无法使用JavaConfig配置两个HttpSecurity设置
我遵循了有关如何配置两个独立的无法使用JavaConfig配置两个HttpSecurity设置,java,spring,spring-security,Java,Spring,Spring Security,我遵循了有关如何配置两个独立的HttpSecurity实例的建议: @Configuration @EnableWebSecurity public class SoWebSecurityConfig { @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(username -> { l
HttpSecurity
实例的建议:
@Configuration
@EnableWebSecurity
public class SoWebSecurityConfig
{
@Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(username -> {
log.info("\n\n\n ********* authenticating {} ************************************\n\n\n", username);
return new User(username, "", asList(new SimpleGrantedAuthority("TV")));
});
}
@Configuration
@Order(1)
public static class SwiperSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception { configureHttpSec(http, "/swiper"); }
}
@Configuration
@Order(2)
public static class TvSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception { configureHttpSec(http, "/tv"); }
}
static HttpSecurity configureHttpSec(HttpSecurity http, String urlBase) throws Exception {
http .csrf().disable()
.exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
.and() .authorizeRequests().antMatchers(urlBase+"/**").authenticated()
.and() .httpBasic()
.and() .logout().logoutUrl(urlBase+"/logout").logoutSuccessHandler((req,resp,auth) -> {})
;
return http;
}
}
在日志中,我确实看到创建了两个过滤器链:
2014-06-30 12:44:22 main INFO o.s.s.w.DefaultSecurityFilterChain - Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.as
ync.WebAsyncManagerIntegrationFilter@806996, org.springframework.security.web.context.SecurityContextPersistenceFilter@1937eaff, org.springframework.security.web.header.HeaderWriterFilter@71e4b308, org.springfr
amework.security.web.authentication.logout.LogoutFilter@1d1cbd0f, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@9b9a327, org.springframework.security.web.savedrequest.RequestCach
eAwareFilter@4993febc, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@67064bdc, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@78b612c6, org.s
pringframework.security.web.session.SessionManagementFilter@6d11ceef, org.springframework.security.web.access.ExceptionTranslationFilter@6e7c351d, org.springframework.security.web.access.intercept.FilterSecurit
yInterceptor@571a01f9]
2014-06-30 12:44:22 main INFO o.s.s.w.DefaultSecurityFilterChain - Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.as
ync.WebAsyncManagerIntegrationFilter@30c1da48, org.springframework.security.web.context.SecurityContextPersistenceFilter@427ae189, org.springframework.security.web.header.HeaderWriterFilter@4784efd9, org.spring
framework.security.web.authentication.logout.LogoutFilter@187e5235, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@514de325, org.springframework.security.web.savedrequest.RequestC
acheAwareFilter@16a9eb2e, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@76332405, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@43a65cd8, or
g.springframework.security.web.session.SessionManagementFilter@3fba233d, org.springframework.security.web.access.ExceptionTranslationFilter@376c7d7d, org.springframework.security.web.access.intercept.FilterSecu
rityInterceptor@3b48e183]
但是只有我指定的带有顺序(1)的那一个会被实际使用;与另一个URL匹配的URL将不会得到身份验证
我还尝试更密切地跟踪文档,在@Order(2)
配置中使用anyRequest()
而不是ant matchers,但结果是一样的
我有什么办法来解决这个问题
我使用的是Spring 4.0.5和Spring Security 3.2.4。您在一个关键方面没有遵循文档。你有
http.authorizeRequests().antMatchers(urlBase+"/**").authenticated()
这意味着您将此HttpSecurity
注册为一个全局安全模块,该模块适用于所有URL,但只需要对使用Ant matcher选择的URL进行身份验证。当您这样做两次时,您将得到两个链接的全局安全模块,因此自然只有第一个模块负责所有URL
相反,文件建议:
http.antMatcher(urlBase+"/**").authorizeRequests().anyRequest().authenticated()
这意味着Ant matcher将用于选择此安全模块负责的URL,并将其用于所有其他模块。这样,第二个模块就可以在适当的时候获得机会
因此,您只需将静态配置器方法稍微调整为以下内容:
static HttpSecurity configureHttpSec(HttpSecurity http, String urlBase) throws Exception {
http .csrf().disable()
.exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
.and() .antMatchers(urlBase+"/**").authorizeRequests().anyRequest().authenticated()
.and() .httpBasic()
.and() .logout().logoutUrl(urlBase+"/logout").logoutSuccessHandler((req,resp,auth) -> {})
;
return http;
}
您是否尝试过替换configureHttpSec(http,“/tv”);使用http.antMatcher(“/tv”)和http.antMatcher(“/swipe”)并在其下建立授权配置文件以反映差异?@Aeseir这正是我的问题所在:)太棒了!我多次阅读了文档中的示例,但仍然忽略了ant matcher应用于何处的细微差别。请取消删除您的答案,以便我可以接受。我将对其进行编辑,以便更好地强调问题的原因和解决方案。完成。很高兴我能帮忙。