我们正在使用Thymeleaf模板开发一个标准的Spring Boot Web应用程序,但是在/api/**处有一个通过AJAX调用的API。
我们正在为应用程序和API使用Spring Security的标准基于cookie的表单身份验证。对于应用程序,我们希望Spring Security以默认方式运行,对于API,我们希望为返回AuthenticationSuccessHandler等提供自定义200 OK等,而不是重定向到 success < / em>或失败网址。
我无法弄清楚如何使用Java配置来配置它。在configure方法中,我尝试将http配置两次,如下所示,但它似乎不起作用:
// For the API
http.antMatcher("/api/**")
.formLogin()
.successHandler(authenticationSuccessHandler)
.failureHandler(authenticationFailureHandler())
.and()
.logout()
.logoutSuccessHandler(logoutSuccessHandler)
.invalidateHttpSession(true)
.deleteCookies("JSESSIONID")
.and()
.exceptionHandling()
.authenticationEntryPoint(new Http403ForbiddenEntryPoint())
.and()
.rememberMe()
.key(properties.getRememberMeKey())
.rememberMeServices(rememberMeServices())
.and()
.csrf()
.csrfTokenRepository(csrfTokenRepository())
.and()
.addFilterAfter(new LemonCsrfFilter(), CsrfFilter.class)
.addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class)
.authorizeRequests()
.antMatchers("/login/impersonate*").hasRole(GOOD_ADMIN)
.antMatchers("/logout/impersonate*").authenticated()
.antMatchers("/**").permitAll();
// For the application pages
http
.authorizeRequests()
.antMatchers("/login/impersonate*").hasRole(GOOD_ADMIN)
.antMatchers("/logout/impersonate*").authenticated()
.anyRequest().permitAll()
.and()
.formLogin()
.loginPage("/login").permitAll()
.and()
.logout().permitAll()
.and()
.rememberMe()
.key(properties.getRememberMeKey())
.rememberMeServices(rememberMeServices())
.and()
.csrf()
.csrfTokenRepository(csrfTokenRepository())
.and()
.addFilterAfter(new LemonCsrfFilter(), CsrfFilter.class)
.addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class);