Converting multiple security http configurations from XML to Java config

Time: 2016-11-01 11:55:32

Tags: java spring spring-boot cas spring-java-config

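I have multiple security:http configurations in my XML, each with a different entry-point-ref. I am trying to convert this configuration to Java config.

I have read that this can be done using multiple subclasses that extend WebSecurityConfigurerAdapter.

How should I configure the entry-point-ref for each of them in Java config?

The following is the XML configuration.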

<security:http request-matcher-ref="preReqMatcher" auto-config="false" use-expressions="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
    <custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter" />
    <custom-filter after="CAS_FILTER" ref="attrFilter" />
    <intercept-url pattern="/**" access="ROLE_USER" />  
    <csrf disabled="true"/> 
</security:http> 

<security:http auto-config="true" entry-point-ref="casEntryPoint" use-expressions="false" disable-url-rewriting="false">
    <custom-filter position="CAS_FILTER" ref="casFilter" />
    <custom-filter after="CAS_FILTER" ref="attrFilter" />
    <intercept-url pattern="/**" access="ROLE_USER" />
    <custom-filter ref="testFilter" before="CAS_FILTER" />
    <csrf disabled="true"/>
</security:http>

2 answers:

Answer 0: (score: 0)

Configuring security with Java classes starts with having @Configuration classes that subclass org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter for the "web" part (requests) and org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration for the "global" part (service layer).

In the subclass of WebSecurityConfigurerAdapter you have to override some "configure(...)" methods: (just examples...)

// Requests matching these patterns bypass the Spring Security filter chain entirely.
public void configure(final WebSecurity web) throws Exception {
    //  @formatter:off
    web.ignoring()
        .antMatchers("/*.html","/*.ico","/css/**","/html/**","/i18n/**","/img/**","/js/**","/lib/**");
    //  @formatter:on
}

// Per-request rules: response headers, CSRF, custom filters, URL authorization, sessions.
protected void configure(final HttpSecurity http) throws Exception {
    http.headers()
            .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
        .and()
            .csrf().disable()
            .addFilterAfter(jeePreAuthenticatedFilter(), AbstractPreAuthenticatedProcessingFilter.class)
            .addFilterBefore(new BasicAuthenticationFilter(authenticationManagerBean()),
                UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(switchUserProcessingFilter(), SwitchUserFilter.class)
            .authorizeRequests()
                .antMatchers("/*.html","/*.ico","/css/**","/html/**","/i18n/**","/img/**","/js/**","/lib/**").permitAll()
                .anyRequest().authenticated()
        .and()
            .sessionManagement()
            // sessionFixation().none() keeps the existing session unchanged at login,
            // i.e. session-fixation protection is switched off.
            .sessionFixation().none().maximumSessions(maxSessionsPerUser)
            .sessionRegistry(sessionRegistry);
}

protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(basicDAOAuthenticationProvider());
    auth.authenticationProvider(preauthAuthProvider());
}

In that @Configuration class you should/can also have the MethodSecurityMetadataSource, AccessDecisionManager, AccessDecisionVoter, ... your authentication providers, ...

The same principle applies to your @Configuration subclass of GlobalMethodSecurityConfiguration:

protected AccessDecisionManager accessDecisionManager() {
...
}

protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
...
}

protected MethodSecurityExpressionHandler createExpressionHandler() {
    ...;
}


@Bean
public MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
...
}

Answer 1: (score: 0)

Here is how I figured out how to configure the entry point.

http.httpBasic().authenticationEntryPoint(preAuthenticatedProcessingFilterEntryPoint);
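
Added example (not part of either answer and not the asker's project code): the two security:http blocks from the question mapped onto two ordered WebSecurityConfigurerAdapter subclasses, each setting its own entry point through exceptionHandling() rather than the httpBasic() call shown above. It assumes Spring Security 4.x or 5.x (the adapter class was removed in 6.0) with spring-security-cas on the classpath, and that the XML bean ids exist as beans of the field types used here. The class names MultiHttpSecurityConfig, PreAuthChain and CasChain are hypothetical, and auto-config="true" is not reproduced.

```java
import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Assumption: field names equal the XML bean ids, so @Autowired resolves by name when a type has several beans.
@EnableWebSecurity
public class MultiHttpSecurityConfig {
    // First <security:http>: restricted by request-matcher-ref, so it must be consulted first.
    @Configuration @Order(1) // values must be unique; the lowest-order chain that matches wins
    static class PreAuthChain extends WebSecurityConfigurerAdapter {
        @Autowired RequestMatcher preReqMatcher;
        @Autowired AuthenticationEntryPoint preAuthenticatedProcessingFilterEntryPoint;
        @Autowired AbstractPreAuthenticatedProcessingFilter preAuthFilter; // assumed type
        @Autowired Filter attrFilter;
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatcher(preReqMatcher)                             // request-matcher-ref
                .exceptionHandling().authenticationEntryPoint(preAuthenticatedProcessingFilterEntryPoint).and()
                .addFilter(preAuthFilter)                                  // goes to the slot registered for its class
                .addFilterAfter(attrFilter, CasAuthenticationFilter.class) // after="CAS_FILTER"
                .authorizeRequests().anyRequest().hasRole("USER").and().csrf().disable();
        }
    }
    // Second <security:http>: no matcher, so it catches every request the first chain did not.
    @Configuration @Order(2)
    static class CasChain extends WebSecurityConfigurerAdapter {
        @Autowired AuthenticationEntryPoint casEntryPoint;
        @Autowired CasAuthenticationFilter casFilter; // assumed type
        @Autowired Filter attrFilter;
        @Autowired Filter testFilter;
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.exceptionHandling().authenticationEntryPoint(casEntryPoint).and() // entry-point-ref
                .addFilter(casFilter)                                       // position="CAS_FILTER"
                .addFilterAfter(attrFilter, CasAuthenticationFilter.class)  // after="CAS_FILTER"
                .addFilterBefore(testFilter, CasAuthenticationFilter.class) // before="CAS_FILTER"
                .authorizeRequests().anyRequest().hasRole("USER").and().csrf().disable();
        }
    }
}
```

Without distinct @Order values both adapters default to order 100 and the application context fails to start. If the catch-all chain received the lower order, it would shadow the matcher-restricted one.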