如何允许“/api/**"通过我的基本身份验证配置并进入 Spring Security 中的 oauth 配置 [英] How to allow "/api/**" through my basic auth config and into my oauth config in Spring Security

问题描述

我有一个同时使用 Basic Auth 和 OAuth2 的应用.

I have an app that uses both Basic Auth and OAuth2.

部分 URL 使用 Basic Auth 授权，/api/**"使用 OAuth2 授权.

Some URLs are authorized using Basic Auth and "/api/**" is authorized using OAuth2.

目前，我有两个 Java 配置文件(WebSecurityConfigurerAdapter 和 ResourceServerConfigurerAdapter)

Currently, I have two Java config files (WebSecurityConfigurerAdapter and ResourceServerConfigurerAdapter)

每个配置文件都定义了一个 public void configure(HttpSecurity http) 方法.

Each of the config files define a public void configure(HttpSecurity http) method.

我遇到的问题是我需要一种优雅的方式来告诉我的应用程序是使用基本身份验证还是 oauth2 给定 url 请求.

The trouble I'm having is that I need an elegant way to tell my app whether to use basic auth or oauth2 given the url request.

目前我正在使用 requestMatchers 来实现这一点:

Currently I'm using requestMatchers to make this happen:

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
  @Override
  protected void configure(HttpSecurity http) throws Exception
  {
    http
      .csrf().disable()
    .requestMatchers()
      .antMatchers("/*", "/login/**", "/reviews/**")
    .and()
    .authorizeRequests()
      .antMatchers("/*").permitAll()
      .antMatchers("/js/**").permitAll()
      .antMatchers("/img/**").permitAll()
    .formLogin()
      .loginPage("/login")
      .successHandler(loginSuccessPostHandler)
      .permitAll()
      .and()
    .logout()
      .logoutSuccessUrl("/").permitAll()
      .and()
    .apply(getSpringSocialConfigurer());
  }
}

@Configuration
public class OAuth2ServerConfig
{
  @Configuration
  @EnableResourceServer
  protected static class Oauth2ServerConfig extends ResourceServerConfigurerAdapter
  {
    @Override
    public void configure(HttpSecurity http) throws Exception
    {
      http.httpBasic().disable();
      http.csrf().disable();

      http.requestMatchers()
        .antMatchers("/api/**")
        .and()
      .authorizeRequests()
        .antMatchers("/api/v1/**").access("#oauth2.hasScope('read')");  
    }
  }
}

问题是，每次我添加一个不是/api/**"的新 URL 时，我都需要将它添加到我的 WebSecurityConfig 的 requestMatcher 部分中......这可以将来会导致愚蠢的错误.

The problem is that every time I add a new URL that's NOT "/api/**", I'll need to add it into my WebSecurityConfig's requestMatcher section... this could lead to silly bugs in the future.

有没有办法基于负前瞻正则表达式进行 requestMatcher 搜索?我使用正则表达式尝试了这个: ^(?!/api) 但由于它实际上并不返回 MATCH 而只返回find == true"，它似乎没有得到工作完成.

Is there a way to have a requestMatcher search based on a negative lookahead regex? I tried this using the regex: ^(?!/api) but since it doesn't actually return a MATCH and only returns a "find == true", it doesn't seem to get the job done.

有什么想法/建议吗?

推荐答案

您可以使用 NegatedRequestMatcher:

一个RequestMatcher，它将否定传入的RequestMatcher.例如，如果传入的RequestMatcher 返回true，则NegatedRequestMatcher 将返回false.如果传入的 RequestMatcher 返回 false，则 NegatedRequestMatcher 将返回 true.

A RequestMatcher that will negate the RequestMatcher passed in. For example, if the RequestMatcher passed in returns true, NegatedRequestMatcher will return false. If the RequestMatcher passed in returns false, NegatedRequestMatcher will return true.

这篇关于如何允许“/api/**"通过我的基本身份验证配置并进入 Spring Security 中的 oauth 配置的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！