How do I create two HTTP security configurations using Java-based configuration?

Time: 2014-10-08 15:26:53

Tags: java spring-security

In XML configuration I can create the following:

<security:http pattern="/api/**"
               create-session="never"
               use-expressions="true">
  <security:http-basic entry-point-ref="xBasicAuthenticationEntryPoint"/>
  <security:session-management />
  <security:intercept-url pattern="/tests/**" access="isAuthenticated()"/>
  <security:intercept-url pattern="/api/**" access="isAuthenticated()"/>
</security:http>

<security:http auto-config="true" use-expressions="true" realm="ACME">
  <security:intercept-url pattern="/favicon.ico" access="permitAll" />
  <security:intercept-url pattern="/static/**" access="permitAll"/>
  <security:intercept-url pattern="/error/**" access="permitAll" />
  <security:intercept-url pattern="/" access="permitAll"/>
  <security:intercept-url pattern="/login" access="permitAll"/>
  <security:intercept-url pattern="/logout" access="isAuthenticated()"/>
  <security:form-login login-page='/login'
                       authentication-failure-url="/login?error"/>
  <security:logout logout-url="/logout" logout-success-url="/"/>
</security:http>

If there is no session, this allows all calls to /api/** without attempting to authenticate the user.

How do I create the same configuration using Java-based configuration?

My WebSecurityConfigurerAdapter#configure(HttpSecurity) method looks like this:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.addFilter(switchUserFilter())
        .authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers("/static/**").permitAll()
        .anyRequest().authenticated()
        .and().formLogin()
              .loginPage("/login")
              .permitAll()
              .defaultSuccessUrl("/")
        .and().logout()
              .logoutUrl("/logout")
              .logoutSuccessUrl("/");
}

1 answer:

Answer 0 (score: 5)

It is clearly stated in the Security Reference Manual that you add as many @Order()-annotated inner classes with the @Configuration annotation as you like, to specify what is checked first. In your example it could look like:

@Order(1)
@Configuration
private static class ApiSecurityConfigurationAdapter
        extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // this chain only applies to /api/** requests
            .antMatcher("/api/**")
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
            .and().httpBasic().authenticationEntryPoint(xBasicAuthenticationEntryPoint)
            .and().authorizeRequests()
                .anyRequest().authenticated();
    }
}

@Configuration
private static class NormalSecurityConfigurationAdapter
        extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilter(switchUserFilter())
            .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/static/**").permitAll()
            .anyRequest().authenticated()
            .and().formLogin()
                  .loginPage("/login")
                  .permitAll()
                  .defaultSuccessUrl("/")
            .and().logout()
                  .logoutUrl("/logout")
                  .logoutSuccessUrl("/");
    }
}
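As an added example (not code from the question or the answer), the two adapters assembled into one @EnableWebSecurity class with the imports they need, the entry point injected as a bean, and the permitAll paths from the XML carried over; xBasicAuthenticationEntryPoint is assumed to be a bean defined elsewhere.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig {
    // Lowest @Order is consulted first; antMatcher limits this chain to /api/** only.
    @Configuration
    @Order(1)
    public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
        // Assumed to be a bean defined elsewhere (xBasicAuthenticationEntryPoint in the XML).
        @Autowired
        private AuthenticationEntryPoint xBasicAuthenticationEntryPoint;
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.NEVER)   // never create a session
                .and()
                .httpBasic()
                    .authenticationEntryPoint(xBasicAuthenticationEntryPoint)
                .and()
                .authorizeRequests()
                    .anyRequest().authenticated();
        }
    }
    // No @Order: the adapter default is 100, so this chain runs after the API chain and,
    // having no antMatcher, handles every remaining request.
    @Configuration
    public static class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/", "/favicon.ico", "/static/**", "/error/**").permitAll()
                    .anyRequest().authenticated()
                .and()
                .formLogin()
                    .loginPage("/login").failureUrl("/login?error").permitAll()
                .and()
                .logout()
                    .logoutUrl("/logout").logoutSuccessUrl("/");
        }
    }
}
```

If the API chain were given a higher @Order value than the form-login chain, the catch-all chain would claim /api/** requests first and the basic-auth chain would never be reached.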