我一直在开发一个带有Spring Security的Web应用程序,它有一些复杂的要求(支持数据库和LDAP身份验证,登录页面和API)我已经大部分都想到了,除了一件我无法得到的东西:处理多个http。我正在JAVA中做所有事情,没有web.xml。启用Spring调试后,它会识别所有三个,但它似乎只是将请求与第一个http进行比较,然后再继续。这是我的代码:
AppConfig.java
@Configuration
@ComponentScan( { "com.mydomain.security" } )
@Import( { SecurityConfig.class } )
public class AppConfig{
...
}
SecurityConfig.java
@Configuration
@EnableWebSecurity
public class SecurityConfig{
@Autowired
Config cfg;
@Autowired
LdapContextSource ldapContextSource;
@Autowired
@Qualifier( "authenticationProviderDB" )
AuthenticationProvider authenticationProviderDB;
@Autowired
@Qualifier( "authenticationProviderLDAP" )
AuthenticationProvider authenticationProviderLDAP;
@Autowired
@Qualifier( "persistentRememberMeServices" )
static RememberMeServices persistentRememberMeServices;
@Autowired
@Qualifier( "tokenRepository" )
CustomTokenRepository tokenRepository;
@Autowired
public void configureGlobal( AuthenticationManagerBuilder auth )throws Exception{
auth.authenticationProvider( authenticationProviderLDAP );
auth.authenticationProvider( authenticationProviderDB );
}
@Configuration
@Order( 1 )
public static class RestWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter{
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers( "/api/**" ).hasRole("ROLE_USER").and().httpBasic()
.and().exceptionHandling().accessDeniedPage( "/security/api" )
}
}
@Configuration
public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter{
@Override
protected void configure( HttpSecurity http )throws Exception{
http.authorizeRequests().antMatchers( "/**" ).hasRole("ROLE_USER")
.and().formLogin().loginPage( "/security/login" ).failureUrl( "/security/login?error" ).usernameParameter( "username" ).passwordParameter( "password" )
.loginProcessingUrl("/j_spring_valuehere")
.and().rememberMe().rememberMeServices( persistentRememberMeServices ).key( "key" )
.and().addFilterBefore( (Filter)new CustomErrorHandlerFilter(), RememberMeAuthenticationFilter.class)
.csrf().disable();
}
}
}
日志
8075 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
8076 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/security/**'
8076 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Public object - authentication not attempted
8077 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp reached end of additional filter chain; proceeding with original chain
非常感谢任何对我可能缺失的帮助。
答案 0 :(得分:1)
尝试更改
http.authorizeRequests().antMatchers( "/api/**" ).hasRole("ROLE_USER").and().httpBasic()
.and().exceptionHandling().accessDeniedPage( "/security/api" )
到
http.antMatcher("/api/**").authorizeRequests().antMatchers( "/api/**" ).hasRole("ROLE_USER").and().httpBasic()
.and().exceptionHandling().accessDeniedPage( "/security/api" )
这将覆盖您设置的/**链。