我尝试以不同的方式保护我的应用程序。 1:应通过oauth-token保护api-part(/ api / **) 第二:其他部分应使用用户名和密码通过常规形式登录进行保护。
使用WebSecurityConfig,我可以保护api部分。但是对于普通的Route / user,将显示表单登录,但是在提交登录凭证后什么也没有发生。
我希望您能给我一个提示,我在做什么错了?
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
public class WebSecurityConfig {
@Configuration
@Order(1)
@EnableResourceServer
public static class ApiWebSecurityConfig extends ResourceServerConfigurerAdapter {
@Value("${security.signing-key}")
private String signingKey;
@Value("${security.encoding-strength}")
private Integer encodingStrength;
@Value("${security.security-realm}")
private String securityRealm;
@Value("${security.jwt.resource-ids}")
private String resourceIds;
@Autowired
private ResourceServerTokenServices tokenServices;
@Override
public void configure(HttpSecurity http) throws Exception {
http.antMatcher("/api/**").authorizeRequests()
.antMatchers("/oauth/token").permitAll();
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId(resourceIds).tokenServices(tokenServices);
}
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setSigningKey(signingKey);
return converter;
}
@Bean
public TokenStore tokenStore() {
return new JwtTokenStore(accessTokenConverter());
}
@Bean
@Primary
public DefaultTokenServices tokenServices() {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore());
defaultTokenServices.setSupportRefreshToken(true);
return defaultTokenServices;
}
}
@Configuration
@Order(2)
public static class FormWebSecurityConfig extends WebSecurityConfigurerAdapter {
private static final String LOGIN_PROCESSING_URL = "/login";
private static final String LOGIN_FAILURE_URL = "/login?error";
private static final String LOGIN_URL = "/login";
private static final String LOGOUT_SUCCESS_URL = "/logout";
private static final String LOGIN_SUCCESS_URL = "/user";
@Autowired
private PasswordEncoder passwordEncoder;
@Autowired
private UserDetailsService userDetailsService;
@Override
protected void configure(HttpSecurity http) throws Exception {
http .antMatcher("/user").requestCache().requestCache(new
CustomRequestCache())
// Restrict access to our application.
.and().authorizeRequests()
// Allow all flow internal requests.
.requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()
// Allow all requests by logged in users.
.anyRequest().hasAnyAuthority(Role.getAllRoles())
// Configure the login page.
.and().formLogin().loginPage(LOGIN_URL).permitAll().loginProcessingUrl(
LOGIN_PROCESSING_URL) .failureUrl(LOGIN_FAILURE_URL)
// Register the success handler that redirects users to the page they last
//tried // to access
.successHandler(new
SavedRequestAwareAuthenticationSuccessHandler())
.defaultSuccessUrl(LOGIN_SUCCESS_URL,true)
// Configure logout
.and().logout().logoutSuccessUrl(LOGOUT_SUCCESS_URL);
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers(
//icons and images...
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
@Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
public User currentUser(UserRepository userRepository) {
return userRepository.findByEmailIgnoreCase(SecurityUtils.getUsername());
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
super.configure(auth);
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
// auth.userDetailsService(userDetailsService);
}
@Bean()
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}
}