我有一个使用spring-security的spring-boot应用程序。安全配置分为多个WebSecurityConfigurerAdapter实例。
我有一个配置注销的地方:
@Override
protected void configure(HttpSecurity http) throws Exception {
// configure logout
http
.logout()
.logoutUrl("/logout")
.invalidateHttpSession(true)
.addLogoutHandler((request, response, authentication) -> {
System.out.println("logged out 1!");
})
.permitAll();
// ... more security configuration, e.g. login, CSRF, rememberme
}
除了添加另一个LogoutHandler之外,还有另一个WebSecurityConfigurerAdapter,除了添加另一个LogoutHandler之外我几乎什么都不做:
@Override
protected void configure(HttpSecurity http) throws Exception {
// configure logout
http
.logout()
.logoutUrl("/logout")
.addLogoutHandler((request, response, authentication) -> {
System.out.println("logged out 2!");
});
}
调用两个configure()方法。但是,如果我注销,则只调用第一个LogoutHandler。更改两个配置的@Order不会更改结果。
我的配置中缺少什么?
答案 0 :(得分:7)
当您创建多个安全配置时,Spring Boot将为每个配置创建一个单独的SecurityFilterChain。见WebSecurity:
@Override
protected Filter performBuild() throws Exception {
// ...
for (SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : securityFilterChainBuilders) {
securityFilterChains.add(securityFilterChainBuilder.build());
}
// ...
}
当应用程序获得注销请求时,FilterChainProxy将只返回一个SecurityFilterChain:
private List<Filter> getFilters(HttpServletRequest request) {
for (SecurityFilterChain chain : filterChains) {
// Only the first chain that matches logout request will be used:
if (chain.matches(request)) {
return chain.getFilters();
}
}
return null;
}
如果您确实需要模块化安全配置,我建议为注销和其他领域创建单独的安全配置。您可以在不同的配置类中将注销处理程序定义为bean(使用@Bean注释),并在注销配置中收集这些处理程序:
<强> WebSecurityLogoutConfiguration.java
@Configuration
@Order(99)
public class WebSecurityLogoutConfiguration extends WebSecurityConfigurerAdapter {
// ALL YOUR LOGOUT HANDLERS WILL BE IN THIS LIST
@Autowired
private List<LogoutHandler> logoutHandlers;
@Override
protected void configure(HttpSecurity http) throws Exception {
// configure only logout
http
.logout()
.logoutUrl("/logout")
.invalidateHttpSession(true)
// USE CompositeLogoutHandler
.addLogoutHandler(new CompositeLogoutHandler(logoutHandlers));
http.csrf().disable(); // for demo purposes
}
}
<强> WebSecurity1Configuration.java
@Configuration
@Order(101)
public class WebSecurity1Configuration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
// ... more security configuration, e.g. login, CSRF, rememberme
http.authorizeRequests()
.antMatchers("/secured/**")
.authenticated();
}
// LOGOUT HANDLER 1
@Bean
public LogoutHandler logoutHandler1() {
return (request, response, authentication) -> {
System.out.println("logged out 1!");
};
}
}
<强> WebSecurity2Configuration.java
@Configuration
@Order(102)
public class WebSecurity2Configuration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/api/**")
.permitAll();
}
// LOGOUT HANDLER 2
@Bean
public LogoutHandler logoutHandler2() {
return (request, response, authentication) -> {
System.out.println("logged out 2!");
};
}
}
答案 1 :(得分:0)
您应该使用单个/logout操作终结点上的CompositeLogoutHandler来解决此问题。
您仍然可以根据需要保留两个WebSecurityConfigurerAdapter,但是您将把两个LogoutHandler的注销功能合并为一个复合操作:
new CompositeLogoutHandler(loggedOutHandler1, loggedOutHandler2);
答案 2 :(得分:0)
关键点是你应该创建AuthenticationManger的单独实例。