Spring boot - how to configure multiple login pages?


Problem description

With my team we have written a Spring application + SAPUI5 portal using Spring Boot. The web application is divided into three separate locations, for example:

webapp:
- app1
- app2
- app3

To get access to those applications we implemented a login page. Based on user role, we redirect users to the exact app.

My Spring application security looks like:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/app1/**/*.*")
                .permitAll()
                .antMatchers("/register.html")
                .permitAll()
                //
                .antMatchers("/app2/*.*")
                .hasRole("USER")
                //
                //
                .antMatchers("/login*")
                .permitAll()
                .antMatchers("/soap/*")
                .permitAll()
                .antMatchers("/postLogin")
                .authenticated()
                //
                .antMatchers("/app3/*")
                //.permitAll()
                .hasRole("ADMIN")
                //
                .anyRequest()
                .authenticated()
                // log in
                .and()
                .formLogin()
                .loginPage("/login")
                .failureUrl("/login?error=loginError")
                .defaultSuccessUrl("/postLogin")
                // logout
                .and().logout().logoutUrl("/**/logout")
                .logoutSuccessUrl("/login").deleteCookies("JSESSIONID").and()
                .csrf()
                .disable();
    }

And of course we have a class with redirections. Now we must provide a different login page for each app. I tried to configure Spring Security to accept multiple login forms on different pages but it doesn't work. Is it possible? I read the documentation but it is inconclusive.

Recommended answer

You should be able to do this by configuring multiple HttpSecurity objects using different instances. It is similar to this question and the Spring Security documentation here. Basically you define multiple static classes in your configuration class that extend WebSecurityConfigurerAdapter. I am using this myself to configure different types of auth (form/basic) based on the URLs and did a quick test to confirm it. I believe something like this in your example (if I am reading your intent correctly):

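import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class MultiHttpSecurityConfig {

    // No @Order: this adapter keeps the default (last) position, so its chain is
    // the catch-all for every request the App2 chain below does not claim.
    @Configuration
    public static class App1ConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .authorizeRequests()
                    .antMatchers("/app1/**/*.*")
                    .permitAll()
                    .antMatchers("/register.html")
                    .permitAll()
                    .anyRequest()
                    .authenticated()
                    // log in; permitAll() keeps the login page itself reachable
                    .and()
                    .formLogin()
                    .loginPage("/login")
                    .failureUrl("/login?error=loginError")
                    .defaultSuccessUrl("/postLogin")
                    .permitAll()
                    // logout
                    .and().logout().logoutUrl("/**/logout")
                    .logoutSuccessUrl("/login").deleteCookies("JSESSIONID").and()
                    .csrf()
                    .disable();
        }
    }

    // Checked first. requestMatchers() limits this chain to app2 and its login
    // page; without it the first chain matches every request and the other
    // chain is never consulted.
    @Configuration
    @Order(1)
    public static class App2ConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .requestMatchers()
                    .antMatchers("/app2/**", "/login2*")
                    .and()
                    .authorizeRequests()
                    .antMatchers("/app2/*.*")
                    .hasRole("USER")
                    // paths under /app2/ that the rule above misses still need a login
                    .anyRequest()
                    .authenticated()
                    // log in
                    .and()
                    .formLogin()
                    .loginPage("/login2")
                    .failureUrl("/login2?error=loginError")
                    .defaultSuccessUrl("/postLogin")
                    .permitAll()
                    // logout
                    .and().logout().logoutUrl("/**/logout")
                    .logoutSuccessUrl("/login2").deleteCookies("JSESSIONID").and()
                    .csrf()
                    .disable();
        }
    }
}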

Note that these are not really different application instances so you won't be redirected to a login if you authenticate as a certain user and then go to an area where you are not authorized.
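
A way to check the routing described above, as an added example that is not part of the original answer: a MockMvc test asserting that anonymous requests reach the login page of the area they asked for, and that an authenticated user without the required role gets a 403 rather than a login redirect. It assumes JUnit 5 with `spring-boot-starter-test` and `spring-security-test` on the classpath; the path `/app2/index.html`, the user name `alice` and the test class name are constructed for the example.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc // applies the Spring Security filter chains to MockMvc
class LoginPageRoutingTest { // hypothetical test class name

    @Autowired
    private MockMvc mvc;

    // Anonymous request into the app2 area must be sent to app2's own login page.
    // If another chain shadows the app2 chain, this redirects to /login and fails.
    @Test
    void anonymousApp2RequestRedirectsToLogin2() throws Exception {
        mvc.perform(get("/app2/index.html"))
                .andExpect(status().is3xxRedirection())
                .andExpect(redirectedUrlPattern("**/login2"));
    }

    // A protected URL outside app2 is handled by the catch-all chain and /login.
    @Test
    void anonymousOtherRequestRedirectsToLogin() throws Exception {
        mvc.perform(get("/postLogin"))
                .andExpect(status().is3xxRedirection())
                .andExpect(redirectedUrlPattern("**/login"));
    }

    // Already authenticated but lacking ROLE_USER: access is denied with 403,
    // there is no second redirect to /login2.
    @Test
    void wrongRoleGetsForbiddenNotLoginRedirect() throws Exception {
        mvc.perform(get("/app2/index.html").with(user("alice").roles("ADMIN")))
                .andExpect(status().isForbidden());
    }
}
```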
