Spring Boot 中的多个 WebSecurityConfigurerAdapter 用于多种模式 [英] Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns
问题描述
我正在尝试为我的项目设置多个 WebsecurityConfigurerAdapter,其中 Spring Boot 执行器 API 使用基本身份验证进行保护,所有其他端点使用 JWtAuthentication 进行身份验证.我只是无法让它一起工作,只有较低顺序的配置才有效.我正在使用 Spring Boot 2.1.5.RELEASE
I am trying to set up multiple WebsecurityConfigurerAdapter for my project where the spring boot actuator APIs are secured using basic auth and all other endpoints are authenticated using JWtAuthentication. I am just not able to make it work together, only the config with the lower order works. I am using Spring Boot 2.1.5.RELEASE
带有 JWT 身份验证器的安全配置一
Security Config One with JWT Authenticator
@Order(1)
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private static final String[] AUTH_WHITELIST = {
"/docs/**",
"/csrf/**",
"/webjars/**",
"/**swagger**/**",
"/swagger-resources",
"/swagger-resources/**",
"/v2/api-docs"
};
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(AUTH_WHITELIST).permitAll()
.antMatchers("/abc/**", "/abc/pdf/**").hasAuthority("ABC")
.antMatchers("/ddd/**").hasAuthority("DDD")
.and()
.csrf().disable()
.oauth2ResourceServer().jwt().jwtAuthenticationConverter(new GrantedAuthoritiesExtractor());
}
}
带有用户名/密码的基本身份验证配置
The basic Auth config with username/password
@Order(2)
@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
/* @Bean
public UserDetailsService userDetailsService(final PasswordEncoder encoder) {
final InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(
User
.withUsername("user1")
.password(encoder.encode("password"))
.roles("ADMIN")
.build()
);
return manager;
}
@Bean PasswordEncoder encoder(){
return new BCryptPasswordEncoder();
}*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/actuator/**").hasRole("ADMIN")
.and()
.httpBasic();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user1").password("password").authorities("ADMIN");
}
}
我已经尝试让它工作很多天了,但不能让它们一起工作.如果我交换订单,则只有基本身份验证有效,而 JWT 身份验证管理器无效.
I have been trying to make it work for many days but cannot make both of them work together. If i swap the order, only basic auth works and not the JWT Auth Manager.
我经历了很多 SOF 问题,比如
I have gone through a lot of SOF Questions, like
[Spring Boot 安全性 - 多个 WebSecurityConfigurerAdapter
[spring 中有多个 WebSecurityConfigurerAdapter 的问题-开机
[https://github.com/spring-projects/spring-security/issues/5593][1]
[https://www.baeldung.com/spring-security-multiple-entry-points][1]
似乎没有任何效果,这是 Spring 中的已知问题吗?
Nothing seems to be working, is this a known issue in Spring?
推荐答案
要使用多个 WebsecurityConfigurerAdapter
,您需要使用 RequestMatcher
.
To use multiple WebsecurityConfigurerAdapter
, you need restrict them to specific URL patterns using RequestMatcher
.
在您的情况下,您可以为 ActuatorSecurityConfig
设置更高的优先级,并将其仅限于执行器端点:
In your case you can set a higher priority for ActuatorSecurityConfig
and limit it only to actuator endpoints:
@Order(-1)
@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.requestMatchers().antMatchers("/actuator/**")
.and()
.authorizeRequests().anyRequest().hasRole("ADMIN")
.and()
.httpBasic();
}
}
这篇关于Spring Boot 中的多个 WebSecurityConfigurerAdapter 用于多种模式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!