Spring Security为两个不同的URL配置两个不同的身份验证

时间:2018-07-23 06:03:33

标签: rest spring-boot spring-security

我正在开发具有Spring Security的Web应用程序,该应用程序将被Web用户和android用户使用。目前,我已经配置了WebSecurityConfigurerAdapter

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{

@Autowired
private UserDetailsService userDetailsService;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/","/about","/contact","/v1/**").permitAll()
            .antMatchers("/admin/otp").hasRole("PRE_AUTH_USER")
            .antMatchers("/admin/**").hasAnyRole("SuperAdmin","BackOffice")
            .antMatchers("/admin/dashboard/**").hasAnyRole("BankAdmin","CallAdmin")
            //.antMatchers("/api/**").hasRole("FieldPerson")
            .anyRequest().authenticated();

    http.formLogin()
            .loginPage("/admin/login")
            .permitAll()
            .defaultSuccessUrl("/admin/otp", true)
            .and()
        .logout()
            .logoutSuccessUrl("/admin/login")
            .permitAll();

    http.exceptionHandling().accessDeniedPage("/error/403");
}

@Bean
public DaoAuthenticationProvider authProvider(){
    DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
    authProvider.setUserDetailsService(userDetailsService);
    authProvider.setPasswordEncoder(new BCryptPasswordEncoder(12));
    return authProvider;
}

@Autowired
public void registerAuthentication(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService);
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception{
    auth.userDetailsService(userDetailsService).and().authenticationProvider(authProvider());
}
}

这很完美,但是我想在没有任何otp验证屏幕的情况下使用相同的配置进行REST api验证(基本上是2FA,适用于网络用户的GOOGLE Authenticator)。所以我只想为android用户配置数据库身份验证。我尝试了this解决方案,但因发布user is not anonymous而失败。基本上,我只想配置每当用户点击/api/**时就应该对其进行授权。

0 个答案:

没有答案