基本身份验证和表单登录的Spring Security配置

时间:2016-02-25 16:40:23

标签: spring-mvc soap spring-security cxf

我正在处理的应用程序中的Spring Bean方法有两种调用方式:通过AngularJS和Spring MVC控制器(表单登录),或者通过SOAP(基本身份验证)。

为了实现这一点,我为CXF servlet设置了以下配置:

@Configuration
public class CxfConfiguration {

  // Used only to look the CXF bus up by name in documentEndpoint().
  @Autowired
  private ApplicationContext applicationContext;

  /**
   * Registers the CXF servlet so that every request under {@code /soap/} is handed to CXF.
   *
   * @return the registration of a {@link CXFServlet} mapped to {@code /soap/*}
   */
  @Bean
  public ServletRegistrationBean dispatcherServletSOAP() {
    CXFServlet cxfServlet = new CXFServlet();
    ServletRegistrationBean registration = new ServletRegistrationBean(cxfServlet, "/soap/*");
    return registration;
  }

  /**
   * Provides the CXF {@link SpringBus} under the default bus id ({@code Bus.DEFAULT_BUS_ID}),
   * which is the name {@code documentEndpoint()} uses to look the bus up.
   *
   * @return a fresh {@link SpringBus}
   */
  @Bean(name= Bus.DEFAULT_BUS_ID)
  public SpringBus springBus() {
    SpringBus bus = new SpringBus();
    return bus;
  }

  /**
   * Publishes {@link DocumentServiceImpl} as a JAX-WS endpoint at the relative address
   * {@code /document}; it is reached through the {@code /soap/*} servlet mapping, and access
   * control for that path is the job of the security configuration, not of this bean.
   *
   * @return the published endpoint
   */
  @Bean
  public Endpoint documentEndpoint(){
    // The bus is looked up by its well-known id rather than injected.
    Bus cxfBus = (Bus) applicationContext.getBean(Bus.DEFAULT_BUS_ID);
    EndpointImpl endpoint = new EndpointImpl(cxfBus, new DocumentServiceImpl());
    endpoint.publish("/document");
    return endpoint;
  }

以及安全配置:

/**
 * Security filter chain for the SOAP endpoints: HTTP Basic authentication, no CSRF check, and
 * every request under {@code /soap/**} must carry the {@code USER} role.
 *
 * <p>{@code @Order(1)} makes this the first chain consulted, so it claims {@code /soap/**}
 * before the form-login chain ever sees such a request.
 */
@Configuration
@Order(1)
public static class SOAPSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // Scope this whole chain to the SOAP servlet mapping.
    http.antMatcher("/soap/**");
    // SOAP clients authenticate on every request with Basic credentials and send no CSRF token.
    // NOTE(review): Basic credentials are only base64-encoded, so this path should only be
    // reachable over TLS. No session policy is set here, so default session handling applies.
    http.csrf().disable();
    http.httpBasic();
    // Anything that reached this chain needs the USER role.
    http.authorizeRequests().anyRequest().hasRole("USER");
  }
}

/**
 * Security filter chain for the browser/AngularJS side: form login at {@code /login}, logout open
 * to everyone, every other request requires an authenticated session.
 *
 * <p>With {@code @Order(2)} this chain runs after the SOAP chain and, having no
 * {@code antMatcher}, it receives every request that chain did not claim.
 */
@Configuration
@Order(2)
public static class HTTPSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // NOTE(review): the /soap/** rule below is never reached while the @Order(1) SOAP chain
    // exists, because that chain claims /soap/** first. If that chain were removed, this rule
    // would expose the SOAP endpoints without any authentication, so consider dropping it.
    http.authorizeRequests()
        .antMatchers("/soap/**").permitAll()
        .anyRequest().authenticated();
    // The login page itself must be open, or nobody could sign in.
    http.formLogin().loginPage("/login").permitAll();
    http.logout().permitAll();
  }
}

我意识到这不是一个很好的配置,因为在某些情况下,从浏览器或SOAP UI访问时,事情并不会按预期工作。

我的问题是:基于这些要求,实现安全性的好方法是什么?我这样使用此配置是否正确?

另外,我使用的是Spring Boot 1.3.2和Apache CXF 3.1.4。

2 个答案:

答案 0 :(得分:1)

我最终采用了下面这个可行的配置:

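    /**
     * Two independent security filter chains, one per client type.
     *
     * <ul>
     *   <li>{@link SOAPWebSecurityConfigurationAdapter} (order 1) owns {@code /soap/**}: HTTP
     *       Basic, stateless, no CSRF expectation, no request cache.</li>
     *   <li>{@link FormLoginWebSecurityConfigurerAdapter} (no explicit order, so it runs after the
     *       SOAP chain) owns everything else: form login at {@code /login} with CSRF protection
     *       left at its default, i.e. enabled.</li>
     * </ul>
     *
     * <p>Spring consults the chains in order and the first whose request matcher accepts the
     * request handles it, so the SOAP chain must carry the lower order value.
     */
    @Configuration
    @EnableWebSecurity
    public class MultiHttpSecurityConfig {

        /** Filter chain for SOAP clients: per-request Basic credentials, no HTTP session. */
        @Configuration
        @Order(1)
        public static class SOAPWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                        // This chain only ever sees /soap/** (antMatcher below), so ignoring that
                        // pattern means the CSRF check never applies here. Acceptable only because
                        // the chain is STATELESS: without a session cookie there is nothing to
                        // ride on.
                        .csrf().ignoringAntMatchers("/soap/**")
                            .and()
                        .antMatcher("/soap/**")
                        .authorizeRequests()
                            // Any authenticated principal is accepted; tighten to hasRole(...) if
                            // SOAP access should be limited to a subset of users.
                            .anyRequest().authenticated()
                            .and()
                        .httpBasic()
                            // Never create or reuse a session for SOAP calls: every request must
                            // carry credentials. Basic credentials are only base64-encoded, so
                            // serve this path over TLS.
                            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                            // No saved-request redirect for machine clients.
                            .and().requestCache().disable();
            }
        }

        /** Filter chain for the browser/AngularJS client: session-based form login. */
        @Configuration
        public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                        .authorizeRequests()
                        .anyRequest().authenticated()
                        .and()
                    .formLogin()
                        // The login page itself must be open, or nobody could sign in.
                        .loginPage("/login").permitAll()
                        .and()
                        .logout().permitAll();
            }
        }
    }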

答案 1 :(得分:0)

你可以试试下面这个配置,也许会对你有所帮助:

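/**
 * Single filter chain that protects {@code /rest/**} with a session-based form login (status-only
 * responses suited to an AngularJS client) and leaves every other path public.
 *
 * <p>NOTE(review): this does not implement the HTTP Basic requirement for {@code /soap/**} from
 * the question; those paths fall under the {@code /**} permitAll rule below.
 */
@Configuration
@EnableWebSecurity
@Profile("container")
public class SOAPSecurityConfig extends WebSecurityConfigurerAdapter {

    // Two AuthenticationProvider beans are injected by type. NOTE(review): with two candidates
    // Spring resolves each field by matching the field name against the bean name, so the beans
    // must be named exactly "authenticationProvider" and "authenticationProviderDB" — confirm
    // against their definitions.
    @Autowired
    private AuthenticationProvider authenticationProvider;

    @Autowired
    private AuthenticationProvider authenticationProviderDB;

    /**
     * Registers both providers. The resulting {@code ProviderManager} tries providers in
     * registration order, so {@code authenticationProvider} is consulted first and the database
     * provider second.
     *
     * <p>The original expressed this ordering with {@code @Order} on two methods; {@code @Order}
     * has no effect there, and {@code ConfigureGlobal} is not a Spring callback, so the second
     * provider was never registered at all. Calling it from here fixes that.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider);
        ConfigureGlobal(auth);
    }

    /**
     * Adds the database-backed provider. Not a Spring callback (note the capitalised name); it is
     * only reached through {@link #configure(AuthenticationManagerBuilder)} and is kept under its
     * original name for any existing subclass that overrides or calls it.
     */
    protected void ConfigureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProviderDB);
    }

    /**
     * Static resources bypass the security filter chain entirely, so nothing that needs
     * authentication may live under these paths.
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("/scripts/**", "/styles/**", "/images/**", "/error/**");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Only the REST API needs a login; "/**" makes every other path public, which is
                // why the original's trailing anyRequest().authenticated() could never match and
                // has been dropped.
                .antMatchers("/rest/**").authenticated()
                .antMatchers("/**").permitAll()
                .and()
            .formLogin()
                // The AngularJS client expects a bare status code, not a redirect, after login.
                .successHandler(new AuthenticationSuccessHandler() {
                    @Override
                    public void onAuthenticationSuccess(
                            HttpServletRequest request,
                            HttpServletResponse response,
                            Authentication a) throws IOException, ServletException {
                        response.setStatus(HttpServletResponse.SC_OK);
                    }
                })
                .failureHandler(new AuthenticationFailureHandler() {
                    @Override
                    public void onAuthenticationFailure(
                            HttpServletRequest request,
                            HttpServletResponse response,
                            AuthenticationException ae) throws IOException, ServletException {
                        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                    }
                })
                .loginProcessingUrl("/access/login")
                .and()
            .logout()
                .logoutUrl("/access/logout")
                .logoutSuccessHandler(new LogoutSuccessHandler() {
                    @Override
                    public void onLogoutSuccess(
                            HttpServletRequest request,
                            HttpServletResponse response,
                            Authentication a) throws IOException, ServletException {
                        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
                    }
                })
                .invalidateHttpSession(true)
                .and()
            .exceptionHandling()
                // Unauthenticated calls to /rest/** get 403 rather than 401, so the client cannot
                // tell "not logged in" from "not allowed". Consider a 401 entry point instead.
                .authenticationEntryPoint(new Http403ForbiddenEntryPoint())
                .and()
            // NOTE(review): CSRF is switched off for the whole application while authentication is
            // session-based (no stateless policy is set, and logout invalidates the session). Any
            // state-changing /rest/** endpoint is therefore callable from another origin the user's
            // browser visits. Prefer leaving CSRF enabled and handing the token to the AngularJS
            // client (cookie plus request header) instead of disabling it.
            .csrf().disable();
    }
}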