Spring Security: HTTP status 405 when logging in on the user page

Time: 2019-09-02 10:10:12

Tags: java spring spring-boot spring-security

I use two different WebSecurityConfigurerAdapter configurations to redirect admin and user to different login pages.

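The admin page works fine, while the user page gets HTTP status code 405 Method Not Allowed when the username and password data are posted to the /login/user endpoint.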

I searched a lot; some people say CSRF needs to be disabled, but I have already disabled it.

Here is my code:

@EnableWebSecurity
public class MultiHttpSecurityConfig {

    /**
     * intercept user url
     */
    @Configuration
    @Order(1)
    public static class UserWebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        CustomAuthenticationSuccessHandler successHandler;

        @Autowired
        CustomAuthenticationFailureHandler failureHandler;

        @Autowired
        private CustomAuthenticationProvider customAuthProvider;

        @Autowired
        private CustomUserDetailsService userDetailsService;

        @Value("${my.cookie.timeout}")
        private int cookieTimeOut;


        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable();
            http.requestMatchers()
                .antMatchers("/bbb/**", "/aaa/**")
                .and()
                .authorizeRequests()
                .antMatchers("/**").hasAnyRole("USER");
            http.formLogin()
                .successHandler(successHandler)
                .failureHandler(failureHandler)
                .loginPage("/login/user").permitAll();
            http.logout().permitAll();

            http.rememberMe().key("uniqueAndSecret").tokenValiditySeconds(cookieTimeOut);
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(customAuthProvider);
            auth.userDetailsService(userDetailsService);
        }
    }


    /**
     * intercept admin url
     */
    @Configuration
    public static class AdminWebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        CustomAuthenticationSuccessHandler successHandler;

        @Autowired
        CustomAuthenticationFailureHandler failureHandler;

        @Value("${my.cookie.timeout}")
        private int cookieTimeOut;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable();
            http.authorizeRequests()
                .antMatchers("/ccc/**","/dddd").hasAnyRole("ADMIN");
            http.formLogin()
                .successHandler(successHandler)
                .failureHandler(failureHandler)
                .loginPage("/login/admin").permitAll();
            http.logout().permitAll();

            http.rememberMe().key("uniqueAndSecret").tokenValiditySeconds(cookieTimeOut);
        }

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser("test").password("test").roles("ADMIN");
        }
    }
}

Update: After adding "/login/user" to the user patterns, it works.

            http.requestMatchers()
                .antMatchers("/dl/**", "/reinstall/**","/login/user/**")
                .and()
                .authorizeRequests()
                .antMatchers("/**").hasAnyRole("USER");
            http.formLogin()
                .successHandler(successHandler)
                .failureHandler(failureHandler)
                .loginPage("/login/user").permitAll();

emmmm, I don't really understand this mechanism in Spring Security.

1 Answer:

Answer 0: (score: 0)

See the answer given in the similar "Multiple websecurityconfigureradapter" question. You may need to override the AuthenticationManagerBuilder in both, rather than autowiring either of them.
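
A likely explanation of why the update in the question works, as an added example that is not code from the question or the answer: Spring Security hands each request to the first filter chain whose request matchers match, and a chain's form-login filter only sees requests that chain handles. This stand-alone model (Java 16+, no Spring dependency) replays the POST against both configurations; the `Chain` record, `antMatch` and `route` are hypothetical names, the matcher is deliberately simplified, and the 405 assumes the controller maps /login/user for GET only.

```java
import java.util.List;

// Simplified model of Spring Security's chain selection; not Spring's own code.
public class ChainSelectionDemo {

    // One filter chain: the paths it claims and the URL its login filter processes.
    record Chain(String name, List<String> patterns, String loginProcessingUrl) {
        boolean matches(String path) {
            return patterns.stream().anyMatch(p -> antMatch(p, path));
        }
    }

    // Minimal Ant-style matching: exact paths and a trailing "/**" only.
    static boolean antMatch(String pattern, String path) {
        if (pattern.endsWith("/**")) {
            String prefix = pattern.substring(0, pattern.length() - 3);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pattern.equals(path);
    }

    // The first chain (in @Order) whose patterns match handles the request;
    // only that chain's login filter ever sees it.
    static String route(List<Chain> chains, String method, String path) {
        for (Chain c : chains) {
            if (!c.matches(path)) continue;
            boolean login = method.equals("POST") && path.equals(c.loginProcessingUrl());
            return c.name() + (login ? ": login filter authenticates"
                                     : ": passed on to the controller");
        }
        return "no chain";
    }

    public static void main(String[] args) {
        // The admin config has no requestMatchers(), so it claims every path.
        Chain admin = new Chain("admin", List.of("/**"), "/login/admin");
        Chain before = new Chain("user", List.of("/bbb/**", "/aaa/**"), "/login/user");
        Chain after = new Chain("user",
                List.of("/dl/**", "/reinstall/**", "/login/user/**"), "/login/user");

        // Original config: the admin chain takes the POST, its login filter ignores it.
        System.out.println(route(List.of(before, admin), "POST", "/login/user"));
        // Updated config: the user chain now claims /login/user.
        System.out.println(route(List.of(after, admin), "POST", "/login/user"));
    }
}
```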
