Creating multiple HTTP sections in Spring Security Java Config


Problem description

Using Spring Security XML configuration, you can define multiple HTTP elements to specify different access rules for different parts of your application. The example given in 8.6 Advanced Namespace Configuration defines separate stateful and stateless sections of the application, with the former using sessions and form login, and the latter using no sessions and BASIC authentication:

<!-- Stateless RESTful service using Basic authentication -->
<http pattern="/restful/**" create-session="stateless">
    <intercept-url pattern='/**' access='ROLE_REMOTE' />
    <http-basic />
</http>

<!-- Empty filter chain for the login page -->
<http pattern="/login.htm*" security="none"/>

<!-- Additional filter chain for normal users, matching all other requests -->
<http>
    <intercept-url pattern='/**' access='ROLE_USER' />
    <form-login login-page='/login.htm' default-target-url="/home.htm"/>
    <logout />
</http>

I can't figure out how to do the same thing with Java Config. It's important that I disable sessions and use a different entry point for my web services. Right now I have the following:

@Override
public void configure(WebSecurity security)
{
    security.ignoring().antMatchers("/resource/**", "/favicon.ico");
}

@Override
protected void configure(HttpSecurity security) throws Exception
{
    security
            .authorizeRequests()
                .anyRequest().authenticated()
            .and().formLogin()
                .loginPage("/login").failureUrl("/login?loginFailed")
                .defaultSuccessUrl("/ticket/list")
                .usernameParameter("username")
                .passwordParameter("password")
                .permitAll()
            .and().logout()
                .logoutUrl("/logout").logoutSuccessUrl("/login?loggedOut")
                .invalidateHttpSession(true).deleteCookies("JSESSIONID")
                .permitAll()
            .and().sessionManagement()
                .sessionFixation().changeSessionId()
                .maximumSessions(1).maxSessionsPreventsLogin(true)
                .sessionRegistry(this.sessionRegistryImpl())
            .and().and().csrf()
                .requireCsrfProtectionMatcher((r) -> {
                    String m = r.getMethod();
                    return !r.getServletPath().startsWith("/services/") &&
                            ("POST".equals(m) || "PUT".equals(m) ||
                                    "DELETE".equals(m) || "PATCH".equals(m));
                });
}

Using this I was able to disable CSRF protection for my web services. But I really need a whole separate HTTP configuration so that I can disable sessions and specify a different entry point. I know I can use requestMatcher or requestMatchers to restrict the URIs that it applies to, but it doesn't appear that you can use this to create separate configurations. It's almost like I need two configure(HttpSecurity security) methods.

Recommended answer

In Spring Security, to mimic the behavior of multiple <http> elements from XML in Java config, create multiple classes for security configuration. In general, it is best/easiest to create a common security configuration with multiple inner classes for the security definition for HttpSecurity. See here for a sample.

And here is the related section in the official Spring Security documentation:
5.7 Multiple HttpSecurity
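
One way to lay out the separate configurations the answer describes, applied to the /services/ path from the question. This is an added example, not the answerer's or the Spring project's own code; the class names are hypothetical, and it assumes the WebSecurityConfigurerAdapter API used in the question with users configured elsewhere.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Hypothetical class names; user details / AuthenticationManager are assumed to be defined elsewhere.
@EnableWebSecurity
public class MultiHttpSecurityConfig {

    // Chain 1: stateless web services. @Order(1) makes this chain be consulted first;
    // two adapters that share the same order fail at startup.
    @Configuration
    @Order(1)
    public static class ServicesSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/services/**")      // this chain only handles /services/**
                .authorizeRequests()
                    .anyRequest().authenticated()
                .and().httpBasic()               // 401 + WWW-Authenticate instead of a login redirect
                .and().sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().csrf().disable();         // the question already exempted /services/ from CSRF
        }
    }

    // Chain 2: every other request, with sessions, form login and default CSRF protection.
    @Configuration
    public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                .and().formLogin()
                    .loginPage("/login").failureUrl("/login?loginFailed")
                    .permitAll()
                .and().logout()
                    .logoutUrl("/logout").logoutSuccessUrl("/login?loggedOut")
                    .permitAll()
                .and().sessionManagement()
                    .sessionFixation().changeSessionId();
        }
    }
}
```

With the services chain split out, the custom requireCsrfProtectionMatcher from the question is no longer needed on the form-login chain. WebSecurityConfigurerAdapter was removed in Spring Security 6; there the same split is expressed as two SecurityFilterChain beans, with securityMatcher in place of antMatcher.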
