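Guys, my problem is that I'm trying to configure a Spring Security layer that implements multiple providers and filters. However, the way I'm doing it isn't working.

I have two providers, one for login/password authentication and another for partner key authentication. Both providers work with JWT token generation.

`LoginAuthenticationProvider` = login/password

`PartnerTokenAuthenticationProvider` = partner key

For these rules I have two sets of navigation rules, for which I need to specify a specific filter to validate the token.

`TokenProvider` = contains the user/pass filter rules

`PartnerTokenProvider` = contains the partner filter rules

My configuration is as follows: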
```java
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    public void initialize(AuthenticationManagerBuilder builder, DataSource dataSource) throws Exception {
        builder.jdbcAuthentication().dataSource(dataSource);
    }

    @Configuration
    @Order(1)
    @EnableConfigurationProperties(PartnerSecurityProperties.class)
    public static class ApiPartnerWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private PartnerTokenAuthenticationProvider partnerAuthProvider;

        @Autowired
        private PartnerTokenProvider partnerTokenProvider;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers(POST, "/partner/generate_token").permitAll()
                    .antMatchers(OPTIONS, "/partner/**").permitAll()
                    .antMatchers("/partner/**").authenticated()
                    .and()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .csrf().disable()
                .headers().frameOptions().disable()
                    .and()
                .apply(securityConfigurerAdapter());
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(partnerAuthProvider);
        }

        private JWTConfigurer securityConfigurerAdapter() {
            return new JWTConfigurer(partnerTokenProvider);
        }
    }

    @Configuration
    @Order(2)
    @EnableConfigurationProperties(SecurityProperties.class)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private UserDetailsService userDetailsService;

        @Autowired
        public PasswordEncoder passwordEncoder;

        @Autowired
        private LoginAuthenticationProvider authProvider;

        @Autowired
        private TokenProvider tokenProvider;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/").permitAll()
                    .antMatchers("/manage/**").permitAll()
                    .antMatchers("/h2-console/**").permitAll()
                    .antMatchers(POST, "/api/login").permitAll()
                    .antMatchers(OPTIONS, "/api/**").permitAll()
                    .antMatchers("/api/**").authenticated()
                    .anyRequest().authenticated()
                    .and()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .csrf().disable()
                .headers().frameOptions().disable()
                    .and()
                .apply(securityConfigurerAdapter());
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(authProvider);
            auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
        }

        private JWTConfigurer securityConfigurerAdapter() {
            return new JWTConfigurer(tokenProvider);
        }
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

What I want to do is:

`PartnerTokenAuthenticationProvider` provider and `PartnerTokenProvider` filter, and

`LoginAuthenticationProvider` provider and `TokenProvider` filter.

Some configurations I've tried:

This way, no provider is found during the request: when I try to access any URL from configuration 1 (Order(1)), no valid provider is found; it should be `PartnerTokenAuthenticationProvider`.

And if I change the configuration to put both providers in the parent configuration, then it works fine.
```java
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private PartnerTokenAuthenticationProvider partnerAuthProvider;

    @Autowired
    private LoginAuthenticationProvider authProvider;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authProvider);
        auth.authenticationProvider(partnerAuthProvider);
    }

    @Autowired
    public void initialize(AuthenticationManagerBuilder builder, DataSource dataSource) throws Exception {
        builder.jdbcAuthentication().dataSource(dataSource);
    }

    @Configuration
    @Order(1)
    @EnableConfigurationProperties(PartnerSecurityProperties.class)
    public static class ApiPartnerWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private PartnerTokenProvider partnerTokenProvider;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers(POST, "/partner/generate_token").permitAll()
                    .antMatchers(OPTIONS, "/partner/**").permitAll()
                    .antMatchers("/partner/**").authenticated()
                    .and()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .csrf().disable()
                .headers().frameOptions().disable()
                    .and()
                .apply(securityConfigurerAdapter());
        }

        private JWTConfigurer securityConfigurerAdapter() {
            return new JWTConfigurer(partnerTokenProvider);
        }
    }

    @Configuration
    @Order(2)
    @EnableConfigurationProperties(SecurityProperties.class)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private UserDetailsService userDetailsService;

        @Autowired
        public PasswordEncoder passwordEncoder;

        @Autowired
        private TokenProvider tokenProvider;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/").permitAll()
                    .antMatchers("/manage/**").permitAll()
                    .antMatchers("/h2-console/**").permitAll()
                    .antMatchers(POST, "/api/login").permitAll()
                    .antMatchers(OPTIONS, "/api/**").permitAll()
                    .antMatchers("/api/**").authenticated()
                    .anyRequest().authenticated()
                    .and()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .csrf().disable()
                .headers().frameOptions().disable()
                    .and()
                .apply(securityConfigurerAdapter());
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
        }

        private JWTConfigurer securityConfigurerAdapter() {
            return new JWTConfigurer(tokenProvider);
        }
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

But on the other hand, any call to a URL in group 2 (Order(2)) ends up using the filter from Order(1), `PartnerTokenProvider`, instead of calling the filter in ().

I'm working hard on this, but nothing so far... I'd be glad to get any help.
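
An added example, not part of the original question: neither `HttpSecurity` in the question is scoped to a URL pattern, so each filter chain matches every request and the first chain by order, Order(1), handles `/api/**` calls as well. The sketch below scopes the partner chain with `antMatcher("/partner/**")`; it is written as a top-level class for brevity and assumes the question's own `PartnerTokenAuthenticationProvider`, `PartnerTokenProvider` and `JWTConfigurer` exist unchanged.

```java
import static org.springframework.http.HttpMethod.OPTIONS;
import static org.springframework.http.HttpMethod.POST;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Partner chain only. The three partner/JWT types are the question's classes (assumed).
@Configuration
@Order(1)
public class ApiPartnerWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private PartnerTokenAuthenticationProvider partnerAuthProvider;

    @Autowired
    private PartnerTokenProvider partnerTokenProvider;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Scope the whole chain. Without this, the chain matches any request,
            // and the first matching chain (lowest @Order) is the one applied.
            .antMatcher("/partner/**")
            .authorizeRequests()
                .antMatchers(POST, "/partner/generate_token").permitAll()
                .antMatchers(OPTIONS, "/partner/**").permitAll()
                // Everything else under /partner/** needs a valid partner token.
                .anyRequest().authenticated()
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .csrf().disable()
            // The partner JWT filter is now installed only on the /partner/** chain.
            .apply(new JWTConfigurer(partnerTokenProvider));
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Registers the partner provider on this chain's own AuthenticationManager.
        auth.authenticationProvider(partnerAuthProvider);
    }
}
```

With the Order(1) chain limited to `/partner/**`, the Order(2) configuration can stay unscoped as the catch-all, so `/api/**` requests reach the chain that carries the `TokenProvider` filter.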