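I am trying to set up form authentication for the UI and Basic authentication for REST with Spring Security in my application. I created the configuration based on one from the question "Combining basic authentication and form login for the same REST Api", but the configuration does not work properly. Form authentication overrides Basic authentication for the REST services. From the comments, I see that this approach has been broken since Spring Security 5. I would like to know why it is broken now, and whether it is possible to fix it or to use another approach to make Security work the way I expect.

I use Spring Boot 2.2.6, and this is my Spring Security configuration: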
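
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.Customizer;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.UserDetailsService;

    @EnableWebSecurity
    public class SecurityConfiguration {

        // UserRepository and UserAuthService are application classes (not shown here).
        @Bean
        public UserDetailsService userDetailsService(UserRepository userRepository) {
            return new UserAuthService(userRepository);
        }

        // Global in-memory users: "user" has USER, "admin" has USER and ADMIN.
        @Autowired
        public void authConfigure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser("user")
                    .password("password")
                    .roles("USER").and()
                .withUser("admin")
                    .password("password")
                    .roles("USER", "ADMIN");
        }

        // Filter chain 1 (@Order(1)): applies only to /api/**, HTTP Basic.
        @Configuration
        @Order(1)
        public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .antMatcher("/api/**")
                    .authorizeRequests()
                        .anyRequest()
                        .hasAnyRole("ADMIN", "GUEST")
                        .and()
                    .httpBasic(Customizer.withDefaults());
            }
        }

        // Filter chain 2 (@Order(2)): all remaining requests, form login.
        @Configuration
        @Order(2)
        public static class UiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .authorizeRequests()
                        .antMatchers("/resources/*").permitAll()
                        .antMatchers("/person/**").permitAll()
                        .antMatchers("/user/**").hasRole("ADMIN")
                        .anyRequest().authenticated()
                        .and()
                    .formLogin(Customizer.withDefaults());
            }
        }
    }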