用于基本身份验证和表单登录的Spring Security配置 [英] Spring Security configuration for Basic Authentication and Form Login
问题描述
我正在处理的应用程序中的Spring Bean方法有两种调用方式:
通过AngularJS和
Spring MVC控制器(窗体登录)或使用SOAP (基本身份验证)。
A Spring Bean methods in an application I'm working on are being called in two ways:
through AngularJS and
Spring MVC controller(Form login) or by using SOAP(Basic Authentication).
为此,我为CXF servlet设置了以下配置:
To allow this I have setup the following configuration for the CXF servlet:
@Configuration
public class CxfConfiguration {
@Autowired
private ApplicationContext applicationContext;
@Bean
public ServletRegistrationBean dispatcherServletSOAP() {
return new ServletRegistrationBean(new CXFServlet(), "/soap/*");
}
@Bean(name= Bus.DEFAULT_BUS_ID)
public SpringBus springBus() {
return new SpringBus();
}
@Bean
public Endpoint documentEndpoint(){
Bus bus = (Bus) applicationContext.getBean(Bus.DEFAULT_BUS_ID);
DocumentService implementor = new DocumentServiceImpl();
EndpointImpl endpoint = new EndpointImpl(bus, implementor);
endpoint.publish("/document");
return endpoint;
}
和安全配置:
@Configuration
@Order(1)
public static class SOAPSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.httpBasic()
.and()
.antMatcher("/soap/**")
.authorizeRequests()
.anyRequest()
.hasRole("USER");
}
}
@Configuration
@Order(2)
public static class HTTPSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/soap/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
}
}
我意识到这不是一个很好的配置
I realize that this isn't a very good configuration as there are several cases in which from the browser or SOAP UI, things don't work as expected.
我的问题是:什么是实现的好方法?在某些情况下,从浏览器或SOAP UI来看,事情无法按预期进行。基于这些要求的安全性,我是否在此配置上步入正轨?
My questions would be: what would be a good way to implement security based on these requirements and am I on the right track with this configuration?
此外,我正在使用Spring Boot 1.3.2和Apache CXF 3.1.4
Also, I'm using Spring Boot 1.3.2 and Apache CXF 3.1.4
推荐答案
我最终得到了这个有效的配置:
I finally ended up with this configuration that works:
@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig {
@Configuration
@Order(1)
public static class SOAPWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().ignoringAntMatchers("/soap/**")
.and()
.antMatcher("/soap/**")
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic()
.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().requestCache().disable();
}
}
@Configuration
public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login").permitAll()
.and()
.logout().permitAll();
}
}
}
这篇关于用于基本身份验证和表单登录的Spring Security配置的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!