我正在开发具有Spring Security的Web应用程序,该应用程序将被Web用户和android用户使用。目前,我已经配置了WebSecurityConfigurerAdapter
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
private UserDetailsService userDetailsService;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/","/about","/contact","/v1/**").permitAll()
.antMatchers("/admin/otp").hasRole("PRE_AUTH_USER")
.antMatchers("/admin/**").hasAnyRole("SuperAdmin","BackOffice")
.antMatchers("/admin/dashboard/**").hasAnyRole("BankAdmin","CallAdmin")
//.antMatchers("/api/**").hasRole("FieldPerson")
.anyRequest().authenticated();
http.formLogin()
.loginPage("/admin/login")
.permitAll()
.defaultSuccessUrl("/admin/otp", true)
.and()
.logout()
.logoutSuccessUrl("/admin/login")
.permitAll();
http.exceptionHandling().accessDeniedPage("/error/403");
}
@Bean
public DaoAuthenticationProvider authProvider(){
DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
authProvider.setUserDetailsService(userDetailsService);
authProvider.setPasswordEncoder(new BCryptPasswordEncoder(12));
return authProvider;
}
@Autowired
public void registerAuthentication(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception{
auth.userDetailsService(userDetailsService).and().authenticationProvider(authProvider());
}
}
这很完美,但是我想在没有任何otp验证屏幕的情况下使用相同的配置进行REST api验证(基本上是2FA,适用于网络用户的GOOGLE Authenticator)。所以我只想为android用户配置数据库身份验证。我尝试了this解决方案,但因发布user is not anonymous
而失败。基本上,我只想配置每当用户点击/api/**
时就应该对其进行授权。