Spring Boot + Security + Multi HTTP Web Configuration


Question

I'm trying to do an example using spring-boot with spring security. My idea is to create a web app and also provide an API, I would like to both have security; so I need to create a multi http web security configuration however it is not working.

I followed this link http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#multiple-httpsecurity but no success. And, I'm getting this error

Error creating bean with name 'webSecurityConfiguration': Injection of autowired dependencies failed; nested exception is java.lang.IllegalStateException: Cannot apply org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer to already built object

The configuration I'm using is as follows:

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableGlobalAuthentication
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfiguration {

    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("12345").roles("USER").and()
                .withUser("admin").password("12345").roles("USER", "ADMIN");
    }

    @Configuration
    @Order(1)
    public static class ApiConfigurationAdapter extends
            WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")
                .authorizeRequests()
                    .anyRequest().hasRole("ADMIN")
                    .and()
                .httpBasic();
        }
    }

    @Configuration
    @Order(2)
    public static class WebConfigurationAdapter extends
            WebSecurityConfigurerAdapter {

        @Override
        public void configure(WebSecurity web) throws Exception {
            web
                .ignoring()
                    .antMatchers("/resources/**");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                .anyRequest()
                    .authenticated()
                .and()
                    .formLogin()
                        .loginPage("/login").permitAll()
                .and()
                    .logout().permitAll();
        }
    }
}

Thanks in advance.

Recommended answer

After a lot of reading I found something that works for me:

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfiguration extends GlobalAuthenticationConfigurerAdapter {

    @Resource(name = "customUserDetailsService")
    protected CustomUserDetailsService customUserDetailsService;

    @Resource
    private DataSource dataSource;

    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(customUserDetailsService);
    }

    @Configuration
    @Order(1)
    public static class ApiConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Resource(name = "restUnauthorizedEntryPoint")
        private RestUnauthorizedEntryPoint restUnauthorizedEntryPoint;
        @Resource(name = "restAccessDeniedHandler")
        private RestAccessDeniedHandler restAccessDeniedHandler;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityXAuthConfigurerAdapter = new XAuthTokenConfigurer(
                    userDetailsServiceBean());

            // @formatter:off
            http
                .antMatcher("/api/**").csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .exceptionHandling()
                    .authenticationEntryPoint(restUnauthorizedEntryPoint)
                    .accessDeniedHandler(restAccessDeniedHandler)
                .and()
                    .authorizeRequests()
                        .antMatchers(HttpMethod.POST, "/api/authenticate").permitAll()
                        .anyRequest().hasRole("ADMIN")
                        .and()
                        .apply(securityXAuthConfigurerAdapter);
            // @formatter:on
        }
    }

    @Configuration
    @Order(2)
    public static class WebConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    .anyRequest().authenticated()
                    .and()
                    .formLogin()
                        .loginPage("/login").permitAll()
                    .and()
                    .logout().permitAll()
            ;
            // @formatter:on
        }
    }
}
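
The same two-chain layout from the question (HTTP Basic with ADMIN-only access under /api/**, form login for everything else), written as `SecurityFilterChain` beans, the style that replaced `WebSecurityConfigurerAdapter` (deprecated in Spring Security 5.7, removed in 6.0). This is an added example, not code from the question or the answer. It assumes Spring Security 6.x; the class name and the passwords are placeholders, and users are declared as a `UserDetailsService` bean, so no `AuthenticationManagerBuilder` wiring is involved.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig { // hypothetical class name

    // Users are a plain bean; the placeholder passwords are stored encoded, not in clear text.
    @Bean
    UserDetailsService users() {
        PasswordEncoder enc = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        return new InMemoryUserDetailsManager(
            User.withUsername("user").password(enc.encode("placeholder-1")).roles("USER").build(),
            User.withUsername("admin").password(enc.encode("placeholder-2")).roles("USER", "ADMIN").build());
    }

    // Consulted first (@Order(1)): only requests under /api/** enter this chain.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/api/**")
            .authorizeHttpRequests(a -> a.anyRequest().hasRole("ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // No securityMatcher: handles every request the API chain did not claim.
    @Bean
    @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(a -> a
                .requestMatchers("/", "/home").permitAll()
                .anyRequest().authenticated())
            .formLogin(f -> f.loginPage("/login").permitAll())
            .logout(l -> l.permitAll());
        return http.build();
    }
}
```

Only the first chain whose matcher fits a request is applied, so the narrower `/api/**` chain must carry the lower `@Order` value; otherwise the catch-all chain would shadow it.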
