目前,我试图找出如何阻止每个请求,除了一些使用基本身份验证保护的路由。
这些路由的信息存储在我的实用程序对象List的{{1}}中(从某个配置文件中读取),其中包含基本身份验证的用户名/密码,需要角色和受保护的URL -pattern。
到目前为止,我能够配置SecurityConstraintInfo,但我尝试配置AuthenticationManagerBuilder - 部分失败了。
例如,通过用户a 给我打电话,其中用户b 的限制路径为http状态代码200.使用HttpSecurity进行示例调用:
curl -v --user a:a http://localhost:8080/b/xxx
我想要走的路是5.9 Multiple HttpSecurity中提到Creating multiple HTTP sections in Spring Security Java Config。
如何动态注册http部分?它应该是可行的,因为通过XML的Spring Security配置必须以某种方式动态配置cURL元素。
安全-配置:
<http>控制器:
package com.example.demo;
import java.util.Arrays;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private final List<SecurityConstraintInfo> securityConstraints = Arrays
.asList(new SecurityConstraintInfo("a", "a", "a", "a/**"), new SecurityConstraintInfo("b", "b", "b", "b/**"));
@Override
protected void configure(final HttpSecurity http) throws Exception {
for (final SecurityConstraintInfo securityConstraintInfo : securityConstraints) {
http.authorizeRequests() //
.antMatchers(securityConstraintInfo.getUrlPattern()) //
.hasRole(securityConstraintInfo.getRolename()) //
.and() //
.httpBasic();
}
http.authorizeRequests().anyRequest().authenticated();
}
@Autowired
public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception {
final InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> inMemoryAuthentication =
auth.inMemoryAuthentication();
inMemoryAuthentication.passwordEncoder(passwordEncoder());
for (final SecurityConstraintInfo securityConstraintInfo : securityConstraints) {
inMemoryAuthentication.withUser(securityConstraintInfo.getUsername())
.password(securityConstraintInfo.getPassword()).roles(securityConstraintInfo.getRolename());
}
}
@Bean
public PasswordEncoder passwordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
public class SecurityConstraintInfo {
private String username;
private String password;
private String rolename;
private String urlPattern;
public SecurityConstraintInfo(final String username, final String password, final String rolename,
final String urlPattern) {
this.username = username;
this.password = password;
this.rolename = rolename;
this.urlPattern = urlPattern;
}
public String getUsername() {
return username;
}
public void setUsername(final String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(final String password) {
this.password = password;
}
public String getRolename() {
return rolename;
}
public void setRolename(final String rolename) {
this.rolename = rolename;
}
public String getUrlPattern() {
return urlPattern;
}
public void setUrlPattern(final String urlPattern) {
this.urlPattern = urlPattern;
}
}
}
启动:
package com.example.demo;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class DemoController {
@GetMapping("a/*")
public String callA() {
return "a";
}
@GetMapping("b/*")
public String callB() {
return "b";
}
}
的pom.xml:
package com.example.demo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class DemoApplication {
public static void main(String[] args) {
SpringApplication.run(DemoApplication.class, args);
}
}