Multiple WebSecurityConfigurerAdapter in Spring Boot for multiple patterns


Problem description

I am trying to set up multiple WebSecurityConfigurerAdapter classes for my project, where the Spring Boot Actuator APIs are secured using basic auth and all other endpoints are authenticated using JWT authentication. I am just not able to make them work together; only the config with the lower order works. I am using Spring Boot 2.1.5.RELEASE.

Security config one, with the JWT authenticator:

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Order(1)
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    private static final String[] AUTH_WHITELIST = {
            "/docs/**",
            "/csrf/**",
            "/webjars/**",
            "/**swagger**/**",
            "/swagger-resources",
            "/swagger-resources/**",
            "/v2/api-docs"
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // No requestMatchers() here: this filter chain matches every request, so
        // whichever adapter has the lower @Order value ends up handling all URLs.
        http.authorizeRequests()
                .antMatchers(AUTH_WHITELIST).permitAll()
                .antMatchers("/abc/**", "/abc/pdf/**").hasAuthority("ABC")
                .antMatchers("/ddd/**").hasAuthority("DDD")
                .and()
                .csrf().disable()
                // GrantedAuthoritiesExtractor is the project's own JWT-to-authorities converter (not shown)
                .oauth2ResourceServer().jwt().jwtAuthenticationConverter(new GrantedAuthoritiesExtractor());
    }
}

The basic auth config with username/password:

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Order(2)
@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

/*    @Bean
    public UserDetailsService userDetailsService(final PasswordEncoder encoder) {
        final InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(
                User
                        .withUsername("user1")
                        .password(encoder.encode("password"))
                        .roles("ADMIN")
                        .build()
        );
        return manager;
    }

    @Bean PasswordEncoder encoder(){
        return new BCryptPasswordEncoder();
    }*/

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/actuator/**").hasRole("ADMIN")
                .and()
                .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // hasRole("ADMIN") checks for the authority "ROLE_ADMIN", so the user needs
        // roles("ADMIN") rather than authorities("ADMIN"). The "{noop}" prefix tells
        // Spring Security 5's DelegatingPasswordEncoder the password is stored unencoded.
        auth.inMemoryAuthentication().withUser("user1").password("{noop}password").roles("ADMIN");
    }
}

I have been trying to make it work for many days but cannot make both of them work together. If I swap the order, only basic auth works and not the JWT auth manager.

I have gone through a lot of SOF questions, like:

Spring Boot Security - Multiple WebSecurityConfigurerAdapter

Issue with multiple WebSecurityConfigurerAdapter in spring-boot

https://github.com/spring-projects/spring-security/issues/5593

https://www.baeldung.com/spring-security-multiple-entry-points

Nothing seems to be working; is this a known issue in Spring?

Recommended answer

To use multiple WebSecurityConfigurerAdapter classes, you need to restrict them to specific URL patterns using RequestMatcher.

In your case you can set a higher priority for ActuatorSecurityConfig and limit it to the actuator endpoints only:

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Order(-1)
@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                // Scope this entire filter chain to /actuator/**; any other request
                // falls through to the next adapter (the JWT config at @Order(1)).
                .requestMatchers().antMatchers("/actuator/**")
                .and()
                // Within this chain every request needs the "ROLE_ADMIN" authority.
                .authorizeRequests().anyRequest().hasRole("ADMIN")
                .and()
                .httpBasic();
    }
}
