我在配置两个Spring Security适配器时遇到问题。一个将使用表单登录,另一个将是基本身份验证。问题是在通过基本身份验证成功通过身份验证后,我无法在onAuthenticationSuccess中调用CustomAuthenticationSuccessHandler方法。
以下是我的Java配置。感谢您的投入。
@EnableWebSecurity
public class MultiHttpSecurityConfig {
...
@Configuration
@Order(1)
public class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/auth/login")
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic()
.authenticationEntryPoint(customAuthenticationEntryPoint)
.and()
.addFilterBefore(authenticationTokenProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}
@Configuration
public class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/admin")
.hasRole("ADMIN")
.antMatchers("/admin**")
.hasRole("ADMIN")
.antMatchers("/**")
.authenticated()
.and()
.formLogin()
.successHandler(savedRequestAwareAuthenticationSuccessHandler)
.loginPage("/login")
.permitAll()
.failureUrl("/login?error")
.loginProcessingUrl("/auth/login_check")
.usernameParameter("username")
.passwordParameter("password")
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/login?logout")
.deleteCookies("JSESSIONID")
.invalidateHttpSession(true)
.and()
.exceptionHandling().accessDeniedPage("/denied")
.and()
.csrf()
.and()
.rememberMe().rememberMeServices(new PersistentTokenBasedRememberMeServices(internalSecretKey, userDetailsService, persistentTokenRepository))
.key(internalSecretKey)
.tokenValiditySeconds(1209600);
}
}
private AuthenticationTokenProcessingFilter authenticationTokenProcessingFilter(){
AuthenticationTokenProcessingFilter filter = new AuthenticationTokenProcessingFilter();
filter.setAuthenticationProvider(CustomAuthenticationProvider);
filter.setAuthenticationSuccessHandler(new CustomAuthenticationSuccessHandler());
filter.setAuthenticationFailureHandler(new CustomAuthenticationFailureHandler());
return filter;
}
}
以下是自定义过滤器的代码。
public class AuthenticationTokenProcessingFilter extends UsernamePasswordAuthenticationFilter {
...
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
System.out.println("Checking headers and parameters for authentication token...");
String token = null;
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
if (httpServletRequest.getParameter("token") != null) {
token = httpServletRequest.getParameter("token");
System.out.println("Found token '" + token + "' in request parameters");
} else if (httpServletRequest.getHeader("Authentication-token") != null) {
token = httpServletRequest.getHeader("Authentication-token");
System.out.println("Found token '" + token + "' in request headers");
}
if (token != null) {
authenticateUser(httpServletRequest, user);
}
chain.doFilter(request, response);
}
private void authenticateUser(HttpServletRequest request, UserDetails user) {
...
SecurityContext sc = securityContextProvider.getSecurityContext();
sc.setAuthentication(auth.authenticate(authentication));
}
}