带有会话+ CSRF&的Spring Boot网络应用没有CSRF的无状态基本身份验证 [英] Spring Boot web app w/ both session + CSRF & stateless Basic Auth w/o CSRF
问题描述
我正在尝试建立一个基于Spring Boot的Web服务器,该服务器同时支持基于会话的安全UI,包括CSRF保护和通过基本身份验证进行身份验证且不需要CSRF的无状态访问.我尝试支持的两个用例是一个标准的AngularJS UI和一个对每个请求进行身份验证的简单REST api.
I'm trying to stand up a Spring Boot based web server that supports both a secured session-based UI, including CSRF protection and stateless access that is authenticated via basic auth and does not require CSRF. The two use cases I'm trying to support are a standard AngularJS UI and a simple REST api that authenticates on every request.
有人知道如何配置吗?我已经看到了很多使用一个或另一个但没有同时使用的示例.
Does anyone know how to configure this? I've seen lots of examples of using one or the other, but not both together.
推荐答案
所以我终于再次回到研究这个问题,结果发现解决方案几乎和我预期的一样简单.解决方案是具有两个WebSecurityConfigurerAdapter
类.此处描述如下:
So I finally got back to looking into this question again and it turns out the solution is nearly as simple as I expected. The solution is to have two WebSecurityConfigurerAdapter
classes. This is described here:
http://docs .spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#multiple-httpsecurity
执行此操作时要注意的两件事是
Two things to be aware of when doing this are:
-
WebSecurityConfigurerAdapter
类必须具有不同的@Order
值.因此,我用@Order(1)
注释了其中一个,在处理HTTP请求时强制首先对其进行评估.在我的情况下,哪一个首先并不重要,它们必须有所不同. - 这两个
HttpSecurity
配置需要应用于不同的URL.通过对每个值使用antMatcher()
值来完成此操作.假设提供给@RequestMapping
的值可以是一个URL数组,仍然有可能只有一个REST控制器方法来处理对这两个URL的请求.
- The
WebSecurityConfigurerAdapter
classes must have different@Order
value. So I annotated one of them with@Order(1)
, forcing that one to be evaluated first when processing HTTP requests. In my case it doesn't really matter which one is first, they just have to be different. - The two
HttpSecurity
configurations need to apply to different URLs. This is done by usingantMatcher()
values for each one. Given that the value provided to@RequestMapping
can be an array of URLs, it's still possible to have just a single REST controller method handling requests to both URLs.
所以它们在这里:
@Configuration
@EnableWebSecurity
@Order(1)
public class APISecurityConfig extends WebSecurityConfigurerAdapter {
@Override
@Order(1)
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/api/**")
.authorizeRequests()
.anyRequest().fullyAuthenticated().and()
.httpBasic().and()
.csrf().disable();
}
}
还有
@Configuration
@EnableWebSecurity
public class UISecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/ui/**").authenticated();
}
}
这篇关于带有会话+ CSRF&的Spring Boot网络应用没有CSRF的无状态基本身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!