2014-06-30 36 views
3
Configuring two HttpSecurity setups

I followed the advice from the official documentation on how to configure two separate HttpSecurity instances with JavaConfig, without success:

import static java.util.Arrays.asList;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;

@Configuration
@EnableWebSecurity
public class SoWebSecurityConfig {
    private static final Logger log = LoggerFactory.getLogger(SoWebSecurityConfig.class);

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Accepts any username, with an empty password, and grants it the TV authority.
        auth.userDetailsService(username -> {
            log.info("\n\n\n ********* authenticating {} ************************************\n\n\n", username);
            return new User(username, "", asList(new SimpleGrantedAuthority("TV")));
        });
    }

    @Configuration
    @Order(1)
    public static class SwiperSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception { configureHttpSec(http, "/swiper"); }
    }

    @Configuration
    @Order(2)
    public static class TvSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception { configureHttpSec(http, "/tv"); }
    }

    // Shared configuration for both chains; note that authorizeRequests().antMatchers(...)
    // only restricts which URLs need authentication, it does not restrict which URLs
    // this chain claims (that is the bug the answer below explains).
    static HttpSecurity configureHttpSec(HttpSecurity http, String urlBase) throws Exception {
        http.csrf().disable()
            .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
            .and().authorizeRequests().antMatchers(urlBase + "/**").authenticated()
            .and().httpBasic()
            .and().logout().logoutUrl(urlBase + "/logout").logoutSuccessHandler((req, resp, auth) -> {});
        return http;
    }
}

In the log I can see two filter chains being created:

2014-06-30 12:44:22 main INFO o.s.s.w.DefaultSecurityFilterChain - Creating filter chain: [request matcher and filter list mangled by extraction]
2014-06-30 12:44:22 main INFO o.s.s.w.DefaultSecurityFilterChain - Creating filter chain: [request matcher and filter list mangled by extraction]

But only the one I gave Order(1) is actually used; URLs matching the other one's pattern are not authenticated.

I also tried configuring the @Order(2) configuration with anyRequest() instead of the ant matcher, but the result was the same.

Is there any way I can solve this?

I am using Spring 4.0.5 and Spring Security 3.2.4.

+0

Have you tried replacing configureHttpSec(http, "/tv"); with http.antMatcher("/tv") and http.antMatcher("/swipe") and creating the authorization configuration under each to reflect the differences? – Aeseir

+0

@Aeseir That is exactly what my problem was :) Great eye! I read the documentation example several times and still missed the subtlety of where the ant matcher is applied. Please undelete your answer so I can accept it. I will edit it a little to better highlight the cause of the problem and the solution. –

+0

Done. Glad I could help. – Aeseir

Answer

4

You failed to follow the documentation in one crucial respect. You have

http.authorizeRequests().antMatchers(urlBase+"/**").authenticated() 

This means you register this HttpSecurity as a global security module that applies to all URLs, but only requires authentication for the ones the ant matcher selects. When you do that twice, you get two chained global security modules, so naturally only the first one takes charge of all URLs.

The documentation instead recommends this:

http.antMatcher(urlBase+"/**").authorizeRequests().anyRequest().authenticated() 

This means the ant matcher is used to select which URLs this security module is responsible for, and the module is bypassed for all others. That way the second module in line gets its chance when appropriate.

So all you need to do is adjust your static configurer method as follows:

static HttpSecurity configureHttpSec(HttpSecurity http, String urlBase) throws Exception {
    http.csrf().disable()
        .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
        // antMatcher(...) on HttpSecurity restricts which requests this chain claims;
        // within the chain, every request then requires authentication.
        .and().antMatcher(urlBase + "/**").authorizeRequests().anyRequest().authenticated()
        .and().httpBasic()
        .and().logout().logoutUrl(urlBase + "/logout").logoutSuccessHandler((req, resp, auth) -> {});
    return http;
}
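A test that makes the difference between the two forms observable is the check a practitioner would want before trusting the fix, since the startup log prints two chains either way. The test below is an added example, not code from the question or the answer; it assumes the corrected SoWebSecurityConfig (with its nested @Order classes) is on the classpath, together with JUnit 4, spring-test and Hamcrest. The URLs /swiper/start, /tv/start and /elsewhere and the helper requestFor are constructed for this example. With the original antMatchers(...) form, the Order(1) chain claims every request and the /tv assertions fail; with antMatcher(...) each chain only claims its own prefix.

```java
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.not;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import java.util.List;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

// Added verification test (not from the original post). Assumes the corrected
// SoWebSecurityConfig from the answer is on the classpath; URLs are constructed.
@RunWith(SpringJUnit4ClassRunner.class)
@WebAppConfiguration
@ContextConfiguration(classes = SoWebSecurityConfig.class)
public class TwoFilterChainsTest {

    @Autowired private WebApplicationContext context;
    // Spring Security registers its composite filter as a FilterChainProxy bean
    // named springSecurityFilterChain; each @Order config contributes one chain.
    @Autowired private FilterChainProxy springSecurityFilterChain;

    private MockMvc mvc;

    @Before
    public void setUp() {
        mvc = MockMvcBuilders.webAppContextSetup(context)
                .addFilters(springSecurityFilterChain)
                .build();
    }

    // Hypothetical helper: a request whose servlet path the chain matchers evaluate.
    private static MockHttpServletRequest requestFor(String servletPath) {
        MockHttpServletRequest req = new MockHttpServletRequest("GET", servletPath);
        req.setServletPath(servletPath);
        return req;
    }

    @Test
    public void eachChainOnlyClaimsItsOwnUrlPrefix() {
        List<SecurityFilterChain> chains = springSecurityFilterChain.getFilterChains();
        assertEquals("one chain per @Order configuration", 2, chains.size());

        // Order(1) is /swiper/**: it must decline /tv/** so the second chain is reached.
        assertTrue(chains.get(0).matches(requestFor("/swiper/start")));
        assertFalse(chains.get(0).matches(requestFor("/tv/start")));
        // Order(2) is /tv/**: it claims /tv/** and nothing outside both prefixes.
        assertTrue(chains.get(1).matches(requestFor("/tv/start")));
        assertFalse(chains.get(1).matches(requestFor("/elsewhere")));
    }

    @Test
    public void bothPrefixesRequireAuthentication() throws Exception {
        // Http403ForbiddenEntryPoint answers anonymous access with 403 in each chain.
        mvc.perform(get("/swiper/start")).andExpect(status().isForbidden());
        mvc.perform(get("/tv/start")).andExpect(status().isForbidden());
        // No chain claims this URL, so Spring Security never rejects it.
        mvc.perform(get("/elsewhere")).andExpect(status().is(not(equalTo(403))));
    }
}
```

The first test inspects the request matchers directly, which is the quickest way to see why a chain is silently skipped: with the original antMatchers(...) form the Order(1) chain's matcher is the any-request default and matches "/tv/start" too. The second test exercises the same property end to end through the filter proxy.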