I have a SecurityConfig class in my Spring Boot 1.3.6 project, in which I apply a filter on HttpSecurity, as shown below:

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    @Order(1)
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Inject
        private TokenProvider tokenProvider;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf()
                    .disable()
                .headers()
                    .frameOptions()
                    .disable()
                .and()
                // Stateless API: no HTTP session is created or used
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                    .antMatchers("/api/logs/**").hasAuthority(AuthoritiesConstants.ADMIN)
                    .antMatchers("/api/**").permitAll()
                .and()
                // Registers the JWTFilter through the JWTConfig configurer below
                .apply(securityConfigurerAdapter());
        }

        private JWTConfig securityConfigurerAdapter() {
            return new JWTConfig(tokenProvider);
        }
    }

    public class JWTConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {

        private TokenProvider tokenProvider;

        public JWTConfig(TokenProvider tokenProvider) {
            this.tokenProvider = tokenProvider;
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // Place the JWT filter ahead of form-login authentication
            JWTFilter customFilter = new JWTFilter(tokenProvider);
            http.addFilterBefore(customFilter, UsernamePasswordAuthenticationFilter.class);
        }
    }

Now I have added an external dependency jar, which has a similar filter registration in its own SecurityConfig.

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        public void configure(final WebSecurity webSecurity) throws Exception {
            // These requests skip the security filter chain entirely
            webSecurity.ignoring().antMatchers(HttpMethod.GET, "/health").antMatchers(HttpMethod.OPTIONS, "/**");
        }

        @Override
        protected void configure(final HttpSecurity http) throws Exception {
            http.addFilterBefore(getTokenAuthenticationFilter(), BasicAuthenticationFilter.class);
            // getCorrelationIdFilter() is not shown in the post
            http.addFilterAfter(getCorrelationIdFilter(), TokenAuthenticationFilter.class);
            http.csrf().disable().authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll();
        }

        private TokenAuthenticationFilter getTokenAuthenticationFilter() {
            return new TokenAuthenticationFilter();
        }
    }

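I can see that the external jar's SecurityConfig class is hit first and registers its filters, and then, on application startup, the project's SecurityConfig gets invoked and registers the JWTFilter. But after the latter filter registration, when I inspect the HttpSecurity filters field, it contains only the JWTFilter.
After these filters are registered using different SecurityConfigs, is it possible to have all the filters registered into the same HttpSecurity filters?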
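
Added example, not part of the original post: each WebSecurityConfigurerAdapter gets its own HttpSecurity and builds its own SecurityFilterChain, so one way to verify which filters actually protect the application is to list every chain held by the FilterChainProxy at startup. The class name FilterChainAudit is hypothetical; it assumes a Spring Boot application with Spring Security on the classpath.

```java
// Added diagnostic, not code from the post; FilterChainAudit is a hypothetical name.
import java.util.List;
import javax.servlet.Filter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.CommandLineRunner;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Component;

@Component
public class FilterChainAudit implements CommandLineRunner {

    private static final Logger log = LoggerFactory.getLogger(FilterChainAudit.class);

    // Spring Security publishes the servlet filter it builds under this bean name.
    @Autowired
    @Qualifier("springSecurityFilterChain")
    private Filter springSecurityFilterChain;

    @Override
    public void run(String... args) {
        // With WebSecurity debug enabled the bean is a wrapper, not a FilterChainProxy.
        if (!(springSecurityFilterChain instanceof FilterChainProxy)) {
            log.warn("springSecurityFilterChain is {}, cannot list chains",
                    springSecurityFilterChain.getClass().getName());
            return;
        }
        List<SecurityFilterChain> chains =
                ((FilterChainProxy) springSecurityFilterChain).getFilterChains();
        for (int i = 0; i < chains.size(); i++) {
            SecurityFilterChain chain = chains.get(i);
            // Only the first chain whose matcher accepts a request is applied to it.
            Object matcher = chain instanceof DefaultSecurityFilterChain
                    ? ((DefaultSecurityFilterChain) chain).getRequestMatcher()
                    : chain.getClass().getName();
            log.info("chain #{} matcher={} filters={}", i, matcher, chain.getFilters().size());
            for (Filter f : chain.getFilters()) {
                log.info("    {}", f.getClass().getName());
            }
            if (chain.getFilters().isEmpty()) {
                log.info("    (empty chain: matching requests bypass all security filters)");
            }
        }
    }
}
```

A chain listed after another chain with a catch-all matcher never handles a request, so an authentication filter that appears only in such a chain is not being enforced.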