Can we load different security configuration based on Mediatype, i.e. one for REST and one for web?


Problem description

I have developed a regular Spring MVC application and want to add some REST controllers for developing a mobile application. I have written the REST controllers and multiple Spring Security configurations.

The problem is that they are in precedence, hence both are loaded at once, and the whole application breaks down. I want to use one based upon what type of request it is getting; for example, if I am requesting from Postman, the REST API security configuration should work, and if we are using the web, the web security configuration should work.

Here is my implementation. I don't know how to achieve that; please suggest what the right way of doing this is. Separating the whole Thymeleaf and MVC controller and moving altogether with Angular is not possible at this stage.

Please note that we have all REST APIs defined in /v1/ap1/** and all other MVC parts are in /**

Any comments or suggestions would be much appreciated; it has been killing my days for 3 days. Thanks in advance.

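    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig {
        // ... other code

        // First chain (@Order(1)). It has no request matcher, so it applies to every request.
        @Configuration
        @Order(1)
        public static class RestAPISecurity extends WebSecurityConfigurerAdapter {
            // ... other code
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                    .authorizeRequests()
                    .antMatchers("/api/signin/**").permitAll()
                    .antMatchers("/api/v1/**").hasAnyAuthority("ADMIN", "USER")
                    .antMatchers("/api/users/**").hasAuthority("ADMIN")
                    .antMatchers("/api/v1/**").authenticated()
                    .antMatchers("/login", "/logout", "/register", "/j_spring_security_check").permitAll()
                    .anyRequest().authenticated()
                    .and().exceptionHandling().authenticationEntryPoint(customAuthenticationEntryPoint).accessDeniedHandler(new CustomAccessDeniedHandler());
            }
            // ... other code
        }

        // Second chain (@Order(2)).
        @Configuration
        @Order(2)
        public static class MVCSecurityConfiguration extends WebSecurityConfigurerAdapter {
            // ... other code
            // form login and other MVC stuff
        }
    }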

Recommended answer

You can add a request matcher for the first Spring Security filter chain, and everything else goes to the second chain.

    protected void configure(HttpSecurity http) throws Exception {
        http.requestMatcher(httpServletRequest -> {
              String userAgent = httpServletRequest.getHeader("User-Agent");
              // If you want to check based on content type
              String contentType = httpServletRequest.getContentType();

              // Check what value Postman sends as user agent and use it.
              // The header can be absent, so guard against null.
              return userAgent != null && userAgent.contains("....");
            })
            .sessionManagement()
            // ... rest of the chain configuration
            ;
    }
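As an added example (not code from the question or the answer): the question's own rules put the REST endpoints under `/api/...`, so the first chain can also be scoped by path with `antMatcher`, which does not depend on a header the client controls. The `/api/**` prefix, the class names, and the `HttpStatusEntryPoint` used in place of the asker's custom handlers are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;

@Configuration
@EnableWebSecurity
public class PathScopedSecurityConfig {   // hypothetical class name

    // Chain 1: consulted first, but only claims requests under /api/** (assumed prefix).
    // CSRF handling and the API's own authentication filter are not shown.
    @Configuration
    @Order(1)
    public static class RestApiSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")   // chain scope: the URL, not a client-supplied header
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                    .antMatchers("/api/signin/**").permitAll()
                    .antMatchers("/api/users/**").hasAuthority("ADMIN")
                    .antMatchers("/api/v1/**").hasAnyAuthority("ADMIN", "USER")
                    .anyRequest().authenticated()
                .and()
                // Unauthenticated API calls get a 401 instead of a redirect to a login page.
                .exceptionHandling()
                    .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
        }
    }

    // Chain 2: no matcher, so it handles every request chain 1 did not claim.
    @Configuration
    @Order(2)
    public static class MvcSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/login", "/register").permitAll()
                    .anyRequest().authenticated()
                .and().formLogin().permitAll()
                .and().logout().permitAll();
        }
    }
}
```

Spring Security uses the first chain whose matcher accepts the request, so the path-scoped chain must keep the lower `@Order` value and the catch-all chain must come last.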
