Spring Boot web app w/ both session + CSRF & stateless Basic Auth w/o CSRF


Question

I'm trying to stand up a Spring Boot based web server that supports both a secured session-based UI, including CSRF protection and stateless access that is authenticated via basic auth and does not require CSRF. The two use cases I'm trying to support are a standard AngularJS UI and a simple REST api that authenticates on every request.

Does anyone know how to configure this? I've seen lots of examples of using one or the other, but not both together.

Answer

So I finally got back to looking into this question again and it turns out the solution is nearly as simple as I expected. The solution is to have two WebSecurityConfigurerAdapter classes. This is described here:

http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#multiple-httpsecurity

Two things to be aware of when doing this are:

  1. The WebSecurityConfigurerAdapter classes must have different @Order values. So I annotated one of them with @Order(1), forcing that one to be evaluated first when processing HTTP requests. In my case it doesn't really matter which one is first, they just have to be different.
  2. The two HttpSecurity configurations need to apply to different URLs. This is done by using antMatcher() values for each one. Given that the value provided to @RequestMapping can be an array of URLs, it's still possible to have just a single REST controller method handling requests to both URLs.

So here they are:

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@Order(1)   // evaluated before UISecurityConfig, which keeps the default (lowest) precedence
public class APISecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // This filter chain only claims requests under /api/**; everything else
        // falls through to the next WebSecurityConfigurerAdapter.
        http.antMatcher("/api/**")
                .authorizeRequests()
                .anyRequest().fullyAuthenticated().and()   // no remember-me access to the API
                .httpBasic().and()                          // credentials are sent on every request
                .csrf().disable();                          // no cookie-based session to forge here
    }
}

And:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class UISecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // No antMatcher() here, so this chain handles every request the API chain
        // did not claim. CSRF protection stays enabled (Spring Security's default).
        http.authorizeRequests()
                .antMatchers("/ui/**").authenticated();
    }
}
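As an added example that is not part of the original answer, here is the same two-adapter layout carried a step further: the API chain is made genuinely stateless (so Basic Auth never produces a session cookie that a later CSRF attack could ride on), the UI chain gets a login form and hands the CSRF token to AngularJS through a readable XSRF-TOKEN cookie, and both chains share one user store. It assumes Spring Boot 1.5/2.x with Spring Security 4.1 or later (CookieCsrfTokenRepository.withHttpOnlyFalse() does not exist in the 3.2.x release the answer links to, and WebSecurityConfigurerAdapter itself is deprecated from Spring Security 5.7). The package name, user names, passwords and role names are made-up sample values.

```java
// Added example, not the original answer's code. Assumes Spring Boot 1.5/2.x and
// Spring Security 4.1+ (WebSecurityConfigurerAdapter is deprecated from 5.7).
package com.example.security; // hypothetical package name

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // One shared user store feeds both filter chains. The users and passwords are
    // constructed sample values; a real deployment would use a persistent UserDetailsService.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder(); // same singleton, via the CGLIB-enhanced config class
        auth.inMemoryAuthentication().passwordEncoder(encoder)
                .withUser("ui-user").password(encoder.encode("ui-password")).roles("USER")
                .and()
                .withUser("api-client").password(encoder.encode("api-secret")).roles("API");
    }

    // Evaluated first: claims only /api/**. Everything else falls through to the UI chain.
    @Configuration
    @Order(1)
    public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")
                    .authorizeRequests().anyRequest().hasRole("API").and()
                    .httpBasic().and()
                    // Never create or read an HTTP session for API calls: each request must
                    // carry its own Authorization header, and no session cookie is ever issued.
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                    // CSRF only matters when the browser attaches credentials automatically
                    // (cookies). With no session cookie on this chain, disabling it is safe.
                    .csrf().disable();
        }
    }

    // Default (lowest) precedence: handles every request the API chain did not claim.
    @Configuration
    public static class UiSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                        .antMatchers("/ui/**").authenticated()
                        .anyRequest().permitAll().and()
                    .formLogin().and()
                    .logout().and()
                    // CSRF stays enabled. The token is exposed in a non-HttpOnly XSRF-TOKEN
                    // cookie so AngularJS's $http can echo it back in the X-XSRF-TOKEN header;
                    // a cross-site page cannot read that cookie, so it cannot forge the header.
                    .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        }
    }
}
```

Three quick checks confirm the split is doing what it should: an unauthenticated GET to any /api/ path must return 401 with a WWW-Authenticate: Basic header and no Set-Cookie (the stateless chain issued no session); a state-changing request to /ui/ from a logged-in browser session that omits the X-XSRF-TOKEN header must return 403; and a valid Basic Auth call to /api/ must succeed without any cookie at all, which proves the API chain is not silently falling back to the UI chain's session handling.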
