我正在尝试建立一个包含以下内容的后端:
为此,我尝试设置单独的SpringSecurity过滤器链:
不幸的是,尽管使用antMatchers(..),我在组合它们时还是遇到了问题: -如果我优先使用JWT筛选器,则永远不会触发HttpBasic身份验证 -如果我优先使用HttpBasic过滤器,则我的登录名(HttpMethod.POST)被拒绝为不支持的HTTP方法。
怎么了?
AdminSecurityConfiguration.java
@Configuration
@EnableWebMvcSecurity
@Order(1)
public class AdminSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
AdminUserDetailsServiceImpl adminUserDetailsService;
@Autowired
private BCryptPasswordEncoder bCryptPasswordEncoder;
public static int ADMIN_TOKEN_EXPIRATION_HOURS = 4;
public static String ADMIN_SECRET_KEY = "CHANGED_FOR_STACKOVERFLOW";
public static final String TOKEN_PREFIX = "CHANGED_FOR_STACKOVERFLOW";
public static final String HEADER_STRING = "Authorization";
@Override
protected void configure(HttpSecurity http) throws Exception {
AdminJWTAuthenticationFilter authenticationFilter = new AdminJWTAuthenticationFilter(authenticationManager());
authenticationFilter.setFilterProcessesUrl(
URLsAdmin.Login);
AdminJWTAuthorizationFilter authorizationFilter = new AdminJWTAuthorizationFilter(authenticationManager());
http
.csrf().disable()
/**
* ADMIN CALLS
*/
.authorizeRequests()
.antMatchers(HttpMethod.POST, URLsAdmin.Login, URLsAdmin.Register).permitAll()
.antMatchers(HttpMethod.GET,URLsAdmin.restGetAdminSystemParameterMaintenanceMode).permitAll()
.antMatchers("/admin/*", "/admin/*/*", "/admin/*/*/*").authenticated().and()
.addFilter(authenticationFilter).addFilter(authorizationFilter)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)//disable session creation on spring security
;
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(adminUserDetailsService).passwordEncoder(bCryptPasswordEncoder);
}
}
JavaMelodySecurityConfiguration.java
@Configuration
@EnableWebMvcSecurity
@Order(2)
public class JavaMelodySecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
AdminUserDetailsServiceImpl adminUserDetailsService;
private MyBasicAuthenticationEntryPoint authenticationEntryPoint = new MyBasicAuthenticationEntryPoint();
@Autowired
private BCryptPasswordEncoder bCryptPasswordEncoder;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers(URLsAdmin.JavaMelody) /* THIS IS "/monitoring" */
.authenticated()
.and()
.httpBasic()
.authenticationEntryPoint(authenticationEntryPoint)
;
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(adminUserDetailsService).passwordEncoder(bCryptPasswordEncoder);
}
public class MyBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint {
@Override
public void commence(
HttpServletRequest request, HttpServletResponse response, AuthenticationException authEx)
throws IOException, ServletException {
response.addHeader("WWW-Authenticate", "Basic realm=" + getRealmName() + "");
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
PrintWriter writer = response.getWriter();
writer.println("HTTP Status 401 - " + authEx.getMessage());
}
@Override
public void afterPropertiesSet() throws Exception {
setRealmName("SALauncher");
super.afterPropertiesSet();
}
};
}