Creating multiple HTTP sections in Spring Security Java Config


Problem description

Using Spring Security XML configuration, you can define multiple HTTP elements to specify different access rules for different parts of your application. The example given in 8.6 Advanced Namespace Configuration defines separate stateful and stateless sections of the application, with the former using sessions and form login, and the latter using no sessions and BASIC authentication:

<!-- Stateless RESTful service using Basic authentication -->
<http pattern="/restful/**" create-session="stateless">
    <intercept-url pattern='/**' access='ROLE_REMOTE' />
    <http-basic />
</http>

<!-- Empty filter chain for the login page -->
<http pattern="/login.htm*" security="none"/>

<!-- Additional filter chain for normal users, matching all other requests -->
<http>
    <intercept-url pattern='/**' access='ROLE_USER' />
    <form-login login-page='/login.htm' default-target-url="/home.htm"/>
    <logout />
</http>

I can't figure out how to do the same thing with Java Config. It's important that I disable sessions and use a different entry point for my web services. Right now I have the following:

@Override
public void configure(WebSecurity security)
{
    security.ignoring().antMatchers("/resource/**", "/favicon.ico");
}

@Override
protected void configure(HttpSecurity security) throws Exception
{
    security
            .authorizeRequests()
                .anyRequest().authenticated()
            .and().formLogin()
                .loginPage("/login").failureUrl("/login?loginFailed")
                .defaultSuccessUrl("/ticket/list")
                .usernameParameter("username")
                .passwordParameter("password")
                .permitAll()
            .and().logout()
                .logoutUrl("/logout").logoutSuccessUrl("/login?loggedOut")
                .invalidateHttpSession(true).deleteCookies("JSESSIONID")
                .permitAll()
            .and().sessionManagement()
                .sessionFixation().changeSessionId()
                .maximumSessions(1).maxSessionsPreventsLogin(true)
                .sessionRegistry(this.sessionRegistryImpl())
            .and().and().csrf()
                .requireCsrfProtectionMatcher((r) -> {
                    String m = r.getMethod();
                    return !r.getServletPath().startsWith("/services/") &&
                            ("POST".equals(m) || "PUT".equals(m) ||
                                    "DELETE".equals(m) || "PATCH".equals(m));
                });
}

Using this I was able to disable CSRF protection for my web services. But I really need a whole separate HTTP configuration so that I can disable sessions and specify a different entry point. I know I can use requestMatcher or requestMatchers to restrict the URIs that it applies to, but it doesn't appear that you can use this to create separate configurations. It's almost like I need two configure(HttpSecurity security) methods.

Recommended answer

In Spring Security, to mimic the behavior of multiple <http> elements from XML in Java config, create multiple classes for security configuration. In general, it is best/easiest to create a common security configuration with multiple inner classes for the security definition for HttpSecurity. See here for a sample.

And here is the related section in the official Spring Security documentation:
5.7 Multiple HttpSecurity
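
The multiple-inner-class layout the answer describes, as an added example that is not part of the original answer or of the Spring documentation. It assumes the WebSecurityConfigurerAdapter API used in the question, the /services/ path from the question's CSRF matcher, the ROLE_REMOTE authority from the XML sample, and user/authentication setup defined elsewhere; the class names are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@EnableWebSecurity
public class MultiHttpSecurityConfig {   // hypothetical class name

    // Filter chain 1: consulted first, applies only to /services/**.
    // Stateless, HTTP Basic (which installs its own entry point), no CSRF tokens.
    @Configuration
    @Order(1)
    public static class ServicesSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/services/**")   // limits this whole chain to the web services
                .authorizeRequests()
                    .anyRequest().hasAuthority("ROLE_REMOTE")   // assumed authority name
                .and().httpBasic()
                .and().sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().csrf().disable();
        }
    }

    // Filter chain 2: no matcher, so it handles every request chain 1 did not claim.
    // Session-based form login; CSRF protection stays at its default (enabled).
    @Configuration
    @Order(2)
    public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                .and().formLogin()
                    .loginPage("/login").permitAll()
                .and().logout()
                    .logoutUrl("/logout").permitAll();
        }
    }
}
```

A request is handled by the first chain whose matcher accepts it, so the catch-all chain needs the higher @Order value; placed first, it would apply the form-login and session rules to /services/** as well.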
