提供配置弹簧安全性的方法？ [英] Providing way to configure spring security?

问题描述

是否可以以从外部文件读取配置详细信息并相应配置的方式配置Spring安全性。

Is it possible to configure spring security in a way that it reads configuration details from external file and configures accordingly.

（我没有考虑在运行时更改配置。我说的是在启动时从文件中读取）

(I am not taking about changing config at runtime. I am talking about reading from a file at the time of startup)

我现有的 Sporing安全配置的示例是：

An example of my existing Sporing security config is:

@EnableWebSecurity
@Configuration
public class SecurityConfig {

    @Bean                                                             
    public UserDetailsService userDetailsService() throws Exception {
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(User.withUsername("user").password("userPass").roles("USER").build());
        manager.createUser(User.withUsername("admin").password("adminPass").roles("ADMIN").build());
        return manager;
    }


    @Configuration
    @Order(1)                                                        
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override       
        public void configure(AuthenticationManagerBuilder auth) 
          throws Exception {            
            auth.inMemoryAuthentication().withUser("user").password("user").roles("USER");
            auth.inMemoryAuthentication().withUser("admin").password("admin").roles("ADMIN");
        }

        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/v1/**")                               
                .authorizeRequests()
                .antMatchers("/api/v1/**").authenticated()
                    .and()
                .httpBasic();
        }
    }

    @Configuration
    @Order(2)
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Override       
        public void configure(AuthenticationManagerBuilder auth) 
          throws Exception {

            auth.inMemoryAuthentication().withUser("user1").password("user").roles("USER");
            auth.inMemoryAuthentication().withUser("admin1").password("admin").roles("ADMIN");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/test/**")
                .authorizeRequests()
                .antMatchers("/api/test/**").authenticated()
                    .and()
                .formLogin();
        }
    }
}

如你所见，我我正在使用多个配置（看看 Order（）注释）。我希望能够做的是在启动次数和配置类型时决定。示例第一个客户端可能希望有2个配置，例如 LdapConfig 和 SamlConfig 。其他人可能想要 LdapConfig 和 SqlConfig ，第三个可能需要4-5个配置。是否可以这样做？

As you can see, I am using multiple configurations (have a look at Order() annotation). What I want to be able to do is decide at the time of startup number and types of configuration. Example first client may want to have 2 configs e.g.LdapConfig and SamlConfig. Other may want LdapConfig and SqlConfig and third may want 4-5 configs. Is it possible to do that?

注意：我没有使用Spring Boot

NOTE: I am not using Spring Boot

编辑

我为什么这样做的总结：

Summary of why I wnat it this way:

By 客户我指的是将购买我的产品的公司。 用户是指购买我产品的公司的实际最终用户。所以我把产品运到了3家公司。首先将其配置为 ldap auth flow 和 google-oauth2 auth flow 。第一家公司的用户将看到包含这两个选项的登录页面。公司2现在可能有 ldap auth flow 和 saml auth flow ，该公司的用户将看到这两个选项。该公司正在启动之前选择可用的选项。

By customer I mean the company that will be buying my product. And by users I mean the actual end users of the company that bought my product. So I shipped the product to 3 companies. First will configure it to have ldap auth flow and google-oauth2 auth flow. Users of this first company will be seeing a login page with these 2 options. Company 2 now might have a ldap auth flow and saml auth flow and users of that company will be seeing those 2 options. And the company is selecting the available options before startup.

推荐答案

可以使用Springs @Conditional 注释。

Selective loading of components can be achived with Springs @Conditional annotation.

配置如下所示：

@Configuration(value = "some.security.config")
@Conditional(value = LoadSecurityConfigCondition.class)
public class SomeSecurityConfig {
  // some code
}

@Configuration(value = "other.security.config")
@Conditional(value = LoadSecurityConfigCondition.class)
public class OtherSecurityConfig {
  // other code
}

然后， LoadSecurityConfigCondition.class 决定组件是否已加载：

Then, the LoadSecurityConfigCondition.class decides if the components are loaded:

@Component
public class LoadSecurityConfigCondition implements Condition {

  @Override
  public boolean matches(final ConditionContext context, final AnnotatedTypeMetadata metadata) {
    boolean enabled = false;

    if (metadata.isAnnotated(Configuration.class.getName())) {
      final String name = (String) metadata.getAnnotationAttributes(Configuration.class.getName()).get("value");
      if (StringUtils.isNotBlank(name)) {
        /* Here you may load your config file and 
         * retrieve the information on wether to load 
         * the config identified by its name.
         */
        enabled = ...;
      }
    }
    return enabled;
  }
}

在此示例中，现在可以创建配置条目使用 @Configuration 名称，后缀为 .enabled 以阐明其目的：

In this example, the config entries can now be created with the @Configuration name, postfixed with .enabled to clarify its purpose:

some.security.config.enabled=true
other.security.config.enabled=false

这篇关于提供配置弹簧安全性的方法？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！