Configuring two HttpSecurity settings
I followed the advice in the official documentation on how to configure two separate HttpSecurity instances, but it fails with JavaConfig:
    @Configuration
    @EnableWebSecurity
    public class SoWebSecurityConfig
    {
        @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(username -> {
                log.info("\n\n\n ********* authenticating {} ************************************\n\n\n", username);
                return new User(username, "", asList(new SimpleGrantedAuthority("TV")));
            });
        }

        @Configuration
        @Order(1)
        public static class SwiperSecurityConfig extends WebSecurityConfigurerAdapter {
            @Override
            protected void configure(HttpSecurity http) throws Exception { configureHttpSec(http, "/swiper"); }
        }

        @Configuration
        @Order(2)
        public static class TvSecurityConfig extends WebSecurityConfigurerAdapter {
            @Override
            protected void configure(HttpSecurity http) throws Exception { configureHttpSec(http, "/tv"); }
        }

        static HttpSecurity configureHttpSec(HttpSecurity http, String urlBase) throws Exception {
            http.csrf().disable()
                .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
                .and().authorizeRequests().antMatchers(urlBase+"/**").authenticated()
                .and().httpBasic()
                .and().logout().logoutUrl(urlBase+"/logout").logoutSuccessHandler((req,resp,auth) -> {})
                ;
            return http;
        }
    }
In the log I can see two filter chains being created:
2014-06-30 12:44:22 main INFO o.s.s.w.DefaultSecurityFilterChain - Creating filter chain: [email protected]1, [org.springframework.security.web.context.request.as
[email protected], org.spring[email protected]1937eaff, [email protected]308, org.springfr
[email protected], org.springfram[email protected]9b9a327, org.springframework.security.web.savedrequest.RequestCach
[email protected], org.springframework.[email protected]67064bdc, org.springfram[email protected]78b612c6, org.s
[email protected]ceef, org[email protected]6e7c351d, org.springframework.security.web.access.intercept.FilterSecurit
[email protected]]
2014-06-30 12:44:22 main INFO o.s.s.w.DefaultSecurityFilterChain - Creating filter chain: [email protected]1, [org.springframework.security.web.context.request.as
[email protected], org.spring[email protected]427ae189, [email protected]fd9, org.spring
[email protected]35, org.springfram[email protected]514de325, org.springframework.security.web.savedrequest.RequestC
[email protected], org.springframework.[email protected]76332405, org.springfram[email protected]43a65cd8, or
[email protected]fba233d, org[email protected]376c7d7d, org.springframework.security.web.access.intercept.FilterSecu
[email protected]]
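But only the one I specified with Order(1) actually gets used; URLs matching the other one are not authenticated.
I also tried configuring the @Order(2) configuration with anyRequest() instead of the ant matcher, but the result is the same.
What are my options to solve this?
I am using Spring 4.0.5 and Spring Security 3.2.4.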
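Have you tried replacing configureHttpSec(http, "/tv"); with http.antMatcher("/tv") and http.antMatcher("/swipe") and creating the authorization config under each to reflect the difference? – Aeseir
@Aeseir That is exactly what my problem was :) Great eye! I read the documentation example many times, yet still missed the nuance of applying the ant matcher. Please undelete your answer so I can accept it. I will edit it a bit to better highlight the cause of the problem and the solution. –
Done. Glad I could assist. – Aeseir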
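The fix suggested in the comments, written out as an added example (not code from the original post): each `HttpSecurity` is scoped with `http.antMatcher(...)`, so the `@Order(1)` chain no longer matches every request. The class name `ScopedSecurityConfig`, the `/**` suffix on the patterns and the in-memory `demo` account are assumptions made for illustration.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;

@Configuration
@EnableWebSecurity
public class ScopedSecurityConfig { // hypothetical name, not from the question

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed sample account so the example is self-contained.
        auth.inMemoryAuthentication().withUser("demo").password("change-me").roles("TV");
    }

    @Configuration
    @Order(1)
    public static class SwiperSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            configureHttpSec(http, "/swiper");
        }
    }

    @Configuration
    @Order(2)
    public static class TvSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            configureHttpSec(http, "/tv");
        }
    }

    static void configureHttpSec(HttpSecurity http, String urlBase) throws Exception {
        http
            // Scope the whole filter chain. Without this the chain matches any request,
            // so the @Order(1) chain handles every URL and the second is never consulted.
            .antMatcher(urlBase + "/**")
            .csrf().disable()
            .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
            .and().authorizeRequests().anyRequest().authenticated()
            .and().httpBasic()
            .and().logout().logoutUrl(urlBase + "/logout").logoutSuccessHandler((req, resp, auth) -> {});
    }
}
```

With both chains scoped this way, a request outside `/swiper/**` and `/tv/**` matches no filter chain and passes through unsecured, so add a catch-all configuration with a higher `@Order` value if other URLs need protection.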