Spring Security with multiple endpoints
I am using HTTP Basic authentication for my web application. It has multiple endpoints. My requirement is to authenticate the user once and then access these different endpoints. Below is the current Spring Security configuration:
    <!-- Root element and namespace declarations added so the fragment is a complete context file -->
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:context="http://www.springframework.org/schema/context"
           xmlns:sec="http://www.springframework.org/schema/security"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                               http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                               http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

        <context:component-scan base-package="com.test.security" />

        <!-- every URL requires one of the three roles; credentials arrive via HTTP Basic -->
        <sec:http use-expressions="true">
            <sec:intercept-url pattern="/**" access="hasAnyRole('Admin','Data Operator','Data Collector')" />
            <sec:http-basic />
        </sec:http>

        <sec:authentication-manager alias="authenticationManager">
            <sec:authentication-provider user-service-ref="myAuthenticationProvider">
                <sec:password-encoder ref="encoder" />
            </sec:authentication-provider>
        </sec:authentication-manager>

        <bean id="myAuthenticationProvider" class="com.test.security.MyUserDetailsService" />

        <bean id="encoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />
    </beans>
Below is the implementation of the authentication provider:
    package com.test.security;

    import java.util.List;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.stereotype.Service;

    import com.test.business.objects.Adminrole;
    import com.test.business.objects.Adminuser;
    import com.test.business.repository.AdminroleRepository;
    import com.test.repository.AdminuserRepository;

    @Service
    public class MyUserDetailsService implements UserDetailsService {

        @Autowired
        private AdminuserRepository adminuserRepository;

        @Autowired
        private AdminroleRepository adminroleRepository;

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            // find admin user by user name
            List<Adminuser> adminUsers = adminuserRepository.findByUsername(username);
            if (adminUsers == null || adminUsers.isEmpty()) {
                // an unknown user must be reported through the interface's exception,
                // not by letting get(0) throw IndexOutOfBoundsException
                throw new UsernameNotFoundException("User not found: " + username);
            }
            Adminuser adminUser = adminUsers.get(0);
            // find admin roles by user
            List<Adminrole> adminRoles = adminroleRepository.getAdminRolesByUserId(adminUser.getUserid());
            // create user details object (MyUserDetails wraps the user and its roles)
            return new MyUserDetails(adminUser, adminRoles);
        }
    }
Why use HTTP Basic, since it is not secure? Also, do not use the MD5 password encoder; it is insecure, use BCrypt instead. In addition, your intercept-url says that every page starting with / must have a logged-in user. If that is the case, how will the user ever reach the login page, since the login page is itself part of /**? Do you see? And what do you mean by endpoint?
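As an added illustration (not code from the question or the answer above), the following puts the answer's two suggestions together with the empty-lookup problem in the question's `loadUserByUsername`: the `Md5PasswordEncoder` bean is replaced by `BCryptPasswordEncoder`, an unknown username is reported through `UsernameNotFoundException` instead of `get(0)` on an empty list, and the XML is expressed as Spring Security Java configuration (`WebSecurityConfigurerAdapter`, Spring Security 4.x/5.x). `Adminuser`, `Adminrole` and the two repositories are the types from the question; the accessors `getPassword()` and `getRolename()` are assumed, since the page does not show them, and the stored password is assumed to be a BCrypt hash.

```java
package com.test.security;

import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

import com.test.business.objects.Adminrole;
import com.test.business.objects.Adminuser;
import com.test.business.repository.AdminroleRepository;
import com.test.repository.AdminuserRepository;

/** Loads users from the question's repositories; rejects unknown users instead of calling get(0) on an empty list. */
@Service
public class BcryptUserDetailsService implements UserDetailsService {

    @Autowired private AdminuserRepository adminuserRepository;
    @Autowired private AdminroleRepository adminroleRepository;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        List<Adminuser> found = adminuserRepository.findByUsername(username);
        if (found == null || found.isEmpty()) {
            // DaoAuthenticationProvider hides this as BadCredentialsException by default,
            // so the client cannot tell a wrong username from a wrong password.
            throw new UsernameNotFoundException("no admin user named " + username);
        }
        Adminuser adminUser = found.get(0);
        List<Adminrole> roles = adminroleRepository.getAdminRolesByUserId(adminUser.getUserid());

        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (Adminrole role : roles) {
            // getRolename() is assumed; the page does not show Adminrole's accessors.
            authorities.add(new SimpleGrantedAuthority(role.getRolename()));
        }
        // getPassword() is assumed to return the stored BCrypt hash (e.g. "$2a$10$...").
        return new User(username, adminUser.getPassword(), authorities);
    }
}

/** Java-config equivalent of the question's <sec:http> / <sec:authentication-manager> with BCrypt instead of MD5. */
@Configuration
@EnableWebSecurity
class BasicAuthConfig extends WebSecurityConfigurerAdapter {

    @Autowired private BcryptUserDetailsService userDetailsService;

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Per-password random salt and a tunable work factor; MD5 has neither.
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // hasAnyAuthority matches the role names exactly, so the stored names
        // 'Admin', 'Data Operator', 'Data Collector' need no ROLE_ prefix.
        http.authorizeRequests()
                .antMatchers("/**").hasAnyAuthority("Admin", "Data Operator", "Data Collector")
            .and()
            .httpBasic();
    }
}
```

Existing MD5 hashes cannot be converted to BCrypt; each user's password has to be re-hashed once with `passwordEncoder().encode(rawPassword)` when it is next set, and the stored value replaced. Because HTTP Basic sends the credentials with every request, the "authenticate once" requirement is met only in the sense that Spring Security caches the result in the HTTP session by default; over plain HTTP those credentials are visible on the wire, which is the point the answer makes about Basic being insecure.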