop}admin").roles("ADMIN");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/v1/**")                       // this whole config applies only to /api/v1/**
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // never create an HttpSession
                    .and()
                .authorizeRequests()
                    .antMatchers("/api/v1/**").authenticated()
                    .and()
                .httpBasic();
        }
    }

    // Evaluated second: form login backed by a server-side session for /api/test/**.
    @Configuration
    @Order(2)
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication().withUser("user1").password("{noop}user").roles("USER");
            auth.inMemoryAuthentication().withUser("admin1").password("{noop}admin").roles("ADMIN");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/test/**")                     // this whole config applies only to /api/test/**
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED) // session created on login
                    .and()
                .authorizeRequests()
                    .antMatchers("/api/test/**").authenticated()
                    .and()
                .formLogin();
        }
    }
}
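The same split expressed in the SecurityFilterChain style that replaced WebSecurityConfigurerAdapter (deprecated in Spring Security 5.7, removed in 6.0), as an added example that is not part of the original answer. The class name SplitSecurityConfig, the separate device and human account stores, the DEVICE role, the sample usernames and the /login and /css/** public paths are assumptions for illustration. Besides the ordering and catch-all behaviour described in the answer, it shows two things the answer's code leaves out: CSRF protection disabled only on the stateless chain (a device sending a POST with Basic credentials would otherwise receive 403) and left on for the session-based chain, and a password encoder so that no plain-text credentials are stored.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SplitSecurityConfig {

    // Delegating encoder: stored hashes carry an {id} prefix (e.g. {bcrypt}), never plain text.
    private final PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

    // Chain 1 (evaluated first): the device-facing REST API under /api/v1/**.
    // securityMatcher() plays the role of antMatcher() in the answer: it scopes the whole chain.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/v1/**")
            .userDetailsService(deviceAccounts())          // credential store used only by this chain
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("DEVICE"))
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())                  // no session cookie, so no CSRF surface to protect
            .httpBasic(Customizer.withDefaults());         // credentials sent on every request; TLS only
        return http.build();
    }

    // Chain 2 (catch-all): no securityMatcher, so it receives every request chain 1 did not claim.
    @Bean
    @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http
            .userDetailsService(humanAccounts())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/css/**").permitAll()   // hypothetical public paths
                .anyRequest().authenticated())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED))
            .formLogin(Customizer.withDefaults())          // CSRF stays enabled: this chain has a session
            .logout(Customizer.withDefaults());
        return http.build();
    }

    // Constructed sample accounts. Give each physical device its own credential so that a
    // compromised unit can be revoked without rotating a secret shared by the whole fleet.
    private UserDetailsService deviceAccounts() {
        return new InMemoryUserDetailsManager(
            User.withUsername("device-0001")
                .password(encoder.encode("device-secret"))
                .roles("DEVICE")
                .build());
    }

    private UserDetailsService humanAccounts() {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice")
                .password(encoder.encode("alice-password"))
                .roles("USER")
                .build());
    }
}
```

Ordering is the part to get right: if the catch-all chain carried @Order(1) it would claim /api/v1/** as well, and an unauthenticated device request would be redirected to the login page instead of being challenged with a Basic auth 401. Keeping the device accounts in a separate store also means a leaked device credential cannot be used to log in to the web application, and vice versa.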
