我用Spring创建了一个具有Web的Web应用程序,该Web应用程序也具有支持相应Android应用程序的API。我的安全配置是:
@Configuration
@EnableWebSecurity
public class MultipleHttpSecurityConfig {
@Autowired
@Qualifier("customUserDetailsService")
UserDetailsService userDetailsService;
@Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
auth.authenticationProvider(authenticationProvider());
}
@Bean
public PlaintextPasswordEncoder passwordEncoder() {
return new PlaintextPasswordEncoder();
}
@Bean
public DaoAuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
authenticationProvider.setUserDetailsService(userDetailsService);
authenticationProvider.setPasswordEncoder(passwordEncoder());
return authenticationProvider;
}
@Bean
public AuthenticationTrustResolver getAuthenticationTrustResolver() {
return new AuthenticationTrustResolverImpl();
}
@Configuration
@Order(1)
public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
private static String REALM = "MY_TEST_REALM";
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().antMatcher("/api/**").authorizeRequests().antMatchers("/api/admin/**").hasRole("ADMIN").antMatchers("/api/**")
.access("hasRole('ADMIN') or hasRole('SUPERADMIN') or hasRole('TECHNICIAN') or hasRole('JUNIOR')").and().httpBasic().realmName(REALM)
.authenticationEntryPoint(getBasicAuthEntryPoint()).and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Bean
public CustomBasicAuthenticationEntryPoint getBasicAuthEntryPoint() {
return new CustomBasicAuthenticationEntryPoint();
}
}
@Configuration
@Order(2)
public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Autowired
PersistentTokenRepository tokenRepository;
@Autowired
@Qualifier("customUserDetailsService")
UserDetailsService userDetailsService;
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/resources/**").antMatchers("/static/**");
}
@Bean
public PersistentTokenBasedRememberMeServices getPersistentTokenBasedRememberMeServices() {
PersistentTokenBasedRememberMeServices tokenBasedservice = new PersistentTokenBasedRememberMeServices("remember-me", userDetailsService, tokenRepository);
return tokenBasedservice;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
CharacterEncodingFilter filter = new CharacterEncodingFilter();
filter.setEncoding("UTF-8");
filter.setForceEncoding(true);
http.addFilterBefore(filter, CsrfFilter.class);
http.authorizeRequests().antMatchers("/signup", "/about", "/upload/**").permitAll().anyRequest()
.access("hasRole('ADMIN') or hasRole('SUPERADMIN') or hasRole('JUNIOR') or hasRole('TECHNICIAN')").and().formLogin().loginPage("/login").permitAll();
}
}
}
我也有单独的控制器来支持android的api调用,这是我的api控制器:
@Controller
@RequestMapping("api")
public class ApiController {
@RequestMapping(value = { "/login/endpoint" }, method = RequestMethod.POST, produces = { "application/json" })
public ResponseEntity<MessageApi> apiPage(Authentication authentication) {
System.out.println(authentication.toString());
String[] userDetails = retrieveUsername();
User tempuser = userService.findUsersByUsername(userDetails[1]);
BigInteger bi = new BigInteger("0");
String userProfile = "";
String lastName = "";
String firstName = "";
if (tempuser != null) {
bi = tempuser.getUser_id();
Set<UserProfile> tUPs = tempuser.getUserProfiles();
for (UserProfile up : tUPs) {
userProfile = up.getType();
}
lastName = tempuser.getLastName();
firstName = tempuser.getFirstName();
}
return new ResponseEntity<MessageApi>(new MessageApi("OK", bi.toString(), userProfile, firstName, lastName), HttpStatus.OK);
}
“ api / endpoint / login”用于检查凭据并从Android App登录。我的问题是,大多数时候来自Android应用的api检查都是“ 401未经授权”。有时候还可以。