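So, while migrating to the JavaConfig style of Spring Security, I ran into a problem with a custom securityMetadataSource. It doesn't seem to be picked up automatically, and I don't know how to include it in the http security wizard. Since we have multiple site configurations that can each have different security settings, we keep the security in a separate site-specific configuration class:

    @Bean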
    DefaultFilterInvocationSecurityMetadataSource securityMetadataSource() {
        SecurityExpressionHandler<FilterInvocation> securityExpressionHandler = new DefaultWebSecurityExpressionHandler();
        // LinkedHashMap keeps insertion order; the first matching pattern wins,
        // so the catch-all "/**" rule has to stay last.
        LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> map = new LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>>();
        processSecurityPath(map, "/signin/**", "permitAll");
        processSecurityPath(map, "/redirect/**", "permitAll");
        processSecurityPath(map, "/*/*/account/g_product/add*/**", "hasAnyRole('ROLE_ADMIN','ROLE_EDITOR')");
        processSecurityPath(map, "/**", "permitAll");
        ExpressionBasedFilterInvocationSecurityMetadataSource ms = new ExpressionBasedFilterInvocationSecurityMetadataSource(map, securityExpressionHandler);
        return ms;
    }

    // Maps one Ant-style path pattern to a single security expression.
    private void processSecurityPath(LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> map, String path, String securityRule) {
        map.put(new AntPathRequestMatcher(path), Arrays.<ConfigAttribute>asList(new SecurityConfig(securityRule)));
    }

This is the main security configuration:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilter(myFilterSecurityInterceptor)
            .addFilterBefore(authenticationFilter(), UsernamePasswordAuthenticationFilter.class)
            .exceptionHandling().accessDeniedHandler(new MyAccessDeniedHandler())
            .and()
            .authorizeRequests()
            // .anyRequest().authenticated() // this should be handled by the DefaultFilterInvocationSecurityMetadataSource that is part of the project specific config
[...]