我有一个Spring boot Web应用程序,它同时提供Web内容和公开REST服务。 Web内容受SiteMinder保护,REST服务受“基本身份验证”保护。
我使用Springs安全4.2.3。我的Java代码扩展了WebSecurityConfigurerAdapter类,我的configure(HttpSecurity)方法如下:
@Override
protected void configure(HttpSecurity http) throws Exception {
RequestHeaderAuthenticationFilter siteMinderFilter = new RequestHeaderAuthenticationFilter();
siteMinderFilter.setAuthenticationManager(authenticationManager());
http
// Error page is for everyone
.authorizeRequests()
.antMatchers("/error.html")
.permitAll()
.anyRequest()
.anonymous()
// Basic Auth for our REST services
.and()
.authorizeRequests()
.antMatchers("/services/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.httpBasic()
.authenticationEntryPoint(authenticationEntryPoint)
// Site-Minder protection for the web content
.and()
.addFilter(siteMinderFilter)
.authorizeRequests()
.antMatchers("/**").permitAll()
.anyRequest().hasRole(ApplicationConstants.SITE_MINDER_AUTHORITY);
http.addFilterAfter(new CustomFilter(), BasicAuthenticationFilter.class);
}
我的配置有问题吗?我的配置是否创建三个单独的过滤器?也许我的问题应该是,如何创建三个过滤器?
当我尝试使用PostMan /“基本身份验证”调用REST服务时,出现错误消息:
org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException: SM_USER header not found in request.
我希望该服务被调用,而是触发SiteMinder过滤器。