我使用两种不同的WebSecurityConfigurerAdapter配置重定向到admin和user之间的不同登录页面。
当用户名和密码数据发布到/ login /用户界面时,用户页获得http状态码405方法时,管理员页面工作正常
我进行了很多搜索,有人说需要禁用csrf,但是我已经禁用了它。
这是我的下面的代码
@EnableWebSecurity
public class MultiHttpSecurityConfig {
/**
* intercept user url
*/
@Configuration
@Order(1)
public static class UserWebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
CustomAuthenticationSuccessHandler successHandler;
@Autowired
CustomAuthenticationFailureHandler failureHandler;
@Autowired
private CustomAuthenticationProvider customAuthProvider;
@Autowired
private CustomUserDetailsService userDetailsService;
@Value("${my.cookie.timeout}")
private int cookieTimeOut;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.requestMatchers()
.antMatchers("/bbb/**", "/aaa/**")
.and()
.authorizeRequests()
.antMatchers("/**").hasAnyRole("USER");
http.formLogin()
.successHandler(successHandler)
.failureHandler(failureHandler)
.loginPage("/login/user").permitAll();
http.logout().permitAll();
http.rememberMe().key("uniqueAndSecret").tokenValiditySeconds(cookieTimeOut);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthProvider);
auth.userDetailsService(userDetailsService);
}
}
/**
* intercept admin url
*/
@Configuration
public static class AdminWebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
CustomAuthenticationSuccessHandler successHandler;
@Autowired
CustomAuthenticationFailureHandler failureHandler;
@Value("${my.cookie.timeout}")
private int cookieTimeOut;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests()
.antMatchers("/ccc/**","/dddd").hasAnyRole("ADMIN");
http.formLogin()
.successHandler(successHandler)
.failureHandler(failureHandler)
.loginPage("/login/admin").permitAll();
http.logout().permitAll();
http.rememberMe().key("uniqueAndSecret").tokenValiditySeconds(cookieTimeOut);
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("test").password("test").roles("ADMIN");
}
}
}
更新: 将“ / login / user”添加到用户模式后,它可以正常工作。
http.requestMatchers()
.antMatchers("/dl/**", "/reinstall/**","/login/user/**")
.and()
.authorizeRequests()
.antMatchers("/**").hasAnyRole("USER");
http.formLogin()
.successHandler(successHandler)
.failureHandler(failureHandler)
.loginPage("/login/user").permitAll();
emmmm,我在弹簧安全性方面不太了解这种机制
答案 0 :(得分:0)
请参阅类似的Multiple websecurityconfigureradapter 问题中给出的答案。您可能需要覆盖两者中的AuthenticationManagerBuilder,而不是自动装配它们中的任何一个。