Spring Security-多个安全性配置要求-向现有的REST API身份验证添加基本身份验证

时间:2019-12-19 23:44:03

标签: java spring spring-boot

我有一个具有以下安全配置的REST API-

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private final Logger logger = LoggerFactory.getLogger(this.getClass());

    @Value("${auth0.audience}")
    private String audience;

    @Value("${auth0.issuer}")
    private String issuer;

    @Override
    protected void configure(HttpSecurity http) {
        try {
            http.authorizeRequests()
                    .antMatchers("/").permitAll()
                    .antMatchers("/purch").authenticated()
                    .antMatchers("/purch2").authenticated();

            JwtWebSecurityConfigurer
                    .forRS256(audience, issuer)
                    .configure(http);
        } catch (Exception ex) {
            throw new AuthenticationException(ex.getMessage());
        }
    }
}

我为此REST API添加了Swagger文档,并且我正尝试使用this example

使用HTTP Basic Auth保护Swagger文档。

因此,我用@Order(1)更新了上面的WebSecurityConfig,并用Order(2)添加了新的WebSecurityConfig,如下所示-

@Configuration
@Order(2)
public class SwaggerSecurity extends WebSecurityConfigurerAdapter {

    private static final String[] AUTH_LIST = { //
            "**/v2/api-docs", //
            "**/configuration/ui", //
            "**/swagger-resources", //
            "**/configuration/security", //
            "**/swagger-ui.html", //
            "**/webjars/**" //
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers(AUTH_LIST).authenticated().and().httpBasic();
    }

    //@Override
    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user").password(passwordEncoder().encode("password")).roles("USER")
                .and()
                .withUser("admin").password(passwordEncoder().encode("admin")).roles("USER", "ADMIN");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

这似乎没有任何效果,并且不提示输入基本身份验证凭据。 我尝试了hereherehere的几种答案组合...但是我无法正常工作!

我能够使独立的Order(2) Spring Web安全配置按预期工作,而没有与Order(1)安全配置结合使用。

正如您从我的问题中看到的那样,我不是Spring Security的专家,因此尝试了尽可能多的调试!在失去了几个小时之后,我开始寻求帮助。任何帮助表示赞赏。谢谢。

根据评论进行更新: 我已经尝试过结合类似于herehere的Web安全配置类。结果是我的原始REST API受“授权标头”承载身份验证保护,现在被基本身份验证覆盖。

可能是,我的问题是-如何确保一个Web安全配置不会覆盖另一个Web安全配置?

@Configuration
@Order(2)
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private final Logger logger = LoggerFactory.getLogger(this.getClass());

    @Value("${auth0.audience}")
    private String audience;

    @Value("${auth0.issuer}")
    private String issuer;

    @Override
    protected void configure(HttpSecurity http) {
        try {
            http.authorizeRequests()
                    .antMatchers("/").permitAll()
                    .antMatchers("/purch").authenticated()
                    .antMatchers("/purch2").authenticated();

            JwtWebSecurityConfigurer
                    .forRS256(audience, issuer)
                    .configure(http);
        } catch (Exception ex) {
            throw new AuthenticationException(ex.getMessage());
        }
    }

    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        private static final String[] AUTH_LIST = { //
                "/v2/api-docs", //
                "/configuration/ui", //
                "/swagger-resources", //
                "/configuration/security", //
                "/swagger-ui.html", //
                "/webjars/**" //
        };

        protected void configure(HttpSecurity http) throws Exception {
            http
               .authorizeRequests().antMatchers("/purch/**").permitAll().and()
                    .authorizeRequests()
                    .antMatchers(AUTH_LIST)
                    .authenticated()
                    .and()
                    .httpBasic();
        }

        @Autowired
        protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                    .withUser("user").password(passwordEncoder().encode("password")).roles("USER")
                    .and()
                    .withUser("admin").password(passwordEncoder().encode("admin")).roles("USER", "ADMIN");
        }

        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }
    }
}

1 个答案:

答案 0 :(得分:0)

您似乎混淆了从不同来源收集的内容。请尝试以下配置。

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {


    // Firs this configuration will apply since the order is 1
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        protected void configure(HttpSecurity http) throws Exception {
            // configure auth modes and path matchers
        }
    }

    // Since there is no @Order annotation, this will be checked at last
    @Configuration
    public static class MvcWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        protected void configure(HttpSecurity http) throws Exception {
            // configure auth modes and path matchers
        }
    }
}
相关问题
最新问题