Spring Security Java配置和多个http入口点

时间:2019-01-11 04:19:55

标签: spring-security

^ _ ^

我正在尝试用 Spring Security 同时保护一个 RESTful API 和一个 Web 应用。问题是:当我发送 REST 请求时,收到的是 HTML 页面而不是 JSON 响应。下面是我的配置,请帮我检查一下,任何建议都欢迎。

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

import com.example.jjjj.faces.MySimpleUrlAuthenticationSuccessHandler;
import com.example.jjjj.security.jwt.JwtAuthEntryPoint;
import com.example.jjjj.security.services.UserDetailsServiceImpl;

/**
 * Two Spring Security filter chains in one configuration: a stateless, JWT-based chain
 * for the REST API and a form-login chain for the JSF web application.
 *
 * NOTE(review): neither nested adapter calls {@code http.antMatcher(...)}, so each chain
 * matches every request and only the chain with the highest precedence is ever consulted.
 * The form-login adapter below carries {@code @Order(1)}, so it also receives the REST
 * calls; its response to an unauthenticated request is a redirect to {@code /login.xhtml},
 * which is why the API client sees an HTML page instead of JSON.  The API adapter is never
 * reached.
 */
@EnableWebSecurity
public class MultiHttpSecurityConfig {



    @Autowired
    UserDetailsServiceImpl userDetailsService;  // injected here but not wired into either adapter in this listing



    /** Success handler for the form-login chain; static so the nested adapter can call it. */
    @Bean
    public static AuthenticationSuccessHandler myAuthenticationSuccessHandler(){
        return new MySimpleUrlAuthenticationSuccessHandler();
    }


    /**
     * Stateless JWT chain for the REST API.
     * No {@code @Order} and no request matcher: see the class comment -- as written this chain
     * is shadowed by the {@code @Order(1)} form-login chain for every URL.
     */
    @Configuration
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Autowired
        private JwtAuthEntryPoint unauthorizedHandler;  // answers unauthenticated API calls instead of redirecting to a login page


        // NOTE(review): missing @Override (compare the form-login adapter below); add it so a
        // signature typo cannot silently turn this into an unused overload.
        protected void configure(HttpSecurity http) throws Exception {





            // /api/auth/** is open (login / token issue); everything else on this chain needs an
            // authenticated principal; failures go to the JWT entry point; no HTTP session is created.
            http.cors().and().csrf().disable().
            authorizeRequests()
            .antMatchers("/api/auth/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
            // NOTE(review): nothing in this listing registers a JWT filter on this chain (the
            // addFilterBefore call further down is commented out), so with a STATELESS session
            // "authenticated()" can never be satisfied here -- confirm where the token filter is added.




            // The commented-out variant below is the one that scopes the chain with
            // antMatcher("/api/**"); that request matcher is exactly what is missing above.
//          http
//              .antMatcher("/api/**")                               
//              .authorizeRequests()
//                  .anyRequest().hasRole("ADMIN")
//                  .and()
//              .httpBasic();
        }
    }

    /**
     * Form-login chain for the JSF web application.  Because it declares no request matcher,
     * {@code @Order(1)} makes it the chain for every request, including the REST calls.
     */
    @Configuration  
    @Order(1)                                                        

    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {


            // Each authorizeRequests() call returns the same registry, so these rules accumulate in
            // declaration order; the first matching rule wins.
            http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN");                                      
            http.authorizeRequests().antMatchers("/company/**").hasRole("COMPANY_DATA_ENTRY_AGENT");                                      

            /*
            http.cors().and().csrf().disable().
            authorizeRequests()
            .antMatchers("/api/auth/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
            */

            // require all requests to be authenticated except for the resources
            // (for an unauthenticated REST call this is the rule that triggers the form-login
            // entry point, i.e. the redirect to /login.xhtml)
            http.authorizeRequests().antMatchers("/javax.faces.resource/**").permitAll().anyRequest().authenticated();

            //http.authorizeRequests().antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')");




            //http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);


            // login: the login page itself is permitAll so the redirect target is reachable
            http.formLogin().loginPage("/login.xhtml").successHandler(myAuthenticationSuccessHandler()).permitAll().failureUrl("/login.xhtml?error=true");
            // logout
            http.logout().logoutSuccessUrl("/login.xhtml");

            // not needed as JSF 2.2 is implicitly protected against CSRF
            http.csrf().disable();






//          http
//              .authorizeRequests()
//                  .anyRequest().authenticated()
//                  .and()
//              .formLogin();
        }
    }
}

API 的配置单独使用时工作正常,Web 应用的配置单独使用时也一样;但当我像上面那样把两者放在一起时,只有带 @Order(1) 的那个生效。

请帮助!!! 谢谢。

1 个答案:

答案 0 :(得分:1)

你好,大家好!

刚刚解决了问题

这是正确的配置^ _ ^

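/**
 * Two Spring Security filter chains in one configuration.
 *
 * <ul>
 *   <li>{@link ApiWebSecurityConfigurationAdapter} -- stateless, JWT-based chain that owns
 *       {@code /api/**} and never answers with an HTML login page.</li>
 *   <li>{@link FormLoginWebSecurityConfigurerAdapter} -- form-login chain for the JSF web
 *       application; it handles every request the API chain does not claim.</li>
 * </ul>
 *
 * The chain that should answer a request is chosen by precedence ({@code @Order}) and by the
 * request matcher each chain declares.  A chain with no request matcher matches every URL, so
 * two unscoped chains can never coexist: the higher-precedence one silently swallows all
 * requests and the other is dead code.  The API chain is therefore scoped with
 * {@code http.antMatcher("/api/**")} and given the higher precedence.
 *
 * Shared beans (password encoder, success handler, global authentication manager) live on this
 * outer class once.  Declaring the same {@code @Bean} method in both nested adapters registers
 * two bean definitions under one name, which -- depending on the Spring Boot version -- either
 * fails at startup or lets one definition override the other.
 */
@EnableWebSecurity
@EnableGlobalMethodSecurity(
        prePostEnabled = true
)
public class MultiHttpSecurityConfig {

    @Autowired
    UserDetailsServiceImpl userDetailsService;

    /** Single BCrypt encoder used by both chains. BCrypt is stateless, so one instance is enough. */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /** Success handler for the form-login chain; static so the nested adapter can call it directly. */
    @Bean
    public static AuthenticationSuccessHandler myAuthenticationSuccessHandler() {
        return new MySimpleUrlAuthenticationSuccessHandler();
    }

    /**
     * Configures the global {@link AuthenticationManagerBuilder} once; each adapter's local
     * authentication manager falls back to this parent, so both chains authenticate against the
     * same user store and encoder without each adapter repeating the wiring.
     *
     * @param auth the global builder provided by {@code @EnableWebSecurity}
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .userDetailsService(userDetailsService)
                .passwordEncoder(passwordEncoder());
    }

    /**
     * REST API chain: JWT, stateless, JSON error responses.
     *
     * {@code @Order(1)} plus {@code antMatcher("/api/**")} means this chain is consulted first but
     * only for API URLs; everything else falls through to the form-login chain.
     */
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        /** Replies to unauthenticated API calls (e.g. 401) instead of redirecting to a login page. */
        @Autowired
        private JwtAuthEntryPoint unauthorizedHandler;

        /**
         * Exposes this chain's {@link AuthenticationManager} as a bean (e.g. for a token-issuing
         * controller under {@code /api/auth}). Only one adapter may declare this bean.
         *
         * @return the authentication manager of this chain
         * @throws Exception propagated from the adapter
         */
        @Bean
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        /**
         * {@code /api/auth/**} is open (login / token issue); every other API request needs an
         * authenticated principal. No HTTP session is created, and authentication failures are
         * delegated to the JWT entry point.
         *
         * @param http builder for this chain
         * @throws Exception propagated from the builder
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // scope of this chain; without it the chain would match every request
                .antMatcher("/api/**")
                .cors().and()
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/api/auth/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
            // NOTE(review): no JWT filter is registered on this chain in this listing (the
            // addFilterBefore call is commented out), so "authenticated()" cannot be satisfied
            // until a token filter is added here -- confirm where that happens.
        }
    }

    /**
     * Form-login chain for the JSF web application.
     *
     * Lower precedence than the API chain and no request matcher, so it handles everything that
     * is not {@code /api/**}. All requests are authenticated by default; only the JSF resources
     * and the login page itself are open.
     */
    @Configuration
    @Order(2)
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        /**
         * Role-based rules for the admin and company areas, default-deny for everything else,
         * form login / logout on {@code /login.xhtml}.
         *
         * @param http builder for this chain
         * @throws Exception propagated from the builder
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {

            // not needed as JSF 2.2 is implicitly protected against CSRF
            http.csrf().disable();

            // Rules are evaluated in declaration order, first match wins: the resource rule and the
            // role rules must precede anyRequest(), otherwise they would be unreachable.
            http.authorizeRequests()
                    .antMatchers("/javax.faces.resource/**").permitAll()
                    .antMatchers("/admin/**").hasRole("ADMIN")
                    .antMatchers("/company/**").hasRole("COMPANY_DATA_ENTRY_AGENT")
                    // require all requests to be authenticated except for the resources
                    .anyRequest().authenticated();

            //http.authorizeRequests().antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')");

            // login: the login page is permitAll so the redirect target is reachable
            http.formLogin().loginPage("/login.xhtml").successHandler(myAuthenticationSuccessHandler()).permitAll().failureUrl("/login.xhtml?error=true");
            // logout
            http.logout().logoutSuccessUrl("/login.xhtml");
        }
    }
}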

解决方法是:下面这一行必须是最后一个 antMatchers 规则 ^ _ ^

http.authorizeRequests().antMatchers("/javax.faces.resource/**").permitAll().anyRequest().authenticated();

非常感谢你们,祝大家好运 ^ _ ^