Spring Security忽略多个HTTP配置

时间:2015-03-18 04:25:07

标签: java spring spring-mvc spring-security

我一直在开发一个带有Spring Security的Web应用程序,它有一些复杂的要求(支持数据库和LDAP身份验证,登录页面和API)我已经大部分都想到了,除了一件我无法得到的东西:处理多个http。我正在JAVA中做所有事情,没有web.xml。启用S​​pring调试后,它会识别所有三个,但它似乎只是将请求与第一个http进行比较,然后再继续。这是我的代码:

AppConfig.java

@Configuration
@ComponentScan( { "com.mydomain.security" } )
@Import( { SecurityConfig.class } )
public class AppConfig{
    ...
}

SecurityConfig.java

@Configuration
@EnableWebSecurity
public class SecurityConfig{

    @Autowired
    Config cfg;

    @Autowired
    LdapContextSource ldapContextSource;

    @Autowired
    @Qualifier( "authenticationProviderDB" )
    AuthenticationProvider authenticationProviderDB;

    @Autowired
    @Qualifier( "authenticationProviderLDAP" )
    AuthenticationProvider authenticationProviderLDAP;

    @Autowired
    @Qualifier( "persistentRememberMeServices" )
    static RememberMeServices persistentRememberMeServices;

    @Autowired
    @Qualifier( "tokenRepository" )
    CustomTokenRepository tokenRepository;

    @Autowired
    public void configureGlobal( AuthenticationManagerBuilder auth )throws Exception{
        auth.authenticationProvider( authenticationProviderLDAP );
        auth.authenticationProvider( authenticationProviderDB );
    }

    @Configuration
    @Order( 1 )                                                        
    public static class RestWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter{
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().antMatchers( "/api/**" ).hasRole("ROLE_USER").and().httpBasic()
            .and().exceptionHandling().accessDeniedPage( "/security/api" )
        }
    }

    @Configuration                                                   
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter{
        @Override
        protected void configure( HttpSecurity http )throws Exception{
            http.authorizeRequests().antMatchers( "/**" ).hasRole("ROLE_USER")
            .and().formLogin().loginPage( "/security/login" ).failureUrl( "/security/login?error" ).usernameParameter( "username" ).passwordParameter( "password" )
            .loginProcessingUrl("/j_spring_valuehere")
            .and().rememberMe().rememberMeServices( persistentRememberMeServices ).key( "key" )
            .and().addFilterBefore( (Filter)new CustomErrorHandlerFilter(), RememberMeAuthenticationFilter.class)
            .csrf().disable();
        }
    }
}

日志

8075 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy  - /index.jsp at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
8076 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher  - Checking match of request : '/index.jsp'; against '/security/**'
8076 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor  - Public object - authentication not attempted
8077 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy  - /index.jsp reached end of additional filter chain; proceeding with original chain

非常感谢任何对我可能缺失的帮助。

1 个答案:

答案 0 :(得分:1)

尝试更改

http.authorizeRequests().antMatchers( "/api/**" ).hasRole("ROLE_USER").and().httpBasic()
        .and().exceptionHandling().accessDeniedPage( "/security/api" )

http.antMatcher("/api/**").authorizeRequests().antMatchers( "/api/**" ).hasRole("ROLE_USER").and().httpBasic()
        .and().exceptionHandling().accessDeniedPage( "/security/api" )

这将覆盖您设置的/**链。