提供配置弹簧安全性的方法? [英] Providing way to configure spring security?
问题描述
是否可以以从外部文件读取配置详细信息并相应配置的方式配置Spring安全性。
Is it possible to configure spring security in a way that it reads configuration details from external file and configures accordingly.
(我没有考虑在运行时更改配置。我说的是在启动时从文件中读取)
(I am not taking about changing config at runtime. I am talking about reading from a file at the time of startup)
我现有的 Sporing安全配置的示例是:
An example of my existing Sporing security config is:
@EnableWebSecurity
@Configuration
public class SecurityConfig {
@Bean
public UserDetailsService userDetailsService() throws Exception {
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withUsername("user").password("userPass").roles("USER").build());
manager.createUser(User.withUsername("admin").password("adminPass").roles("ADMIN").build());
return manager;
}
@Configuration
@Order(1)
public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Override
public void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.inMemoryAuthentication().withUser("user").password("user").roles("USER");
auth.inMemoryAuthentication().withUser("admin").password("admin").roles("ADMIN");
}
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/api/v1/**")
.authorizeRequests()
.antMatchers("/api/v1/**").authenticated()
.and()
.httpBasic();
}
}
@Configuration
@Order(2)
public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
public void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.inMemoryAuthentication().withUser("user1").password("user").roles("USER");
auth.inMemoryAuthentication().withUser("admin1").password("admin").roles("ADMIN");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/api/test/**")
.authorizeRequests()
.antMatchers("/api/test/**").authenticated()
.and()
.formLogin();
}
}
}
如你所见,我我正在使用多个配置(看看 Order()
注释)。我希望能够做的是在启动次数和配置类型时决定。示例第一个客户端可能希望有2个配置,例如 LdapConfig
和 SamlConfig
。其他人可能想要 LdapConfig
和 SqlConfig
,第三个可能需要4-5个配置。是否可以这样做?
As you can see, I am using multiple configurations (have a look at Order()
annotation). What I want to be able to do is decide at the time of startup number and types of configuration. Example first client may want to have 2 configs e.g.LdapConfig
and SamlConfig
. Other may want LdapConfig
and SqlConfig
and third may want 4-5 configs. Is it possible to do that?
注意:我没有使用Spring Boot
NOTE: I am not using Spring Boot
编辑
我为什么这样做的总结:
Summary of why I wnat it this way:
By 客户我指的是将购买我的产品的公司。 用户是指购买我产品的公司的实际最终用户。所以我把产品运到了3家公司。首先将其配置为 ldap auth flow 和 google-oauth2 auth flow 。第一家公司的用户将看到包含这两个选项的登录页面。公司2现在可能有 ldap auth flow 和 saml auth flow ,该公司的用户将看到这两个选项。该公司正在启动之前选择可用的选项。
By customer I mean the company that will be buying my product. And by users I mean the actual end users of the company that bought my product. So I shipped the product to 3 companies. First will configure it to have ldap auth flow and google-oauth2 auth flow. Users of this first company will be seeing a login page with these 2 options. Company 2 now might have a ldap auth flow and saml auth flow and users of that company will be seeing those 2 options. And the company is selecting the available options before startup.
推荐答案
可以使用Springs @Conditional
注释。
Selective loading of components can be achived with Springs @Conditional
annotation.
配置如下所示:
@Configuration(value = "some.security.config")
@Conditional(value = LoadSecurityConfigCondition.class)
public class SomeSecurityConfig {
// some code
}
@Configuration(value = "other.security.config")
@Conditional(value = LoadSecurityConfigCondition.class)
public class OtherSecurityConfig {
// other code
}
然后, LoadSecurityConfigCondition.class
决定组件是否已加载:
Then, the LoadSecurityConfigCondition.class
decides if the components are loaded:
@Component
public class LoadSecurityConfigCondition implements Condition {
@Override
public boolean matches(final ConditionContext context, final AnnotatedTypeMetadata metadata) {
boolean enabled = false;
if (metadata.isAnnotated(Configuration.class.getName())) {
final String name = (String) metadata.getAnnotationAttributes(Configuration.class.getName()).get("value");
if (StringUtils.isNotBlank(name)) {
/* Here you may load your config file and
* retrieve the information on wether to load
* the config identified by its name.
*/
enabled = ...;
}
}
return enabled;
}
}
在此示例中,现在可以创建配置条目使用 @Configuration
名称,后缀为 .enabled
以阐明其目的:
In this example, the config entries can now be created with the @Configuration
name, postfixed with .enabled
to clarify its purpose:
some.security.config.enabled=true
other.security.config.enabled=false
这篇关于提供配置弹簧安全性的方法?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!