在我的应用程序中,我需要基于不同的URL实现不同的spring证券。对于/ app / healthcheck,需要忽略安全性;对于/ app / manage,需要具有基本身份验证;对于其他所有/ api / **,则需要JWT令牌身份验证。实施方式如下
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {
@Bean
WebSecurityConfigurerAdapter defaultConfig() {
return new WebSecurityConfigurerAdapter() {
@Override
protected void configure(HttpSecurity http) throws Exception {
configureHttpSecurity(http.csrf().disable().headers().frameOptions().disable().and(),
authenticationManager());
}
};
}
void configureHttpSecurity(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {
http.authorizeRequests().antMatchers("/app/healthcheck").permitAll().anyRequest()
.authenticated().and()
.addFilterBefore(new MyJWTAuthenticationFilter(authenticationManager),
UsernamePasswordAuthenticationFilter.class)
.logout().permitAll();
}
@Bean
public UserAuthenticationProvider springAuthenticationProvider() {
return new UserAuthenticationProvider();
}
}
@Configuration
@EnableWebSecurity
@Order(Ordered.HIGHEST_PRECEDENCE)
public class BasicSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.cors();
http.antMatcher("/app/manage")
.authorizeRequests().anyRequest().authenticated()
.and()
.httpBasic();
}
}
in application.yml added
spring:
profiles: dev
security:
user:
name: ${admin}
password: ${password}
当我运行应用程序时,/ app / healthcheck忽略安全性,其余所有请求进行JWT身份验证。但是/ app / manage也会触发JWT身份验证,而不是基本身份验证。如果我评论令牌身份验证,那么基本工作正常。
春季安全新手,请告诉我我想念的是什么。
谢谢。