Spring security 配置两个安全配置时发生未经授权的错误_Spring Security_Spring Security Rest

Spring security 配置两个安全配置时发生未经授权的错误

spring-security

Spring security 配置两个安全配置时发生未经授权的错误,spring-security,spring-security-rest,Spring Security,Spring Security Rest,我通过扩展websecurityconfigureradicator使用两种安全配置，如下所示 @Configuration @Order(100) public class CustomerSecurityAppConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(AuthenticationManagerBuilder auth) throws Exce

我通过扩展

websecurityconfigureradicator

使用两种安全配置，如下所示

@Configuration
@Order(100)
public class CustomerSecurityAppConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("user1")
                .password("{noop}password")
                .and()
                .withUser("user2")
                .password("{noop}password")
                
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.cors().disable();

        http
                .authorizeRequests()
                .antMatchers("/customers/**")
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                .and()
                .httpBasic();
    }
}

@Configuration
class EmployeeSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("admin")
                .password("{noop}password")
                .roles("USER", "ADMIN")
                .and()
                .withUser("user")
                .password("{noop}password")
                .roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.cors().disable();

        http
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/inventory/**")
                .hasAnyRole("USER", "ADMIN")
                .antMatchers(HttpMethod.POST, "/inventory/**")
                .hasRole("ADMIN")
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                .and()
                .httpBasic();
    }
}

    http
       .requestMatchers().antMatchers("/actuator/**")
       .and()
       .authorizeRequests()
       .anyRequest()
       .authenticated()
       .and()
       .formLogin()
       .and()
       .httpBasic();

这里的想法是有两个

领域

。一个用于客户，一个用于订单。当我发出HTTP请求时，对于配置为

CustomerSecurityConfiguration

的用户，

/inventory

和

/customers

端点，我得到

200 OK

响应，对于配置为

EmployeeSecurityConfiguration

的两个用户，我得到

错误。对于

GET

和

POST

的

inventory

和

customers

我有两个REST端点。

我哪里出错了？

我必须为http添加请求匹配器，如下所示

@Configuration
@Order(100)
public class CustomerSecurityAppConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("user1")
                .password("{noop}password")
                .and()
                .withUser("user2")
                .password("{noop}password")
                
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.cors().disable();

        http
                .authorizeRequests()
                .antMatchers("/customers/**")
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                .and()
                .httpBasic();
    }
}

@Configuration
class EmployeeSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("admin")
                .password("{noop}password")
                .roles("USER", "ADMIN")
                .and()
                .withUser("user")
                .password("{noop}password")
                .roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.cors().disable();

        http
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/inventory/**")
                .hasAnyRole("USER", "ADMIN")
                .antMatchers(HttpMethod.POST, "/inventory/**")
                .hasRole("ADMIN")
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                .and()
                .httpBasic();
    }
}

    http
       .requestMatchers().antMatchers("/actuator/**")
       .and()
       .authorizeRequests()
       .anyRequest()
       .authenticated()
       .and()
       .formLogin()
       .and()
       .httpBasic();

您可以检查

AuthenticationManagerBuilder

build-up后面的spring实现的源代码，多个配置可能不会合并，而是可能会被覆盖。就像第二个加载的覆盖第一个。您是否在每个配置类上设置了断点？我猜

EmployeeSecurityConfiguration

不起作用，因为它是在

CustomerSecurityConfiguration

@Tiina之前加载的。两个安全筛选器链都必须配置

RequestMatcher

，否则默认为

RequestMatcher

和

any

。我们需要为不同的域创建单独的安全过滤器链。