Combining Spring HTTP Basic Authentication and Access Tokens (spring, spring-security-oauth2)

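How can I combine Spring HTTP basic authentication and access tokens so that both work at the same time? In my case, only the configuration with Order(1) works.

I want all */api**/* to be accessible only to users with a token, and */web**/* to be accessible only to logged-in users.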

WebSecurityConfig.java

@Configuration
@EnableWebMvcSecurity
@Order(1)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/web/**", "/gopr").authenticated().and().authorizeRequests()
                .and()
                .formLogin().loginPage("/login").permitAll()
                .defaultSuccessUrl("/gopr", true).permitAll().and().logout().logoutSuccessUrl("/login").permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }
}

Application.java

@SpringBootApplication
@EnableResourceServer
@Order(2)
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);

    }

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // @formatter:off
            clients.inMemory()
                .withClient("my-trusted-client")
                    .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit", "client_credentials")
                    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                    .scopes("read", "write", "trust")
                    .resourceIds("oauth2-resource")
                    .secret("password")
                    .accessTokenValiditySeconds(600);
        // @formatter:on
        }
    }

    @Configuration
    @EnableResourceServer
    protected static class ResourceServer extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().antMatchers("/web/**", "/login", "/index", "/").permitAll()
                    .antMatchers("/api/**").authenticated();
            /* antMatchers("/web/**", "/gopr").permitAll().antMatchers("/api/**").authenticated(); */
        }
    }
}

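Always use "requestMatchers()" when creating security filters. This way, when multiple filter chains are created, the first filter chain will not be used.

Modify both. Change your WebSecurityConfig.java to: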

    @Configuration
    @EnableWebMvcSecurity
    @Order(1)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    ...
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers().antMatchers("/web/**", "/gopr")
                .and()
                .authorizeRequests().antMatchers("/web/**", "/gopr").authenticated()
                .and()
                    .formLogin().loginPage("/login").permitAll()
                    .defaultSuccessUrl("/gopr", true).permitAll().and().logout().logoutSuccessUrl("/login").permitAll();
        }
      ...
    }

And your ResourceServer inner class to:

    @Configuration
    @EnableResourceServer
    protected static class ResourceServer extends
            ResourceServerConfigurerAdapter {

        ...
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                    .requestMatchers().antMatchers("/api/**").and()
                    .authorizeRequests().antMatchers("/api/**").authenticated();
        }


    }

Reference:
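
The following is an added example, not code from the question, the answer or Spring Security: a simplified plain-Java model of the rule that each request is handled by only the first filter chain whose request matcher accepts it, comparing the question's unscoped chains with the answer's `requestMatchers()` scoping. The class name `ChainSelectionDemo`, the chain labels, the reduced Ant matching and the sample paths are assumptions made for illustration; it needs Java 16 or later.

```java
import java.util.List;

// Simplified model: one filter chain is selected per request, first match in @Order sequence.
public class ChainSelectionDemo {

    // A chain is a label plus the patterns passed to requestMatchers();
    // an empty list models "no requestMatchers()", which matches every request.
    record Chain(String name, List<String> patterns) {
        boolean matches(String path) {
            return patterns.isEmpty() || patterns.stream().anyMatch(p -> antMatch(p, path));
        }
    }

    // Reduced Ant matching (assumption): only exact paths and a trailing "/**" are handled.
    static boolean antMatch(String pattern, String path) {
        if (pattern.endsWith("/**")) {
            String prefix = pattern.substring(0, pattern.length() - 3);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pattern.equals(path);
    }

    // The first chain (lowest order first) whose matcher accepts the path handles the request.
    static String select(List<Chain> chains, String path) {
        for (Chain c : chains) {
            if (c.matches(path)) return c.name();
        }
        return "none (no security filters applied)";
    }

    public static void main(String[] args) {
        // Question's setup: neither chain is scoped, so the @Order(1) chain takes everything.
        List<Chain> before = List.of(
            new Chain("formLogin", List.of()),
            new Chain("resourceServer", List.of()));
        // Answer's setup: each chain is scoped with requestMatchers().
        List<Chain> after = List.of(
            new Chain("formLogin", List.of("/web/**", "/gopr")),
            new Chain("resourceServer", List.of("/api/**")));

        // Constructed sample paths.
        for (String path : List.of("/web/home", "/gopr", "/api/orders", "/login")) {
            System.out.printf("%-12s before=%-10s after=%s%n",
                path, select(before, path), select(after, path));
        }
    }
}
```

In the unscoped setup `/api/orders` lands in the form-login chain, so the token check in the resource-server chain is never reached. In the scoped setup `/login` matches neither chain, so the form-login chain's matchers also need to cover the login-processing and logout URLs for those filters to run.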