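Spring Security with annotations: separate paths (multiple entry points)

Time: 2016-08-16 14:55:48

Tags: java spring spring-mvc spring-security

I am using Spring Boot with annotations and Spring Security.

I need to implement two different kinds of authentication:

  1. ProviderApiAuthenticationProvider for "/providerrpc" and "/api/(system|provider|drm)/"
  2. TestAuthFilter (a custom authenticator, empty for now) for "/test/**"

With the current configuration, the application requests httpBasic authentication for both URLs, and TestAuthFilter::doFilter() is also called on both URLs. So, what's wrong?

WebSecurityConfig.java: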

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    
        private final ProviderApiAuthenticationProvider providerApiAuthenticationProvider;
    
        private final TestAuthFilter testAuthFilter;
    
        @Autowired
        public WebSecurityConfig(TestAuthFilter testAuthFilter, ProviderApiAuthenticationProvider providerApiAuthenticationProvider) {
            this.testAuthFilter = testAuthFilter;
            this.providerApiAuthenticationProvider = providerApiAuthenticationProvider;
        }
    
    
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(providerApiAuthenticationProvider);
        }
    
        @SuppressWarnings("SpellCheckingInspection")
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authenticationProvider(providerApiAuthenticationProvider)
                .authorizeRequests()
                    .regexMatchers(
                            "^/providerrpc/",
                            "^/api/(system|provider|drm)/"
                    )
                    .hasAuthority(Role.ROLE_PROVIDER_API.getAuthority())
                    .and()
                    .httpBasic()
                    .realmName("Provider API")
            .and()
                .addFilterBefore(testAuthFilter, BasicAuthenticationFilter.class)
                .authorizeRequests()
                    .antMatchers(
                            "/test/**"
                    )
                    .authenticated()
            .anyRequest()
            .permitAll()
            ;
        }
    }
    

TestAuthFilter.java:

    @Component
    public class TestAuthFilter extends GenericFilterBean {
    
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
            // TODO: Later implement via SecurityContextHolder.getContext().setAuthentication();
    
            chain.doFilter(request,response);
        }
    }
    

1 answer:

Answer 0: (score: 0)

I found the solution; the official documentation covers two separate authentication entry points: Spring Security: 5.7 Multiple HttpSecurity

Here is the solution:

MultiHttpSecurityConfig.java:

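    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    // Role is the application's own class (not shown on this page).
    @EnableWebSecurity
    public class MultiHttpSecurityConfig {

        // Chain 1 (consulted first): HTTP Basic for the REST API paths only.
        @Configuration
        @Order(1)
        public static class RestApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .antMatcher("/api/rest/**")   // this chain handles only these requests
                    .authorizeRequests()
                    .anyRequest().hasAuthority(Role.ROLE_USER.getAuthority())
                    .and()
                    .httpBasic()
                    .realmName("Rest API")
                    .and().csrf().disable()       // CSRF protection is off for this chain
                    ;
            }
        }

        // Chain 2: a separate HTTP Basic realm for the test area.
        @Configuration
        @Order(2)
        public static class TestWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    // As posted: "/test**" matches within one path segment only (/test, /testing);
                    // "/test/**" is the pattern that also covers sub-paths such as /test/foo.
                    .antMatcher("/test**")
                    .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                    .httpBasic()
                    .realmName("Test zone");
            }
        }
    }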