Spring Boot 与 Spring Security:多个登录页面

时间:2016-09-19 14:41:05

标签: spring spring-security spring-boot

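@EnableWebSecurity
public class MultiHttpSecurityConfig {

    /**
     * First filter chain ({@code @Order(1)}): guards {@code /my/**} and {@code /account/**}
     * for ROLE_USER or ROLE_ADMIN and uses the form-login page {@code /login}.
     *
     * NOTE(review): no {@code requestMatcher(...)} is set, so - as the HttpSecurity Javadoc
     * states - this chain applies to every request. The {@code @Order(2)} chain below is
     * therefore never selected, which is why {@code /adminlogin} never appears. Restrict this
     * chain (for example {@code http.requestMatcher(new AntPathRequestMatcher("/my/**"))})
     * so that admin requests can fall through to the second chain.
     */
    @Configuration
    @Order(1)
    public static class App1ConfigurationAdapter extends WebSecurityConfigurerAdapter {
        // @Override was missing here (App2 has it): the compiler now checks that this really
        // overrides the adapter's hook instead of silently declaring an unrelated method.
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // NOTE(review): CSRF protection is disabled on a form-login chain; keep it
                // enabled unless every state-changing endpoint here is protected otherwise.
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/my/**", "/account/**").access("hasRole('ROLE_USER') or hasRole('ROLE_ADMIN')")
                .and()
                .formLogin().loginPage("/login");
        }
    }

    /**
     * Second filter chain ({@code @Order(2)}): guards {@code /admin/**} for ROLE_ADMIN and
     * uses the form-login page {@code /adminlogin}. It is only consulted for requests the
     * first chain does not claim (see the note on App1ConfigurationAdapter).
     */
    @Configuration
    @Order(2)
    public static class App2ConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // NOTE(review): CSRF disabled here as well - same caveat as in App1.
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
                .and()
                .formLogin().loginPage("/adminlogin");
        }
    }
}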

这应该是两个不同的登录表单。我的问题是:order 值最高的那个(/adminlogin)没有显示出来。有谁知道为什么?请帮忙。代码来自 Spring boot - how to configure multiple login pages?

按照索菲亚(Sofia)的建议,我尝试了这个:

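/**
 * User filter chain: applies to {@code /my/**} and to its own login URL {@code /login}.
 *
 * Spring Security's form login posts the credentials to the login page URL by default, and a
 * chain only ever sees requests that its request matcher accepts. With the matcher limited to
 * {@code /my/**} alone, neither the GET of {@code /login} nor the login POST reached this chain,
 * so the login URL has to be part of the matcher (or live under the matched prefix).
 */
@Configuration
@Order(2)
public static class UserConfigurationAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Scope this chain to the user area plus its login URL (see class comment).
            .requestMatchers().antMatchers("/my/**", "/login").and()
            // NOTE(review): CSRF protection is disabled on a form-login chain; keep it
            // enabled unless every state-changing endpoint here is protected otherwise.
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/my/**").access("hasRole('ROLE_USER')")
            .and()
            // permitAll() keeps the login page and its ?error redirect reachable without a session.
            .formLogin().loginPage("/login").permitAll();
    }
}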

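/**
 * Admin filter chain: applies to {@code /admin/**} and to its own login URL {@code /adminlogin}.
 *
 * Spring Security's form login posts the credentials to the login page URL by default, and a
 * chain only ever sees requests that its request matcher accepts. With the matcher limited to
 * {@code /admin/**} alone, {@code /adminlogin} never reached this chain and the request fell
 * through to whichever chain matched it next - hence {@code /login} showing up instead.
 */
@Configuration
@Order(1)
public static class AdminConfigurationAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Scope this chain to the admin area plus its login URL (see class comment).
            .requestMatchers().antMatchers("/admin/**", "/adminlogin").and()
            // NOTE(review): CSRF protection is disabled on a form-login chain; keep it
            // enabled unless every state-changing endpoint here is protected otherwise.
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
            .and()
            // permitAll() keeps the login page and its ?error redirect reachable without a session.
            .formLogin().loginPage("/adminlogin").permitAll();
    }
}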

但在这两种情况下都会跳转到 /login。

2 个答案:

答案 0 :(得分:2)

我认为您的管理员登录没有生效的原因是:首先,它的优先级不够高。

  

@Order 定义被注解组件的排序顺序。该值是可选的,表示 Ordered 接口中定义的顺序值。值越小,优先级越高。默认值为 Ordered.LOWEST_PRECEDENCE,表示最低优先级(会让位于任何其他显式指定的顺序值)。

其次,根据 HttpSecurity 的 Javadoc:

  

HttpSecurity 类似于命名空间配置中的 Spring Security XML `http` 元素。它允许为特定的 HTTP 请求配置基于 Web 的安全性。默认情况下它会应用于所有请求,但可以使用 requestMatcher(RequestMatcher) 或其他类似方法加以限制。

因此,请先配置 requestMatcher,尝试将该 HttpSecurity 对象限制为只对您的管理页面生效:

    // Scope this HttpSecurity to the admin area so it no longer claims every request
    // (an HttpSecurity without a request matcher applies to all requests by default).
    http
      .requestMatcher(new AntPathRequestMatcher("/admin/**"))
      // NOTE(review): CSRF protection is disabled on a form-login chain - keep it enabled
      // unless every state-changing endpoint under /admin/** is protected otherwise.
      .csrf().disable()      
      .authorizeRequests().antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
      // NOTE(review): /adminlogin lies outside /admin/**, so this chain will not see the login
      // page or the login POST (form login posts to the login page URL by default); put the
      // login URL under the matched prefix, or add it to the request matcher - TODO confirm.
      .and().formLogin().loginPage("/adminlogin");

答案 1 :(得分:0)

我用请求匹配器(request matcher)解决了这个问题:

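/**
 * Security configuration with two independent filter chains (admin and user). Each chain owns a
 * login page that lives under the URL prefix the chain matches, so the login GET and POST are
 * handled by the same chain that protects the area.
 *
 * The outer adapter only wires the authentication provider and the password encoder; it does
 * not override {@code configure(HttpSecurity)}, so the adapter's default chain applies to any
 * request neither nested chain matches.
 */
@Configuration
@EnableWebSecurity
public class AllConfig extends WebSecurityConfigurerAdapter {

    // Field injection kept as in the original; the field is private because nothing else,
    // including the nested static chains, reads it.
    @Autowired
    private MyUserDeatailService myuserDetailsService;

    /** Registers the DAO provider built by {@link #authProvider()}. */
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authProvider());
    }

    /**
     * BCrypt password encoder using the library's default work factor (10).
     *
     * The original requested strength 4, the lowest BCrypt accepts, which makes offline guessing
     * of leaked hashes far cheaper. Hashes already stored with cost 4 still verify, because
     * BCrypt records the cost inside each hash; only newly created hashes get the stronger cost.
     */
    @Bean
    public static BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /** DAO provider that authenticates against {@code myuserDetailsService} with {@link #passwordEncoder()}. */
    @Bean
    public AuthenticationProvider authProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(myuserDetailsService);
        provider.setPasswordEncoder(passwordEncoder());
        return provider;
    }

    /** Failure handler shared by both login forms. */
    @Bean
    public static AuthenticationFailureHandler customAuthenticationFailureHandler() {
        return new CustomAuthenticationFailureHandler();
    }

    /**
     * Admin chain: everything under {@code /admin/**}, including its login page
     * {@code /admin/adminlogin}, requires ROLE_ADMIN except the login page itself.
     */
    @Configuration
    @Order(1)
    public static class AdminSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatcher(new AntPathRequestMatcher("/admin/**"))
                // NOTE(review): CSRF protection is disabled on a form-login chain; keep it
                // enabled unless every state-changing endpoint here is protected otherwise.
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
                .and()
                .formLogin()
                    .loginPage("/admin/adminlogin").permitAll()
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .defaultSuccessUrl("/admin/AdminDashBoard")
                    .failureHandler(customAuthenticationFailureHandler())
                .and()
                // NOTE(review): /logout is outside /admin/**, so this chain's logout filter is
                // unlikely to ever see it; a logout URL under the matched prefix
                // (e.g. /admin/logout) would be handled here - TODO confirm.
                .logout()
                    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                    .logoutSuccessUrl("/home")
                .and()
                .exceptionHandling().accessDeniedPage("/403");
        }
    }

    /**
     * User chain: everything under {@code /user/**}, including its login page
     * {@code /user/userlogin}, requires ROLE_USER except the login page itself.
     */
    @Configuration
    @Order(2)
    public static class UserSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatcher(new AntPathRequestMatcher("/user/**"))
                // NOTE(review): CSRF disabled here as well - same caveat as in the admin chain.
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/user/**").access("hasRole('ROLE_USER')")
                .and()
                .formLogin()
                    .loginPage("/user/userlogin").permitAll()
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .defaultSuccessUrl("/user/UserDashBoard")
                    .failureHandler(customAuthenticationFailureHandler())
                .and()
                // NOTE(review): same as the admin chain - /logout lies outside /user/**.
                .logout()
                    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                    .logoutSuccessUrl("/")
                .and()
                .exceptionHandling().accessDeniedPage("/403");
        }
    }
}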