Unauthorized error when configuring two security configurations in Spring Security
Tags: spring-security, spring-security-rest, Spring Security, Spring Security Rest

I am using two security configurations by extending WebSecurityConfigurerAdapter, as shown below:
@Configuration
@Order(100)
public class CustomerSecurityAppConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("user1")
            .password("{noop}password")
            .and()
            .withUser("user2")
            .password("{noop}password");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.cors().disable();
        http
            .authorizeRequests()
            // antMatchers(...) must be followed by an access rule before anyRequest() can be chained
            .antMatchers("/customers/**").authenticated()
            .anyRequest()
            .authenticated()
            .and()
            .formLogin()
            .and()
            .httpBasic();
    }
}

@Configuration
class EmployeeSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("admin")
            .password("{noop}password")
            .roles("USER", "ADMIN")
            .and()
            .withUser("user")
            .password("{noop}password")
            .roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.cors().disable();
        http
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/inventory/**")
            .hasAnyRole("USER", "ADMIN")
            .antMatchers(HttpMethod.POST, "/inventory/**")
            .hasRole("ADMIN")
            .anyRequest()
            .authenticated()
            .and()
            .formLogin()
            .and()
            .httpBasic();
    }
}
The idea here is to have two realms: one for customers and one for orders. When I make HTTP requests, the users configured in CustomerSecurityConfiguration get a 200 OK response on both the /inventory and /customers endpoints, while the two users configured in EmployeeSecurityConfiguration get a 401 error. I have two REST endpoints, for GET and POST, on inventory and customers.

Where am I going wrong? Do I have to add request matchers for http, as shown below?
http
    .requestMatchers().antMatchers("/actuator/**")
    .and()
    .authorizeRequests()
    .anyRequest()
    .authenticated()
    .and()
    .formLogin()
    .and()
    .httpBasic();
You can check the source of Spring's implementation behind the AuthenticationManagerBuilder build-up; multiple configurations may not be merged but overwritten instead, i.e. the second one loaded overrides the first. Have you set breakpoints in each configuration class? My guess is that EmployeeSecurityConfiguration does not take effect because it is loaded before CustomerSecurityConfiguration.

@Tiina Both security filter chains must have a RequestMatcher configured, otherwise it defaults to the RequestMatcher any. We need to create separate security filter chains for the different domains.
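As an added example (not code from the question or from either reply), here is what the two chains look like once each one is scoped with requestMatchers(). The behaviour the question reports follows from the missing scope: a WebSecurityConfigurerAdapter without requestMatchers() builds a filter chain whose RequestMatcher is "any", so the chain with the lowest @Order handles /inventory/** as well as /customers/**, and the admin/user accounts, which exist only in the second chain's local AuthenticationManager, are rejected with 401. Each adapter also needs a distinct @Order value (the class default is 100). The CUSTOMER role, the class names and the fail-closed fallback chain are assumptions added for illustration, and only HTTP Basic is configured.

```java
// Added example: three independent filter chains. The first two are scoped with
// requestMatchers(); the third catches everything else so no URL is left unprotected.
// Class names, the CUSTOMER role and the fallback chain are assumptions, not the question's code.
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/** Chain 1: consulted only for /customers/**, with its own in-memory users. */
@Configuration
@Order(1) // every adapter needs a distinct @Order; the inherited default is 100
public class CustomerSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Local AuthenticationManager: only requests routed to this chain can log in as these users.
        auth.inMemoryAuthentication()
            .withUser("user1").password("{noop}password").roles("CUSTOMER")
            .and()
            .withUser("user2").password("{noop}password").roles("CUSTOMER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers()
                .antMatchers("/customers/**")        // scope: this chain handles only these URLs
                .and()
            .authorizeRequests()
                .anyRequest().hasRole("CUSTOMER")    // rule applied within that scope
                .and()
            .csrf().disable()                        // stateless API with HTTP Basic, no session cookie to protect
            .httpBasic();
    }
}

/** Chain 2: consulted only for /inventory/**, with the employee users. */
@Configuration
@Order(2)
class EmployeeSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin").password("{noop}password").roles("USER", "ADMIN")
            .and()
            .withUser("user").password("{noop}password").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers()
                .antMatchers("/inventory/**")
                .and()
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/inventory/**").hasAnyRole("USER", "ADMIN")
                .antMatchers(HttpMethod.POST, "/inventory/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .csrf().disable()
            .httpBasic();
    }
}

/**
 * Chain 3: no requestMatchers(), so it matches every request the first two did not claim.
 * Without such a chain, a URL matched by no filter chain passes through FilterChainProxy
 * with no security filters at all.
 */
@Configuration
@Order(3)
class FallbackSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().denyAll(); // fail closed for anything not explicitly scoped above
    }
}
```

With this layout, /customers/** is authenticated only against user1/user2, /inventory/** only against admin/user, and everything else, including the /actuator/** paths from the question's fragment, is refused until it is given its own scoped chain in the same way.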