The Spring bean methods in the application I'm working on are invoked in two ways: through AngularJS and Spring MVC controllers (form login), or over SOAP (HTTP basic authentication). To support this I set up the following configuration for the CXF servlet:
```java
import javax.xml.ws.Endpoint;
import org.apache.cxf.Bus;
import org.apache.cxf.bus.spring.SpringBus;
import org.apache.cxf.jaxws.EndpointImpl;
import org.apache.cxf.transport.servlet.CXFServlet;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.embedded.ServletRegistrationBean;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class CxfConfiguration {
    @Autowired
    private ApplicationContext applicationContext;

    // Mounts the CXF servlet under /soap/*, the prefix the security configuration matches on
    @Bean
    public ServletRegistrationBean dispatcherServletSOAP() {
        return new ServletRegistrationBean(new CXFServlet(), "/soap/*");
    }

    @Bean(name = Bus.DEFAULT_BUS_ID)
    public SpringBus springBus() {
        return new SpringBus();
    }

    // DocumentService / DocumentServiceImpl are the application's own JAX-WS types
    @Bean
    public Endpoint documentEndpoint() {
        Bus bus = (Bus) applicationContext.getBean(Bus.DEFAULT_BUS_ID);
        DocumentService implementor = new DocumentServiceImpl();
        EndpointImpl endpoint = new EndpointImpl(bus, implementor);
        endpoint.publish("/document");   // reachable as /soap/document
        return endpoint;
    }
}
```
and this security configuration:
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Enclosing class assumed: the question only shows the two nested adapters
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Configuration
    @Order(1)
    public static class SOAPSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf().disable()
                .httpBasic()
                .and()
                .antMatcher("/soap/**")
                .authorizeRequests()
                    .anyRequest()
                    .hasRole("USER");
        }
    }

    @Configuration
    @Order(2)
    public static class HTTPSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/soap/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll();
        }
    }
}
```
I realize this is not a very good configuration, because in some cases, from the browser or from SOAP UI, things don't work as expected.
My question is: what is a good way to implement security for these requirements? Am I using this configuration correctly?
Also, I'm using Spring Boot 1.3.2 and Apache CXF 3.1.4.
Answer 0 (score: 1)
I ended up with this working configuration:
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig {

    // Consulted first (@Order(1)) and, because of antMatcher, applies only to /soap/**
    @Configuration
    @Order(1)
    public static class SOAPWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf().ignoringAntMatchers("/soap/**")   // SOAP clients send no CSRF token
                .and()
                .antMatcher("/soap/**")
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .httpBasic()
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)   // no session per SOAP call
                .and().requestCache().disable();   // no saved-request redirects for API calls
        }
    }

    // Default order: catches every request the SOAP chain did not claim
    @Configuration
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login").permitAll()
                    .and()
                .logout().permitAll();
        }
    }
}
```
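An added check for the configuration above (test code written for this page, not the answerer's or the project's own): a MockMvc test that runs the real filter chain and verifies that /soap/** is handled by the basic-auth chain (401 challenge instead of a login redirect, token-less POST not rejected by CSRF) while every other path falls through to form login. It assumes a Boot main class named Application and Spring Boot's default in-memory user set through test properties; /soap/document and /dashboard are constructed paths.

```java
import static org.hamcrest.Matchers.not;
import static org.hamcrest.Matchers.startsWith;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.SpringApplicationConfiguration;
import org.springframework.test.context.TestPropertySource;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

// Assumed: Application is the Boot main class; the Boot default user is the only account.
@RunWith(SpringJUnit4ClassRunner.class)
@SpringApplicationConfiguration(classes = Application.class)
@WebAppConfiguration
@TestPropertySource(properties = { "security.user.name=user", "security.user.password=secret" })
public class MultiHttpSecurityConfigTest {
    @Autowired private WebApplicationContext context;
    private MockMvc mvc;
    @Before
    public void setUp() { // springSecurity() puts the real springSecurityFilterChain in front of MockMvc
        mvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
    }

    @Test // the @Order(1) chain owns /soap/**: a 401 Basic challenge, never a redirect to /login
    public void soapWithoutCredentialsIsChallenged() throws Exception {
        mvc.perform(get("/soap/document"))
           .andExpect(status().isUnauthorized())
           .andExpect(header().string("WWW-Authenticate", startsWith("Basic")));
    }

    @Test // /soap/** is on the CSRF ignore list, so a token-less POST must not be rejected with 403
    public void soapPostWithBasicAuthIsNotBlockedByCsrf() throws Exception {
        mvc.perform(post("/soap/document").with(httpBasic("user", "secret")))
           .andExpect(status().is(not(403)));
    }

    @Test // everything outside /soap/** falls through to the form-login chain
    public void uiRequestWithoutSessionRedirectsToLogin() throws Exception {
        mvc.perform(get("/dashboard"))
           .andExpect(status().is3xxRedirection())
           .andExpect(redirectedUrl("http://localhost/login"));
    }
}
```

Run it with spring-boot-starter-test and spring-security-test on the test classpath; the CXF servlet is not part of MockMvc, so the SOAP POST is checked for "not blocked by security" rather than for a SOAP response.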
Answer 1 (score: 0)
You should try this, it may help you:
```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

@Configuration
@EnableWebSecurity
@Profile("container")
public class SOAPSecurityConfig extends WebSecurityConfigurerAdapter {

    // Two providers of the same type: resolved by field name (authenticationProvider / authenticationProviderDB)
    @Autowired
    private AuthenticationProvider authenticationProvider;
    @Autowired
    private AuthenticationProvider authenticationProviderDB;

    // Local AuthenticationManager of this adapter
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider);
    }

    // Global (parent) AuthenticationManager. Originally posted as ConfigureGlobal with @Order
    // and no @Autowired, which Spring never invokes; this form is what registers the second provider.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProviderDB);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Static resources bypass the security filter chain entirely
        web
            .ignoring()
            .antMatchers("/scripts/**", "/styles/**", "/images/**", "/error/**");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/rest/**").authenticated()
                .antMatchers("/**").permitAll()
                .anyRequest().authenticated()   // never reached: "/**" above already matched everything
                .and()
            .formLogin()
                // Plain status codes instead of redirects, for a JavaScript client
                .successHandler(new AuthenticationSuccessHandler() {
                    @Override
                    public void onAuthenticationSuccess(
                            HttpServletRequest request,
                            HttpServletResponse response,
                            Authentication a) throws IOException, ServletException {
                        response.setStatus(HttpServletResponse.SC_OK);
                    }
                })
                .failureHandler(new AuthenticationFailureHandler() {
                    @Override
                    public void onAuthenticationFailure(
                            HttpServletRequest request,
                            HttpServletResponse response,
                            AuthenticationException ae) throws IOException, ServletException {
                        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                    }
                })
                .loginProcessingUrl("/access/login")
                .and()
            .logout()
                .logoutUrl("/access/logout")
                .logoutSuccessHandler(new LogoutSuccessHandler() {
                    @Override
                    public void onLogoutSuccess(
                            HttpServletRequest request,
                            HttpServletResponse response,
                            Authentication a) throws IOException, ServletException {
                        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
                    }
                })
                .invalidateHttpSession(true)
                .and()
            .exceptionHandling()
                .authenticationEntryPoint(new Http403ForbiddenEntryPoint())   // 403 instead of a login redirect
                .and()
            .csrf()   // CSRF protection disabled
                .disable();
    }
}
```