
Unable to configure two HttpSecurity settings using JavaConfig


I followed the advice on how to configure two separate HttpSecurity instances:

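import static java.util.Arrays.asList;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;

@Configuration
@EnableWebSecurity
public class SoWebSecurityConfig
{
  // Assumed SLF4J logger; the posted snippet uses `log` without showing its declaration.
  private static final Logger log = LoggerFactory.getLogger(SoWebSecurityConfig.class);
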
  @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(username -> {
      log.info("\n\n\n *********  authenticating {} ************************************\n\n\n", username);
      return new User(username, "", asList(new SimpleGrantedAuthority("TV")));
    });
  }

  @Configuration
  @Order(1)
  public static class SwiperSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception { configureHttpSec(http, "/swiper"); }
  }

  @Configuration
  @Order(2)
  public static class TvSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception { configureHttpSec(http, "/tv"); }
  }

  static HttpSecurity configureHttpSec(HttpSecurity http, String urlBase) throws Exception {
    http   .csrf().disable()
           .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
    .and() .authorizeRequests().antMatchers(urlBase+"/**").authenticated()
    .and() .httpBasic()
    .and() .logout().logoutUrl(urlBase+"/logout").logoutSuccessHandler((req,resp,auth) -> {})
    ;
    return http;
  }
}
In the log I do see that two filter chains are created:

2014-06-30 12:44:22 main INFO  o.s.s.w.DefaultSecurityFilterChain - Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.as
ync.WebAsyncManagerIntegrationFilter@806996, org.springframework.security.web.context.SecurityContextPersistenceFilter@1937eaff, org.springframework.security.web.header.HeaderWriterFilter@71e4b308, org.springfr
amework.security.web.authentication.logout.LogoutFilter@1d1cbd0f, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@9b9a327, org.springframework.security.web.savedrequest.RequestCach
eAwareFilter@4993febc, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@67064bdc, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@78b612c6, org.s
pringframework.security.web.session.SessionManagementFilter@6d11ceef, org.springframework.security.web.access.ExceptionTranslationFilter@6e7c351d, org.springframework.security.web.access.intercept.FilterSecurit
yInterceptor@571a01f9] 
2014-06-30 12:44:22 main INFO  o.s.s.w.DefaultSecurityFilterChain - Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.as
ync.WebAsyncManagerIntegrationFilter@30c1da48, org.springframework.security.web.context.SecurityContextPersistenceFilter@427ae189, org.springframework.security.web.header.HeaderWriterFilter@4784efd9, org.spring
framework.security.web.authentication.logout.LogoutFilter@187e5235, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@514de325, org.springframework.security.web.savedrequest.RequestC
acheAwareFilter@16a9eb2e, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@76332405, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@43a65cd8, or
g.springframework.security.web.session.SessionManagementFilter@3fba233d, org.springframework.security.web.access.ExceptionTranslationFilter@376c7d7d, org.springframework.security.web.access.intercept.FilterSecu
rityInterceptor@3b48e183] 
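But only the one I designate with Order(1) actually gets used; URLs matching the other one do not get authenticated.

I also tried following the documentation more closely, using anyRequest() instead of the Ant matchers in the @Order(2) configuration, but the result was the same.

What are my options to work around this problem?


I am using Spring 4.0.5 and Spring Security 3.2.4.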

You are not following the documentation in one key respect. You have

http.authorizeRequests().antMatchers(urlBase+"/**").authenticated()
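which means that you register this HttpSecurity as a global security module that applies to all URLs but only requires authentication for the URLs selected with the Ant matcher. When you do this twice, you end up with two chained global security modules, so naturally only the first one is responsible for all URLs.

Instead, the documentation advises: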

http.antMatcher(urlBase+"/**").authorizeRequests().anyRequest().authenticated()
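which means that the Ant matcher is used to select the URLs this security module is responsible for, and the module is bypassed for all other URLs. This way the second module gets its chance when appropriate.

So all you need to do is slightly adjust your static configurer method to the following: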

  static HttpSecurity configureHttpSec(HttpSecurity http, String urlBase) throws Exception {
    http   .csrf().disable()
           .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
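    // antMatcher (singular) scopes this whole filter chain to urlBase; every request inside it must be authenticated
    .and() .antMatcher(urlBase+"/**").authorizeRequests().anyRequest().authenticated()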
    .and() .httpBasic()
    .and() .logout().logoutUrl(urlBase+"/logout").logoutSuccessHandler((req,resp,auth) -> {})
    ;
    return http;
  }
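
A startup-time check for the failure described in this thread, as an added example that is not part of the original posts: it reports filter chains that sit behind a chain matching any request and therefore never run. The class and method names are hypothetical, and it assumes Spring Security 3.2.x (the version in the question) and the Servlet API on the classpath.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;

// Added example (hypothetical class name), not code from the thread.
public class ShadowedChainCheck {

  // FilterChainProxy uses the first chain whose matcher accepts the request, so every chain
  // listed after one that matches any request is unreachable. Returns those chains' indexes.
  static List<Integer> shadowedChains(List<? extends SecurityFilterChain> chains) {
    List<Integer> shadowed = new ArrayList<Integer>();
    boolean catchAllSeen = false;
    for (int i = 0; i < chains.size(); i++) {
      if (catchAllSeen) {
        shadowed.add(i);
        continue;
      }
      SecurityFilterChain chain = chains.get(i);
      // Only DefaultSecurityFilterChain exposes its matcher; other implementations are not inspected.
      if (chain instanceof DefaultSecurityFilterChain) {
        catchAllSeen = ((DefaultSecurityFilterChain) chain).getRequestMatcher() instanceof AnyRequestMatcher;
      }
    }
    return shadowed;
  }

  public static void main(String[] args) {
    // Constructed input: the question's configuration, where both chains log AnyRequestMatcher.
    List<SecurityFilterChain> broken = Arrays.<SecurityFilterChain>asList(
        new DefaultSecurityFilterChain(AnyRequestMatcher.INSTANCE),
        new DefaultSecurityFilterChain(AnyRequestMatcher.INSTANCE));
    // Constructed input: the matchers http.antMatcher(urlBase + "/**") gives each adapter.
    List<SecurityFilterChain> fixed = Arrays.<SecurityFilterChain>asList(
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/swiper/**")),
        new DefaultSecurityFilterChain(new AntPathRequestMatcher("/tv/**")));
    System.out.println("question's config, unreachable chains: " + shadowedChains(broken));
    System.out.println("answer's config, unreachable chains:   " + shadowedChains(fixed));
  }
}
```

In an application, pass it the result of FilterChainProxy.getFilterChains() and fail startup when the returned list is not empty.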

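Have you tried replacing configureHttpSec(http, "/tv"); with http.antMatcher("/tv") and http.antMatcher("/swipe") and building the authorization configuration under each to reflect the differences?

@Aeseir That was exactly my problem :) Great! I read the example in the documentation several times and still missed the subtle difference in where the Ant matcher is applied. Please undelete your answer so I can accept it. I will edit it to better emphasize the cause of the problem and the solution.

Done. Glad I could help.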